CVE-2015-3315: ABRT raceabrt Privilege Escalation

Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-3315. PoCs published by Metasploit, Tavis Ormandy, Tavis Ormandy, bcoles, including Metasploit module exploits/linux/local/abrt_raceabrt_priv_esc.

AI-analyzed exploit summary This Metasploit module exploits a race condition in ABRT (CVE-2015-3315) to escalate privileges by changing ownership of /etc/passwd and adding a new root user. It uses a symlink attack on '/var/tmp/abrt/*/maps' to achieve this.

Description

Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink attack on (1) /var/tmp/abrt/*/maps, (2) /tmp/jvm-*/hs_error.log, (3) /proc/*/exe, (4) /etc/os-release in a chroot, or (5) an unspecified root directory related to librpm.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/44097

View Code ZIP pw:eip

This Metasploit module exploits a race condition in ABRT (CVE-2015-3315) to escalate privileges by changing ownership of /etc/passwd and adding a new root user. It uses a symlink attack on '/var/tmp/abrt/*/maps' to achieve this.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: ABRT (Automatic Bug Reporting Tool) versions 2.1.5-1.fc19, 2.2.1-1.fc19, 2.2.2-2.fc20

No auth needed

Prerequisites: Local access to a vulnerable Fedora system with ABRT configured as the crash handler · Write permissions in a directory (default: /tmp) · /etc/passwd not being immutable

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1134.001 - Token Impersonation/Theft

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Tavis Ormandy · clocallinux

https://www.exploit-db.com/exploits/36747

View Code ZIP pw:eip

This exploit leverages a race condition in ABRT (Automatic Bug Reporting Tool) on Fedora 21 to gain ownership of arbitrary files by manipulating symlinks during crash report generation. It uses inotify to monitor ABRT's temporary directory and attempts to replace the 'maps' file with a symlink to the target file.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: ABRT on Fedora 21

No auth needed

Prerequisites: Local access to a vulnerable Fedora 21 system · ABRT service running

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Tavis Ormandy, bcoles · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb

View Code ZIP pw:eip

This Metasploit module exploits a race condition in ABRT (CVE-2015-3315) to escalate privileges by changing ownership of /etc/passwd and adding a new root user. It uses a symlink attack on /var/tmp/abrt/*/maps to achieve this.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: ABRT (Automatic Bug Reporting Tool) versions 2.1.5-1.fc19, 2.1.11-12.el7, 2.2.1-1.fc19, 2.2.2-2.fc20, 2.3.0-3.fc21

No auth needed

Prerequisites: Local access to a vulnerable Linux system with ABRT configured as the crash handler · ABRT service (abrt-ccpp) running · Write access to a directory (default: /tmp)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1222 - File and Directory Permissions Modification

devstral-2 · analyzed Feb 16, 2026 Full analysis →