CVE-2009-1894 - Race Condition vulnerability in Pulseaudio 0.9.10/0.9.14/0.9.9

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
pulseaudio
CWE-362
nessus
exploit available

Summary

Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.

Vulnerable Configurations

Part        | Description | Count
Application | Pulseaudio  | 3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Exploit-Db

description: PulseAudio setuid Local Privilege Escalation Exploit. CVE-2009-1894. Local exploit for windows platform
id: EDB-ID:9207
last seen: 2016-02-01
modified: 2009-07-20
published: 2009-07-20
reporter: N/A
source: https://www.exploit-db.com/download/9207/
title: PulseAudio setuid - Local Privilege Escalation Exploit

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-804-1.NASL
    description: Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that PulseAudio did not safely re-execute itself. A local attacker could exploit this to gain root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39851
    published: 2009-07-17
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/39851
    title: Ubuntu 8.04 LTS / 8.10 / 9.04 : pulseaudio vulnerability (USN-804-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-804-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(39851);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:33:02");
    
      script_cve_id("CVE-2009-1894");
      script_xref(name:"USN", value:"804-1");
    
      script_name(english:"Ubuntu 8.04 LTS / 8.10 / 9.04 : pulseaudio vulnerability (USN-804-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that
    PulseAudio did not safely re-execute itself. A local attacker could
    exploit this to gain root privileges.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/804-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(362);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-browse0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-browse0-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-mainloop-glib0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-mainloop-glib0-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse0-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulsecore5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulsecore5-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulsecore9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulsecore9-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-esound-compat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-esound-compat-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-gconf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-gconf-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-hal");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-hal-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-lirc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-lirc-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-x11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-x11-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-zeroconf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-zeroconf-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-utils-dbg");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.04");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(8\.04|8\.10|9\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 8.04 / 8.10 / 9.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"8.04", pkgname:"libpulse-browse0", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libpulse-browse0-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libpulse-dev", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libpulse-mainloop-glib0", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libpulse-mainloop-glib0-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libpulse0", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libpulse0-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libpulsecore5", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libpulsecore5-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-esound-compat", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-esound-compat-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-gconf", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-gconf-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-hal", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-hal-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-lirc", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-lirc-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-x11", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-x11-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-zeroconf", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-zeroconf-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-utils", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-utils-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpulse-browse0", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpulse-browse0-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpulse-dev", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpulse-mainloop-glib0", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpulse-mainloop-glib0-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpulse0", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpulse0-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpulsecore5", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpulsecore5-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-esound-compat", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-esound-compat-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-gconf", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-gconf-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-hal", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-hal-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-lirc", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-lirc-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-x11", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-x11-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-zeroconf", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-zeroconf-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-utils", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-utils-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpulse-browse0", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpulse-browse0-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpulse-dev", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpulse-mainloop-glib0", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpulse-mainloop-glib0-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpulse0", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpulse0-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpulsecore9", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpulsecore9-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio", pkgver:"1:0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-esound-compat", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-esound-compat-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-gconf", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-gconf-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-hal", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-hal-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-lirc", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-lirc-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-x11", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-x11-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-zeroconf", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-zeroconf-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-utils", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-utils-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpulse-browse0 / libpulse-browse0-dbg / libpulse-dev / etc");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1838.NASL
    description: Tavis Ormandy and Julien Tinnes discovered that the pulseaudio daemon does not drop privileges before re-executing itself, enabling local attackers to increase their privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44703
    published: 2010-02-24
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44703
    title: Debian DSA-1838-1 : pulseaudio - privilege escalation
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200907-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200907-13 (PulseAudio: Local privilege escalation). Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that the pulseaudio binary is installed setuid root, and does not drop privileges before re-executing itself. The vulnerability has independently been reported to oCERT by Yorick Koster. Impact: A local user who has write access to any directory on the file system containing /usr/bin can exploit this vulnerability using a race condition to execute arbitrary code with root privileges. Workaround: Ensure that the file system holding /usr/bin does not contain directories that are writable for unprivileged users.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39848
    published: 2009-07-17
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39848
    title: GLSA-200907-13 : PulseAudio: Local privilege escalation
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-152.NASL
    description: A vulnerability has been found and corrected in pulseaudio: Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that pulseaudio, when installed setuid root, does not drop privileges before re-executing itself to achieve immediate bindings. This can be exploited by a user who has write access to any directory on the file system containing /usr/bin to gain local root access. The user needs to exploit a race condition related to creating a hard link (CVE-2009-1894). This update provides fixes for this vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39871
    published: 2009-07-20
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39871
    title: Mandriva Linux Security Advisory : pulseaudio (MDVSA-2009:152)

Packetstorm

data source: https://packetstormsecurity.com/files/download/94955/gnuc-origin.txt
id: PACKETSTORM:94955
last seen: 2016-12-05
published: 2010-10-19
reporter: Tavis Ormandy
source: https://packetstormsecurity.com/files/94955/GNU-C-Library-Dynamic-Linker-ORIGIN-Expansion-Vulnerability.html
title: GNU C Library Dynamic Linker $ORIGIN Expansion Vulnerability

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:70027
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-70027
    title: GNU C library dynamic linker $ORIGIN expansion Vulnerability
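  • bulletinFamily: exploit
    description: BUGTRAQ ID: 35724 CVE(CAN) ID: CVE-2009-1894 The Linux Kernel is the kernel used by the open-source operating system Linux. The tun_chr_poll() function in the Linux Kernel's drivers/net/tun.c file contains a NULL pointer dereference error: int fd; struct pollfd pfd; fd = open("/dev/net/tun", O_RDWR); pfd.fd = fd; pfd.events = POLLIN | POLLOUT; poll(&pfd, 1, 0); If a user performs open() and poll() operations on the tun device, this vulnerability can be triggered, leading to a crash or to execution of arbitrary instructions with root privileges. A successful attack requires that the kernel was compiled with GCC's -fdelete-null-pointer-checks optimization. Linux kernel 2.6.30 Vendor patch: Linux ----- The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
    id: SSV:11842
    last seen: 2017-11-19
    modified: 2009-07-20
    published: 2009-07-20
    reporter: Root
    title: Linux Kernel tun_chr_pool() function NULL pointer dereference vulnerability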