CVE-2015-5287: ABRT sosreport Privilege Escalation

Exploitation Summary

EIP tracks 4 public exploits for CVE-2015-5287. PoCs published by Metasploit, rebel, rebel, bcoles, including Metasploit module exploits/linux/local/abrt_sosreport_priv_esc.

AI-analyzed exploit summary This Metasploit module exploits CVE-2015-5287, a privilege escalation vulnerability in ABRT's sosreport on RHEL systems. It uses a symlink attack to overwrite the modprobe path, achieving root privileges.

Description

The abrt-hook-ccpp help program in Automatic Bug Reporting Tool (ABRT) before 2.7.1 allows local users with certain permissions to gain privileges via a symlink attack on a file with a predictable name, as demonstrated by /var/tmp/abrt/abrt-hax-coredump or /var/spool/abrt/abrt-hax-coredump.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/47421

View Code ZIP pw:eip

This Metasploit module exploits CVE-2015-5287, a privilege escalation vulnerability in ABRT's sosreport on RHEL systems. It uses a symlink attack to overwrite the modprobe path, achieving root privileges.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: ABRT (Automatic Bug Reporting Tool) versions < 2.1.11-35.el7 on RHEL 7.x

No auth needed

Prerequisites: ABRT configured as crash handler · abrt-ccpp service running · Python installed · Vulnerable ABRT version

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1200 - Hardware Additions

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by rebel · pythonlocalmultiple

https://www.exploit-db.com/exploits/38835

View Code ZIP pw:eip

This exploit leverages CVE-2015-5287 and CVE-2015-5273 to achieve local privilege escalation on CentOS 7.1/Fedora 22 by abusing insecure file operations in abrt-hook-ccpp and abrt-action-install-debuginfo. It manipulates symbolic links and coredump handling to overwrite /proc/sys/kernel/modprobe, leading to root shell execution.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: abrt (Automatic Bug Reporting Tool) on CentOS 7.1/Fedora 22

No auth needed

Prerequisites: Local access to the target system · abrt installed and running · Python interpreter

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by rebel · pythonlocallinux

https://www.exploit-db.com/exploits/38832

View Code ZIP pw:eip

This exploit leverages a race condition in abrt/sosreport on RHEL 7.0/7.1 to achieve local privilege escalation by manipulating symbolic links and triggering a modprobe path override. It creates a suid shell to gain root access.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: abrt/sosreport on RHEL 7.0/7.1

Auth required

Prerequisites: Local access to a vulnerable RHEL 7.0/7.1 system · User permissions to execute scripts

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by rebel, bcoles · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/abrt_sosreport_priv_esc.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2015-5287, a privilege escalation vulnerability in ABRT's sosreport on RHEL systems. It uses a symlink attack to overwrite the modprobe path, achieving root privileges.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: ABRT (Automatic Bug Reporting Tool) versions < 2.1.11-35.el7 on RHEL 7.x

No auth needed

Prerequisites: ABRT configured as crash handler · abrt-ccpp service running · Python installed · Vulnerable ABRT version

MITRE ATT&CK