Unrated severity · NVD Advisory · Published Jan 14, 2020 · Updated Aug 6, 2024

CVE-2015-1869

Description

ABRT default event scripts follow symlinks, allowing local privilege escalation via symlink attack on var_log_messages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The default event handling scripts in the Automatic Bug Reporting Tool (ABRT) follow symbolic links, allowing local attackers with write access to an ABRT problem directory (e.g., /var/tmp/abrt or /var/spool/abrt) to escalate their privileges [1][4]. This affects ABRT versions prior to the fixes introduced in commits 7417505 [2] and 3287aa1 [3] (circa May 2015). The attack is demonstrated using a var_log_messages file that is a symbolic link to a file in /etc/cron.hourly [4].

Exploitation

To exploit this vulnerability, an attacker must have write access to an ABRT problem directory. The attacker creates a symbolic link within that directory (e.g., var_log_messages) pointing to a sensitive file such as /etc/cron.hourly/evil. When the default event handling scripts run as root (triggered by a crash or other event), they follow the symlink and write data to the target file, injecting arbitrary commands that can be executed with root privileges [1][4].

Impact

Successful exploitation allows a local user to escalate privileges to root. By writing to a cron script, the attacker can execute arbitrary code with root privileges, leading to full system compromise [1][4].

Mitigation

The vulnerability is fixed in ABRT commits 7417505 [2] and 3287aa1 [3], which restrict event script execution to the root user and prevent non-root users from triggering post-create actions. Users should update ABRT to a version containing these patches (e.g., ABRT 2.1.11-13 or later, as provided by Red Hat and Fedora). As a workaround, ensure that problem directories are not writable by unprivileged users, and disable the default event scripts if possible [1][4].
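
The symlink-following write described above can also be refused at the point where the file is opened. The following is an added example, not code from ABRT or its patches: a hypothetical helper, `append_element_nofollow()`, that a root-run handler could use to append to an element file inside a problem directory. It assumes a POSIX.1-2008 system with `openat()` and `O_NOFOLLOW`.

```c
/* Added example, not ABRT code. append_element_nofollow() is a hypothetical helper. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Append data to element `name` inside problem directory `dir`.
 * Returns 0 on success, -1 with errno set when the write is refused or fails. */
int append_element_nofollow(const char *dir, const char *name, const char *data)
{
    /* An element is a plain file name: no path separators, no "." or "..". */
    if (name[0] == '\0' || strchr(name, '/') != NULL
        || strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Pin the directory by descriptor; fail if its last component is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* O_NOFOLLOW: a symlink at `name` makes openat() fail with ELOOP instead of
     * opening (or creating) the link target. O_NONBLOCK avoids hanging on a FIFO. */
    int fd = openat(dfd, name, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW
                               | O_NONBLOCK | O_CLOEXEC, 0600);
    int saved_errno = errno;
    close(dfd);
    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }
    /* Accept only a regular file with one link, so a hard link to a file
     * elsewhere on the same filesystem is refused as well. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    size_t len = strlen(data);
    ssize_t written = write(fd, data, len);
    close(fd);
    if (written != (ssize_t)len) {
        errno = EIO;
        return -1;
    }
    return 0;
}
```

`O_NOFOLLOW` protects only the final path component, so the parents of the problem directory must not be writable by unprivileged users.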

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Red Hat/ABRT (llm-fuzzy)
    Range: <=2.6.0-1
  • ABRT/ABRT (v5)
    Range: before 7417505e1d93cc95ec648b74e3c801bc67aacb9f

Patches

2
7417505e1d93

daemon, dbus: allow only root to create CCpp, Koops, vmcore and xorg

https://github.com/abrt/abrt · Jakub Filak · May 7, 2015 · via nvd-ref
4 files changed · +36 −2
  • src/daemon/abrt-server.c · +1 −1 · modified
    @@ -487,7 +487,7 @@ static gboolean key_value_ok(gchar *key, gchar *value)
             }
         }
     
    -    return TRUE;
    +    return allowed_new_user_problem_entry(client_uid, key, value);
     }
     
     /* Handles a message received from client over socket. */
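Review bot: In `key_value_ok()`, the new return statement reads `client_uid`, which is not among the function's parameters (`gchar *key, gchar *value`), so a key/value validator now depends on file-scope state and doubles as the authorization check. Pass the uid in as a parameter, or at least add a comment above the function saying that it enforces `allowed_new_user_problem_entry()` for the connected client, so a later caller does not reuse it before `client_uid` is set.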
    
  • src/dbus/abrt-dbus.c · +9 −1 · modified
    @@ -168,13 +168,20 @@ bool allowed_problem_dir(const char *dir_name)
     
     static char *handle_new_problem(GVariant *problem_info, uid_t caller_uid, char **error)
     {
    +    char *problem_id = NULL;
         problem_data_t *pd = problem_data_new();
     
         GVariantIter *iter;
         g_variant_get(problem_info, "a{ss}", &iter);
         gchar *key, *value;
         while (g_variant_iter_loop(iter, "{ss}", &key, &value))
         {
    +        if (allowed_new_user_problem_entry(caller_uid, key, value) == false)
    +        {
    +            *error = xasprintf("You are not allowed to create element '%s' containing '%s'", key, value);
    +            goto finito;
    +        }
    +
             problem_data_add_text_editable(pd, key, value);
         }
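Review bot: The added rejection branch writes `*error = xasprintf(...)` without checking `error`, while the save-failure path later in the same function guards it with `else if (error)`; make the two consistent, for example `if (error) *error = ...`. The `goto finito` also leaves the `g_variant_iter_loop()` loop early: with the `{ss}` format the current `key` and `value` are only freed on the next call to the loop function, so they need a `g_free()` before the jump, and the `iter` obtained from `g_variant_get()` must still be freed with `g_variant_iter_free()` when the jump skips the rest of the function.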
     
    @@ -189,12 +196,13 @@ static char *handle_new_problem(GVariant *problem_info, uid_t caller_uid, char *
         /* At least it should generate local problem identifier UUID */
         problem_data_add_basics(pd);
     
    -    char *problem_id = problem_data_save(pd);
    +    problem_id = problem_data_save(pd);
         if (problem_id)
             notify_new_path(problem_id);
         else if (error)
             *error = xasprintf("Cannot create a new problem");
     
    +finito:
         problem_data_free(pd);
         return problem_id;
     }
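Review bot: At the `finito:` label only `pd` is released, so every other resource taken before a `goto finito` has to be freed at the jump site; moving that cleanup under the label would keep the early-exit path correct as the function grows. The label name is also inconsistent with the `out` label used for the same purpose in `abrt-server.c`; `out` or `cleanup` would read better.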
    
  • src/include/libabrt.h · +2 −0 · modified
    @@ -51,6 +51,8 @@ char *get_backtrace(const char *dump_dir_name, unsigned timeout_sec, const char
     bool dir_is_in_dump_location(const char *dir_name);
     #define dir_has_correct_permissions abrt_dir_has_correct_permissions
     bool dir_has_correct_permissions(const char *dir_name);
    +#define allowed_new_user_problem_entry abrt_allowed_new_user_problem_entry
    +bool allowed_new_user_problem_entry(uid_t uid, const char *name, const char *value);
     
     #define g_settings_nMaxCrashReportsSize abrt_g_settings_nMaxCrashReportsSize
     extern unsigned int  g_settings_nMaxCrashReportsSize;
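Review bot: The new prototype `allowed_new_user_problem_entry(uid_t uid, const char *name, const char *value)` is exported from `libabrt.h` without a comment. It is a security decision shared by the daemon and the D-Bus service, so document the contract next to the declaration: what a `true` result means, that `name` is the element name and `value` its content, and that both must be non-NULL because the implementation passes them to `strcmp()`.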
    
  • src/lib/hooklib.c · +24 −0 · modified
    @@ -483,3 +483,27 @@ bool dir_has_correct_permissions(const char *dir_name)
         }
         return true;
     }
    +
    +bool allowed_new_user_problem_entry(uid_t uid, const char *name, const char *value)
    +{
    +    /* Allow root to create everything */
    +    if (uid == 0)
    +        return true;
    +
    +    /* Permit non-root users to create everything except: analyzer and type */
    +    if (strcmp(name, FILENAME_ANALYZER) != 0
    +     && strcmp(name, FILENAME_TYPE) != 0
    +     /* compatibility value used in abrt-server */
    +     && strcmp(name, "basename") != 0)
    +        return true;
    +
    +    /* Permit non-root users to create all types except: C/C++, Koops, vmcore and xorg */
    +     if (strcmp(value, "CCpp") != 0
    +      && strcmp(value, "Kerneloops") != 0
    +      && strcmp(value, "vmcore") != 0
    +      && strcmp(value, "xorg") != 0)
    +        return true;
    +
    +    error_msg("Only root is permitted to create element '%s' containing '%s'", name, value);
    +    return false;
    +}
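Review bot: The value check in `allowed_new_user_problem_entry()` is a deny-list: a non-root caller may set `analyzer`, `type` or `basename` to anything except the four literals `CCpp`, `Kerneloops`, `vmcore` and `xorg`, so any analyzer added later whose events run privileged is allowed by default until this function is extended. Consider inverting it into a list of types that non-root users may create, or at least keeping the restricted names in one shared table. Two smaller points: the comment says "except: analyzer and type" but the code also restricts `basename`, and the `if (strcmp(value, "CCpp") != 0` line is indented one column deeper than the rest of the function.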
    
3287aa12eb20

daemon: allow only root user to trigger the post-create

https://github.com/abrt/abrt · Jakub Filak · May 6, 2015 · via nvd-ref
1 file changed · +8 −11
  • src/daemon/abrt-server.c · +8 −11 · modified
    @@ -178,16 +178,6 @@ static int run_post_create(const char *dirname)
                 return 403;
             }
         }
    -    else if (!dump_dir_accessible_by_uid(dirname, client_uid))
    -    {
    -        if (errno == ENOTDIR)
    -        {
    -            error_msg("Path '%s' isn't problem directory", dirname);
    -            return 404; /* Not Found */
    -        }
    -        error_msg("Problem directory '%s' can't be accessed by user with uid %ld", dirname, (long)client_uid);
    -        return 403; /* Forbidden */
    -    }
     
         int child_stdout_fd;
         int child_pid = spawn_event_handler_child(dirname, "post-create", &child_stdout_fd);
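Review bot: With the `else if (!dump_dir_accessible_by_uid(dirname, client_uid))` branch removed, the case it covered now reaches `spawn_event_handler_child()` without `run_post_create()` checking that `dirname` is a problem directory the client may access; the function relies on its caller having rejected every non-root client. State that precondition in a comment on `run_post_create()`, or repeat a cheap `client_uid != 0` check here, so a future call site cannot reach the event handler without it. The `ENOTDIR` / 404 "isn't problem directory" diagnostic also disappears with this branch.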
    @@ -741,14 +731,21 @@ static int perform_http_xact(void)
         /* Body received, EOF was seen. Don't let alarm to interrupt after this. */
         alarm(0);
     
    +    int ret = 0;
         if (url_type == CREATION_NOTIFICATION)
         {
    +        if (client_uid != 0)
    +        {
    +            error_msg("UID=%ld is not authorized to trigger post-create processing", (long)client_uid);
    +            ret = 403; /* Forbidden */
    +            goto out;
    +        }
    +
             messagebuf_data[messagebuf_len] = '\0';
             return run_post_create(messagebuf_data);
         }
     
         /* Save problem dir */
    -    int ret = 0;
         unsigned pid = convert_pid(problem_info);
         die_if_data_is_missing(problem_info);
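Review bot: In the `CREATION_NOTIFICATION` branch the rejection path leaves through `goto out` with `ret = 403`, but the success path still does `return run_post_create(messagebuf_data);` and bypasses `out`. If `out` performs cleanup, the two exits behave differently; use `ret = run_post_create(messagebuf_data); goto out;`, or return 403 directly, so both paths are symmetric. The `out` label is outside this hunk, so confirm that the jump does not skip initialisation of anything used after the label, which is presumably why `int ret = 0;` moved up.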
     
    

Vulnerability mechanics

Root cause

"Missing authorization checks in ABRT's D-Bus and socket handlers allow unprivileged local users to create problem entries with privileged analyzer types, enabling symlink-based privilege escalation via the event hook scripts."

Attack vector

A local unprivileged user can craft a problem entry via the D-Bus interface or the ABRT socket, setting the `analyzer` or `type` fields to values such as `CCpp`, `Kerneloops`, `vmcore`, or `xorg` [patch_id=2246994]. Because the event-handling scripts for those types run with elevated privileges, the attacker can then use a symlink attack on a file like `var_log_messages` inside the problem directory to overwrite arbitrary files or execute code as root [ref_id=1]. The attacker must be able to communicate with the ABRT daemon over D-Bus or the local socket, which is the default configuration on many systems.

Affected code

The vulnerability spans the D-Bus handler (`src/dbus/abrt-dbus.c`), the server socket handler (`src/daemon/abrt-server.c`), and the new access-control function in `src/lib/hooklib.c`. The `handle_new_problem` function in `abrt-dbus.c` and the `key_value_ok` function in `abrt-server.c` lacked any authorization check before accepting problem entries from non-root callers. The `run_post_create` path in `abrt-server.c` also allowed non-root users to trigger the post-create event hook.

What the fix does

Patch [patch_id=2246994] introduces the `allowed_new_user_problem_entry()` function that rejects non-root users from setting the `analyzer`, `type`, or `basename` fields to the privileged analyzer values `CCpp`, `Kerneloops`, `vmcore`, or `xorg`. This check is added to both the D-Bus handler (`handle_new_problem`) and the socket handler (`key_value_ok`). Patch [patch_id=2246993] removes the per-directory access check in `run_post_create` and instead rejects all non-root callers at the top of the `CREATION_NOTIFICATION` branch, ensuring only root can trigger the post-create event hook. Together these patches prevent unprivileged users from injecting crafted problem data that would cause privileged event scripts to execute.

Preconditions

  • auth: Attacker must have a local unprivileged user account on the system
  • config: ABRT daemon must be running and accepting D-Bus or socket connections (default configuration)
  • input: Attacker must be able to create a symlink in a directory writable by the ABRT daemon

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
