Vulnerabilities > CVE-2009-1894 - Race Condition vulnerability in Pulseaudio 0.9.10/0.9.14/0.9.9
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome depends on the order in which those accesses take place. The attacker "runs the race" by modifying the resource at the right moment and so diverting the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker replaces the original file with a version of their own and causes the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition between the time a resource's state is checked and the time the resource is used. The typical example is file access. The attacker "runs the race" by modifying the resource between the program's first access to the file (the check) and its later use of it, for example by replacing the file, and thereby escalates privilege.
Exploit-Db
description | PulseAudio setuid Local Privilege Escalation Exploit. CVE-2009-1894. Local exploit for the Linux platform |
id | EDB-ID:9207 |
last seen | 2016-02-01 |
modified | 2009-07-20 |
published | 2009-07-20 |
reporter | N/A |
source | https://www.exploit-db.com/download/9207/ |
title | PulseAudio setuid - Local Privilege Escalation Exploit |
Nessus
NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-804-1.NASL |
description | Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that PulseAudio did not safely re-execute itself. A local attacker could exploit this to gain root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 39851 |
published | 2009-07-17 |
reporter | Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/39851 |
title | Ubuntu 8.04 LTS / 8.10 / 9.04 : pulseaudio vulnerability (USN-804-1) |
code |

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-804-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(39851);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:33:02");

  script_cve_id("CVE-2009-1894");
  script_xref(name:"USN", value:"804-1");

  script_name(english:"Ubuntu 8.04 LTS / 8.10 / 9.04 : pulseaudio vulnerability (USN-804-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security-related patches.");
  script_set_attribute(attribute:"description", value:
"Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that
PulseAudio did not safely re-execute itself. A local attacker could
exploit this to gain root privileges.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://usn.ubuntu.com/804-1/");
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(362);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-browse0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-browse0-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-mainloop-glib0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse-mainloop-glib0-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulse0-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulsecore5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulsecore5-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulsecore9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpulsecore9-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-esound-compat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-esound-compat-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-gconf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-gconf-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-hal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-hal-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-lirc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-lirc-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-x11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-x11-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-zeroconf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-zeroconf-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-utils-dbg");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.04");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/07/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(8\.04|8\.10|9\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 8.04 / 8.10 / 9.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;
if (ubuntu_check(osver:"8.04", pkgname:"libpulse-browse0", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libpulse-browse0-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libpulse-dev", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libpulse-mainloop-glib0", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libpulse-mainloop-glib0-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libpulse0", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libpulse0-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libpulsecore5", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libpulsecore5-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-esound-compat", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-esound-compat-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-gconf", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-gconf-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-hal", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-hal-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-lirc", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-lirc-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-x11", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-x11-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-zeroconf", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-module-zeroconf-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-utils", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"pulseaudio-utils-dbg", pkgver:"0.9.10-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libpulse-browse0", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libpulse-browse0-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libpulse-dev", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libpulse-mainloop-glib0", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libpulse-mainloop-glib0-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libpulse0", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libpulse0-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libpulsecore5", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libpulsecore5-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-esound-compat", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-esound-compat-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-gconf", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-gconf-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-hal", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-hal-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-lirc", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-lirc-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-x11", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-x11-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-zeroconf", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-module-zeroconf-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-utils", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"pulseaudio-utils-dbg", pkgver:"0.9.10-2ubuntu9.4")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"libpulse-browse0", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"libpulse-browse0-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"libpulse-dev", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"libpulse-mainloop-glib0", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"libpulse-mainloop-glib0-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"libpulse0", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"libpulse0-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"libpulsecore9", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"libpulsecore9-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio", pkgver:"1:0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-esound-compat", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-esound-compat-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-gconf", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-gconf-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-hal", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-hal-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-lirc", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-lirc-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-x11", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-x11-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-zeroconf", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-module-zeroconf-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-utils", pkgver:"0.9.14-0ubuntu20.2")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"pulseaudio-utils-dbg", pkgver:"0.9.14-0ubuntu20.2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpulse-browse0 / libpulse-browse0-dbg / libpulse-dev / etc");
}
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-1838.NASL |
description | Tavis Ormandy and Julien Tinnes discovered that the pulseaudio daemon does not drop privileges before re-executing itself, enabling local attackers to increase their privileges. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44703 |
published | 2010-02-24 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/44703 |
title | Debian DSA-1838-1 : pulseaudio - privilege escalation |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200907-13.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200907-13 (PulseAudio: Local privilege escalation). Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that the pulseaudio binary is installed setuid root, and does not drop privileges before re-executing itself. The vulnerability has independently been reported to oCERT by Yorick Koster. Impact: A local user who has write access to any directory on the file system containing /usr/bin can exploit this vulnerability using a race condition to execute arbitrary code with root privileges. Workaround: Ensure that the file system holding /usr/bin does not contain directories that are writable for unprivileged users. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 39848 |
published | 2009-07-17 |
reporter | This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/39848 |
title | GLSA-200907-13 : PulseAudio: Local privilege escalation |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2009-152.NASL |
description | A vulnerability has been found and corrected in pulseaudio: Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that pulseaudio, when installed setuid root, does not drop privileges before re-executing itself to achieve immediate bindings. This can be exploited by a user who has write access to any directory on the file system containing /usr/bin to gain local root access. The user needs to exploit a race condition related to creating a hard link (CVE-2009-1894). This update provides fixes for this vulnerability. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 39871 |
published | 2009-07-20 |
reporter | This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/39871 |
title | Mandriva Linux Security Advisory : pulseaudio (MDVSA-2009:152) |
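The re-exec pattern that the Summary and the advisories above describe, as an added example that is not PulseAudio's code or any distribution's patch: a hypothetical reconstruction of the readlink("/proc/self/exe") then execv() sequence while still euid 0, next to a hardened variant that binds to the opened file rather than to a path name (fexecve on a descriptor that has been fstat-checked) and gives up the setuid privilege before the second exec, followed by two defender-side checks for the preconditions the GLSA and Mandriva texts state: an unprivileged-writable directory on the same filesystem as /usr/bin, and a hard link to the setuid binary. The path /usr/bin/pulseaudio, the default directory /tmp and all function names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

extern char **environ;

/* Path the kernel reports for the running image. For a setuid binary started
   through a hard link, this is the link's path, i.e. a directory the attacker
   controls if the link lives in a directory they can write to. */
char *resolve_self_exe(void) {
    char buf[PATH_MAX];
    ssize_t n = readlink("/proc/self/exe", buf, sizeof(buf) - 1);
    if (n < 0) return NULL;
    buf[n] = '\0';
    return strdup(buf);
}

/* Vulnerable shape (reconstruction, not PulseAudio source): a name is resolved,
   then exec'd later by name with euid still 0. Between the two calls the
   directory entry can be replaced, so root execs whatever is there by then. */
int reexec_vulnerable(char *const argv[]) {
    char *path = resolve_self_exe();
    if (path == NULL) return -1;
    setenv("LD_BIND_NOW", "1", 1);
    execv(path, argv);              /* TOCTOU window closes here; returns only on failure */
    free(path);
    return -1;
}

/* 1 if the open file is a regular file owned by trusted_uid and not writable
   by group or others; 0 otherwise. Checking the descriptor, not a path, means
   the thing checked is exactly the thing later executed. */
int exec_target_is_trusted(int fd, uid_t trusted_uid) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != trusted_uid) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Hardened shape: open once, verify the inode, drop the setuid privilege,
   then fexecve the same descriptor. Swapping the directory entry after
   open() no longer changes what runs, and even a wrong target would run
   as the real user, not root. */
int reexec_hardened(char *const argv[]) {
    int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    if (!exec_target_is_trusted(fd, 0)) { close(fd); return -1; }
    uid_t real = getuid();
    if (setresuid(real, real, real) != 0) { close(fd); return -1; }
    setenv("LD_BIND_NOW", "1", 1);
    fexecve(fd, argv, environ);     /* returns only on failure */
    close(fd);
    return -1;
}

/* Precondition check: a hard link needs both ends on one filesystem.
   Returns 1 if a and b share st_dev, 0 if not, -1 on error. */
int same_filesystem(const char *a, const char *b) {
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0) return -1;
    return sa.st_dev == sb.st_dev;
}

/* Detection: a setuid binary with more than one link has been hard-linked
   somewhere. Returns the link count, or -1 on error. */
long link_count(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (long) st.st_nlink;
}

int main(int argc, char **argv) {
    const char *bin = argc > 1 ? argv[1] : "/usr/bin/pulseaudio";  /* assumed install path */
    const char *dir = argc > 2 ? argv[2] : "/tmp";                  /* assumed writable dir */
    printf("%s link count: %ld\n", bin, link_count(bin));
    printf("%s and %s on the same filesystem: %d\n", bin, dir, same_filesystem(bin, dir));
    return 0;
}
```

Build with cc -o reexec reexec.c and run ./reexec /usr/bin/pulseaudio /tmp: a link count above 1 on the setuid binary, or a 1 from the filesystem check, are the two facts the race needs, and the GLSA workaround (no unprivileged-writable directory on the filesystem holding /usr/bin) is exactly what makes the second check return 0. On Linux 3.6 and later the sysctl fs.protected_hardlinks=1 additionally refuses hard links to files the caller does not own, which removes the link-creation step for unprivileged users; it is not a substitute for the updated packages, which fix the unsafe re-exec itself.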
Packetstorm
data source | https://packetstormsecurity.com/files/download/94955/gnuc-origin.txt |
id | PACKETSTORM:94955 |
last seen | 2016-12-05 |
published | 2010-10-19 |
reporter | Tavis Ormandy |
source | https://packetstormsecurity.com/files/94955/GNU-C-Library-Dynamic-Linker-ORIGIN-Expansion-Vulnerability.html |
title | GNU C Library Dynamic Linker $ORIGIN Expansion Vulnerability |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:70027 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-70027 |
title | GNU C library dynamic linker $ORIGIN expansion Vulnerability |

bulletinFamily | exploit |
description | BUGTRAQ ID: 35724. CVE(CAN) ID: CVE-2009-1894. The Linux kernel is the kernel used by the open-source Linux operating system. The tun_chr_poll() function in drivers/net/tun.c of the Linux kernel contains a NULL pointer dereference, triggered by the following sequence:

#include <fcntl.h>
#include <poll.h>

int main(void)
{
    int fd;
    struct pollfd pfd;

    fd = open("/dev/net/tun", O_RDWR);
    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0);
    return 0;
}

A user who performs open() and poll() on the tun device can trigger this vulnerability, causing a crash or execution of arbitrary instructions with root privileges. Successful exploitation requires that the kernel was compiled with GCC's -fdelete-null-pointer-checks optimization. Affected: Linux kernel 2.6.30. Vendor patch: Linux: the vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 |
id | SSV:11842 |
last seen | 2017-11-19 |
modified | 2009-07-20 |
published | 2009-07-20 |
reporter | Root |
title | Linux Kernel tun_chr_poll() function NULL pointer dereference vulnerability |

Note on the cross-references: SSV:11842 describes the Linux kernel tun_chr_poll() NULL pointer dereference (BID 35724, tracked separately as CVE-2009-1897), a different bug published by the same researchers on the same day, not the PulseAudio setuid re-exec race; the PulseAudio issue is BID 35721, as listed under References below. SSV:70027 and the Packetstorm entry above concern the 2010 glibc dynamic-linker $ORIGIN issue, which is likewise a separate vulnerability.
References
- http://taviso.decsystem.org/research.html
- https://bugzilla.redhat.com/show_bug.cgi?id=510071
- http://www.ubuntu.com/usn/usn-804-1
- http://security.gentoo.org/glsa/glsa-200907-13.xml
- https://admin.fedoraproject.org/updates/pulseaudio-0.9.10-1.el5.2
- http://www.securityfocus.com/bid/35721
- http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html
- http://secunia.com/advisories/35868
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:152
- http://secunia.com/advisories/35886
- http://www.debian.org/security/2009/dsa-1838
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:171
- http://secunia.com/advisories/35896
- http://www.akitasecurity.nl/advisory.php?id=AK20090602
- https://exchange.xforce.ibmcloud.com/vulnerabilities/51804
- http://www.securityfocus.com/archive/1/505052/100/0/threaded