[Pkg-pulseaudio-devel] Bug#537351: pulseaudio: CVE-2009-1894 race allows privilege escalation to root

Nico Golde nion at debian.org
Fri Jul 17 11:56:11 UTC 2009


Source: pulseaudio
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pulseaudio.

CVE-2009-1894[0]:
| Race condition
| 
| If the PulseAudio binary is started on Linux systems, it checks if the
| LD_BIND_NOW environment variable is set. If this is not the case, PulseAudio
| will set the variable and it will reload itself. It tries to determine its path
| name by looking at the /proc/self/exe symbolic link. This symbolic link will
| point to the full path name of the current process.
| 
| int main(int argc, char *argv[]) {
| [...]
| #if defined(__linux__) && defined(__OPTIMIZE__)
|    /*
|       Disable lazy relocations to make usage of external libraries
|       more deterministic for our RT threads. We abuse __OPTIMIZE__ as
|       a check whether we are a debug build or not.
|    */
|    
|    if (!getenv("LD_BIND_NOW")) {
|       char *rp;
|    
|       /* We have to execute ourselves, because the libc caches the
|       * value of $LD_BIND_NOW on initialization. */
|    
|       pa_set_env("LD_BIND_NOW", "1");
|       pa_assert_se(rp = pa_readlink("/proc/self/exe"));
|       pa_assert_se(execv(rp, argv) == 0);
|    }
| #endif
| 
| Normally, /proc/self/exe will point to something like /usr/bin/pulseaudio.
| However by using hard links, it is possible to cause /proc/self/exe to point to
| a different location.
| 
| $ cd /tmp
| $ ls -la /proc/self/exe
| lrwxrwxrwx 1 yorick yorick 0 2009-06-09 16:31 /proc/self/exe -> /bin/ls
| $ ln `which ls` ls
| $ ./ls -la /proc/self/exe
| lrwxrwxrwx 1 yorick yorick 0 2009-06-09 16:31 /proc/self/exe -> /tmp/ls
| 
| In addition, if a hard link is created, the SUID bit is preserved.
| 
| $ ln `which pulseaudio` pulseaudio
| $ ls -la pulseaudio 
| -rwsr-xr-x 2 root root 71616 2009-04-09 02:12 pulseaudio
| 
| A race condition exists in the reload mechanism of PulseAudio. An attacker
| can exploit this issue by creating a hard link pointing to the PulseAudio
| binary. After this it can execute this binary through the hard link. At this
| moment /proc/self/exe will point to the hard link. Before PulseAudio is
| restarted, the attacker can replace the hard link with a different (executable)
| file or (symbolic) link. If PulseAudio is restarted, it will use a path name
| that at this moment points to a different file, for example a command shell.
| Root privileges are not dropped when PulseAudio is reloading, thus allowing a
| local attacker to gain root privileges.
| 
| Please note, this attack is only possible if the attacker can create hard
| links on the same hard disk partition on which PulseAudio is installed (i.e.
| /usr/bin and /tmp reside on the same partition).

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Patch available at http://git.0pointer.de/?p=pulseaudio.git;a=commitdiff_plain;h=84200b423ebfa7e2dad9b1b65f64eac7bf3d2114;hp=ff252cb48d9bd827d262eb2633fecaff47c6fe5c

For further information see:

[0] http://www.akitasecurity.nl/advisory.php?id=AK20090602
    http://security-tracker.debian.net/tracker/CVE-2009-1894

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
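The race described in the quoted advisory is a time-of-check/time-of-use problem: the name read from /proc/self/exe is attacker-influenced (a hard link chooses it), and the file behind that name can change between pa_readlink() and execv(). The following C program is an added illustration, not PulseAudio's code and not the upstream patch linked above. It puts the vulnerable pattern (exec whatever name /proc/self/exe reported) next to a hardened variant that canonicalizes the installed binary's path with realpath(), requires /proc/self/exe to name exactly that file, and re-execs the root-owned install path rather than the reported name. The install path "/usr/bin/pulseaudio" in main() is a constructed demo value; a real daemon would use its compile-time install location.

```c
// Added example (not PulseAudio's code): vulnerable vs. hardened
// choice of the path handed to execv() when a daemon re-executes itself.
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the target of /proc/self/exe into buf (NUL-terminated).
 * Returns the target length, or -1 on error (e.g. no /proc mounted). */
ssize_t read_self_exe(char *buf, size_t n)
{
    if (n == 0)
        return -1;
    ssize_t len = readlink("/proc/self/exe", buf, n - 1);
    if (len < 0)
        return -1;
    buf[len] = '\0';
    return len;
}

/* Vulnerable pattern from the advisory: whatever /proc/self/exe says is
 * copied verbatim and later handed to execv(). Because a hard link lets an
 * unprivileged user choose that name, the file behind the path can be
 * swapped between readlink() and execv(). Returns 0, or -1 if truncated. */
int unsafe_reexec_target(const char *self_exe, char *out, size_t n)
{
    if (strlen(self_exe) >= n)
        return -1;
    strcpy(out, self_exe);
    return 0;
}

/* Hardened variant (an assumed fix for illustration, not upstream's code):
 * canonicalize the *installed* binary path, require that /proc/self/exe
 * names exactly that file, and re-exec the installed path instead of the
 * reported name. The install path lives in a root-owned directory, so a
 * local user cannot replace it. Returns 0 and fills `out`, or -1. */
int hardened_reexec_target(const char *self_exe, const char *install_path,
                           char *out, size_t n)
{
    char canonical[PATH_MAX];

    /* realpath() fails if the install path does not exist at all. */
    if (realpath(install_path, canonical) == NULL)
        return -1;

    /* Refuse to self-exec when started through some other name
     * (hard link in /tmp, copied binary, ...). */
    if (strcmp(self_exe, canonical) != 0)
        return -1;

    if (strlen(canonical) >= n)
        return -1;
    strcpy(out, canonical);
    return 0;
}

int main(void)
{
    char self[PATH_MAX], target[PATH_MAX];

    if (read_self_exe(self, sizeof self) < 0) {
        perror("readlink(/proc/self/exe)");
        return 1;
    }
    printf("/proc/self/exe -> %s\n", self);

    /* Constructed demo value; a real daemon would use its compile-time
     * install location. */
    const char *install_path = "/usr/bin/pulseaudio";

    if (hardened_reexec_target(self, install_path, target, sizeof target) == 0)
        printf("would re-exec %s\n", target);
    else
        printf("refusing to re-exec: started as %s, not as %s\n",
               self, install_path);
    return 0;
}
```

The property that matters is the last step: even after the comparison succeeds, the hardened path execs the canonical install path, never the string read from /proc/self/exe, so an attacker who controls the name has nothing left to swap. On Linux a further option is to skip path lookup entirely with execv("/proc/self/exe", argv), since the kernel resolves that magic link to the inode of the already-running executable rather than to a user-visible path name.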