Vulnerabilities > CVE-2000-0864 - Race Condition vulnerability in Gnome Esound 0.2.19

047910
CVSS 6.2 - MEDIUM
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
high complexity
gnome
CWE-362
nessus
exploit available

Summary

Race condition in the creation of a Unix domain socket in GNOME esound 0.2.19 and earlier allows a local user to change the permissions of arbitrary files and directories, and gain additional privileges, via a symlink attack.

Vulnerable Configurations

Part Description Count
Application
Gnome
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Exploit-Db

descriptionGNOME esound 0.2.19 Unix Domain Socket Race Condition Vulnerability. CVE-2000-0864. Local exploit for unix platform
idEDB-ID:20212
last seen2016-02-02
modified2000-08-31
published2000-08-31
reporterKris Kennaway
sourcehttps://www.exploit-db.com/download/20212/
titleGNOME esound 0.2.19 Unix Domain Socket Race Condition Vulnerability

Nessus

NASL familyMandriva Local Security Checks
NASL idMANDRAKE_MDKSA-2000-051.NASL
descriptionA problem exists with the esound daemon, which is used in GNOME and responsible for multiplexing access to audio devices. Versions of esound prior to and including 0.2.19 create a world-writable directory in /tmp called .esd which is owned by the user running esound. This directory is used to store a unix domain socket. The socket is also created world-writable, so a race condition exists in the creation of this socket which allows a local attacker to cause an arbitrary file or directory owned by the user running esound to become world-writable. This update contains a patch from FreeBSD which creates ~/.esd as the temporary directory to use and makes the unix domain socket read and write only to the user.
last seen2020-06-01
modified2020-06-02
plugin id61841
published2012-09-06
reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/61841
titleMandrake Linux Security Advisory : esound (MDKSA-2000:051)
code
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandrake Linux Security Advisory MDKSA-2000:051. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(61841);
  script_version("1.5");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  script_cve_id("CVE-2000-0864");
  script_xref(name:"MDKSA", value:"2000:051");

  script_name(english:"Mandrake Linux Security Advisory : esound (MDKSA-2000:051)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A problem exists with the esound daemon, which is used in GNOME and
responsible for multiplexing access to audio devices. Versions of
esound prior to and including 0.2.19 create a world-writable directory
in /tmp called .esd which is owned by the user running esound. This
directory is used to store a unix domain socket. The socket is also
created world-writable, so a race condition exists in the creation of
this socket which allows a local attacker to cause an arbitrary file
or directory owned by the user running esound to become
world-writable. This update contains a patch from FreeBSD which
creates ~/.esd as the temporary directory to use and makes the unix
domain socket read and write only to the user."
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected esound and / or esound-devel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C");
  script_cwe_id(362);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:esound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:esound-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:6.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:6.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2000/09/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK6.0", cpu:"i386", reference:"esound-0.2.17-3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK6.0", cpu:"i386", reference:"esound-devel-0.2.17-3mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK6.1", cpu:"i386", reference:"esound-0.2.17-3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK6.1", cpu:"i386", reference:"esound-devel-0.2.17-3mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"esound-0.2.17-3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"esound-devel-0.2.17-3mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"esound-0.2.17-3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"esound-devel-0.2.17-3mdk", yank:"mdk")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

Redhat

advisories
rhsa
idRHSA-2000:077