Vigil@nce: PulseAudio, privilege elevation
July 2009 by Vigil@nce
A local attacker can use some installations of PulseAudio in order
to obtain root privileges.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 17/07/2009
IMPACTED PRODUCTS
– Debian Linux
– Mandriva Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The PulseAudio program is a proxy for audio applications. On some
systems, it is installed suid root.
When it is started, it changes an environment variable, and
automatically restarts. To restart itself, it reads the
/proc/self/exe link in order to know its own file name (for
example /usr/bin/pulseaudio).
However, a local attacker who can write to the filesystem where
PulseAudio is installed (for example if /usr/bin and /tmp are on
the same filesystem) can create a hard link to
/usr/bin/pulseaudio, so that /proc/self/exe refers to the link,
and then replace it with another program before the restart. This
other program is thus run with root privileges.
A local attacker can therefore use some installations of
PulseAudio in order to obtain root privileges.
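A defensive check for the precondition described above, as an added
example that is not part of the Vigil@nce bulletin: it reports whether
a binary is setuid root and shares a filesystem with a world-writable
directory, and reads the Linux fs.protected_hardlinks setting. The
function names and the directory list are assumptions made for
illustration.

```python
import os
import stat

def hardlink_exposure(binary, candidate_dirs, privileged_uid=0):
    """Report whether `binary` meets the advisory's precondition:
    setuid, owned by the privileged uid, and sharing a filesystem with a
    world-writable directory (hard links cannot cross filesystems)."""
    st = os.stat(binary)
    is_setuid = bool(st.st_mode & stat.S_ISUID) and st.st_uid == privileged_uid
    same_fs = []
    for d in candidate_dirs:
        try:
            ds = os.stat(d)
        except OSError:
            continue  # directory absent on this host
        world_writable = stat.S_ISDIR(ds.st_mode) and bool(ds.st_mode & stat.S_IWOTH)
        if world_writable and ds.st_dev == st.st_dev:
            same_fs.append(d)
    return {"setuid": is_setuid, "same_fs_dirs": same_fs,
            "exposed": is_setuid and bool(same_fs)}

def protected_hardlinks(path="/proc/sys/fs/protected_hardlinks"):
    """Return the kernel hard-link restriction setting, or None if absent."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    # /usr/bin/pulseaudio is the path named in the advisory; the directory
    # list is an assumption about common world-writable locations.
    target = "/usr/bin/pulseaudio"
    if os.path.exists(target):
        print(hardlink_exposure(target, ["/tmp", "/var/tmp", "/dev/shm"]))
        print("fs.protected_hardlinks =", protected_hardlinks())
    else:
        print(target, "not installed")
```

An "exposed" result only means the configuration matches the one the
bulletin describes; a non-zero fs.protected_hardlinks value restricts
the hard-link step on kernels that provide it.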
CHARACTERISTICS
Identifiers: AK20090602, CVE-2009-1894, DSA 1838-1,
MDVSA-2009:152, VIGILANCE-VUL-8872
http://vigilance.fr/vulnerability/PulseAudio-privilege-elevation-8872