Vulnerabilities > CVE-2018-0492 - Race Condition vulnerability in multiple products
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Johnathan Nightingale beep through 1.3.4, if setuid, has a race condition that allows local privilege escalation.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 12 | |
| OS | 3 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Exploit-Db
| description | GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation. CVE-2018-0492. Local exploit for Linux platform |
| file | exploits/linux/local/44452.py |
| id | EDB-ID:44452 |
| last seen | 2018-05-24 |
| modified | 2018-04-06 |
| platform | linux |
| port | |
| published | 2018-04-06 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/44452/ |
| title | GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation |
| type | local |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1338.NASL description It was discovered that there was a local privilege escalation vulnerability in beep, an last seen 2020-03-17 modified 2018-04-04 plugin id 108814 published 2018-04-04 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108814 title Debian DLA-1338-1 : beep security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1338-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(108814); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2018-0492"); script_name(english:"Debian DLA-1338-1 : beep security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "It was discovered that there was a local privilege escalation vulnerability in beep, an 'advanced PC speaker beeper'. For Debian 7 'Wheezy', this issue has been fixed in beep version 1.3-3+deb7u1. We recommend that you upgrade your beep packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2018/04/msg00002.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/beep" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected beep, and beep-udeb packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:beep"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:beep-udeb"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"beep", reference:"1.3-3+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"beep-udeb", reference:"1.3-3+deb7u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4163.NASL description It was discovered that a race condition in beep (if configured as setuid via debconf) allows local privilege escalation. last seen 2020-06-01 modified 2020-06-02 plugin id 108789 published 2018-04-03 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108789 title Debian DSA-4163-1 : beep - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4163. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(108789); script_version("1.7"); script_cvs_date("Date: 2019/04/05 23:25:05"); script_cve_id("CVE-2018-0492"); script_xref(name:"DSA", value:"4163"); script_name(english:"Debian DSA-4163-1 : beep - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that a race condition in beep (if configured as setuid via debconf) allows local privilege escalation." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/beep" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/beep" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/beep" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2018/dsa-4163" ); script_set_attribute( attribute:"solution", value: "Upgrade the beep packages. For the oldstable distribution (jessie), this problem has been fixed in version 1.3-3+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 1.3-4+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:beep"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"beep", reference:"1.3-3+deb8u1")) flag++; if (deb_check(release:"9.0", prefix:"beep", reference:"1.3-4+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201805-15.NASL description The remote host is affected by the vulnerability described in GLSA-201805-15 (beep: Local privilege escalation) A race condition, if setuid, was discovered in beep. Impact : A local attacker could escalate privileges. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 110256 published 2018-05-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110256 title GLSA-201805-15 : beep: Local privilege escalation code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201805-15. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(110256); script_version("1.4"); script_cvs_date("Date: 2019/04/05 23:25:06"); script_cve_id("CVE-2018-0492"); script_xref(name:"GLSA", value:"201805-15"); script_name(english:"GLSA-201805-15 : beep: Local privilege escalation"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201805-15 (beep: Local privilege escalation) A race condition, if setuid, was discovered in beep. Impact : A local attacker could escalate privileges. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201805-15" ); script_set_attribute( attribute:"solution", value: "All beep users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=app-misc/beep-1.3-r3'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:beep"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"app-misc/beep", unaffected:make_list("ge 1.3-r3"), vulnerable:make_list("lt 1.3-r3"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "beep"); }
Seebug
| bulletinFamily | exploit |
| description | ### Introduction Back in the old days, people were using the `\a` character to emit a horrible 'beep' sound from their speaker. It was a bit annoying, especially if you wanted more complicated stuff to do 8bits-like musics. That's why [Johnathan Nightingale](https://github.com/johnath/) made the beep software. A very simple and short software to let you fine-tune your beeps as you wish. With the arrival of the X server, things started to be a bit more complicated. For beep to work, the user must either be the superuser or own the current tty. It means that beep will always work for the root user or any local user, but not if it's a non-root remote user. And guess what, any terminal (like xterm) connected to the X server is considered as 'remote', and therefore beep won't work. The solution that most people (and distros) are using is to set the SUID bit. The SUID bit is a special bit that, when set on a binary, launches it with its owner's rights (here root) instead of the normal user (you). This bit is used quite a lot nowadays, mostly for convenience. An example is poweroff: it requires root privileges to work (only the root user can shut down the computer), but that would be overkill on a personal computer. If you were the sysadmin of a company and each user would need to ask you to shut down their computer, it would be annoying. On the other hand, on a server shared among multiple users, the ability for one malicious user to shut down the whole system is a serious security concern. Of course, all SUID programs are potential security holes. Put it on bash, and it's free root-shell for everyone. That's why such programs are heavily reviewed by the community. So one might think that a program like beep, only 375 lines of code, reviewed by a bunch of people, should be safe to install, even with a SUID bit, right? Well, it's not! ### Understanding the code Take a look at the beep source code, available [here](https://github.com/johnath/beep/blob/master/beep.c). The main function sets some signal handlers, parses the arguments, and for each beep requested it calls play_beep(). ``` int main(int argc, char **argv) { /* ... */ signal(SIGINT, handle_signal); signal(SIGTERM, handle_signal); parse_command_line(argc, argv, parms); while(parms) { beep_parms_t *next = parms->next; if(parms->stdin_beep) { /* ... */ } else { play_beep(*parms); } /* Junk each parms struct after playing it */ free(parms); parms = next; } if(console_device) free(console_device); return EXIT_SUCCESS; } ``` On the other hand, play_beep() opens the targeted device, looks for its type and calls do_beep() for each repetitions. ``` void play_beep(beep_parms_t parms) { /* ... */ /* try to snag the console */ if(console_device) console_fd = open(console_device, O_WRONLY); else if((console_fd = open("/dev/tty0", O_WRONLY)) == -1) console_fd = open("/dev/vc/0", O_WRONLY); if(console_fd == -1) { /* ... */ } if (ioctl(console_fd, EVIOCGSND(0)) != -1) console_type = BEEP_TYPE_EVDEV; else console_type = BEEP_TYPE_CONSOLE; /* Beep */ for (i = 0; i < parms.reps; i++) { /* start beep */ do_beep(parms.freq); usleep(1000*parms.length); /* wait... */ do_beep(0); /* stop beep */ if(parms.end_delay || (i+1 < parms.reps)) usleep(1000*parms.delay); /* wait... */ } /* repeat. */ close(console_fd); } ``` `do_beep()` itself is simply calling the correct function to make the sound, depending on the type of the targeted device: ``` void do_beep(int freq) { int period = (freq != 0 ? (int)(CLOCK_TICK_RATE/freq) : freq); if(console_type == BEEP_TYPE_CONSOLE) { if(ioctl(console_fd, KIOCSOUND, period) < 0) { putchar('\a'); perror("ioctl"); } } else { /* BEEP_TYPE_EVDEV */ struct input_event e; e.type = EV_SND; e.code = SND_TONE; e.value = freq; if(write(console_fd, &e, sizeof(struct input_event)) < 0) { putchar('\a'); /* See above */ perror("write"); } } } ``` The signal handler is pretty straightforward: it frees the targeted device (a char *) and, if it was opened, stops the sound by calling do_beep(0). ``` /* If we get interrupted, it would be nice to not leave the speaker beeping in perpetuity. */ void handle_signal(int signum) { if(console_device) free(console_device); switch(signum) { case SIGINT: case SIGTERM: if(console_fd >= 0) { /* Kill the sound, quit gracefully */ do_beep(0); close(console_fd); exit(signum); } else { /* Just quit gracefully */ exit(signum); } } } ``` So, what do we have? The first thing that caught my attention was that if SIGINT and SIGTERM are sent at the same time, there is a risk of double free(). But apart from crashing the program, I couldn't find any useful way to exploit it, as console_device isn't used anywhere after that. So, ideally, what do we want? This write() in do_beep() looks good, right? Would be cool to use it to write in an arbitrary file! But this write is protected by console_type, which must be BEEP_TYPE_EVDEV. console_type is set in play_beep(), depending on the return value of ioctl(). To be considered a BEEP_TYPE_EVDEV, ioctl() must say so. And that's the thing, we can't make ioctl() lie to beep. If the file isn't a device file, ioctl() will fail, device_type will not be BEEP_TYPE_EVDEV and do_beep() will not call write() (it will use ioctl() instead, which is, as far as I know, harmless in this context).` But remember there is also a signal handler, and signals can happen at any time! They are perfect for race conditions. ### The race condition This signal handler calls do_beep(). If we have the good values in console_fd and console_type at that moment, we will be able to write in the targeted file. As signals can be called at any point, we need to find the exact location where both of these variables do not hold their correct values. Remember play_beep()? Here is the code: ``` void play_beep(beep_parms_t parms) { /* ... */ /* try to snag the console */ if(console_device) console_fd = open(console_device, O_WRONLY); else if((console_fd = open("/dev/tty0", O_WRONLY)) == -1) console_fd = open("/dev/vc/0", O_WRONLY); if(console_fd == -1) { /* ... */ } if (ioctl(console_fd, EVIOCGSND(0)) != -1) console_type = BEEP_TYPE_EVDEV; else console_type = BEEP_TYPE_CONSOLE; /* Beep */ for (i = 0; i < parms.reps; i++) { /* start beep */ do_beep(parms.freq); usleep(1000*parms.length); /* wait... */ do_beep(0); /* stop beep */ if(parms.end_delay || (i+1 < parms.reps)) usleep(1000*parms.delay); /* wait... */ } /* repeat. */ close(console_fd); } ``` It is called for each requested beep. If a previous call was successful, console_fd and console_type will still hold their old values. Which means there is a small portion of code (line 285 to 293) where console_fd holds its new value and console_type still holds its old one. This is it. This is our race condition. This is the moment where we want to trigger the signal handler. ### Writing an exploit Writing the exploit wasn't easy. Finding the good timing was a real pain in the ass. The path to the targeted device (console_device) cannot be changed after beep is started. The trick is to make a symlink, first pointing to a valid device, and then to the targeted file. Now that we can write to the targeted file, we need to know what to write. The call made to write is the following one: ``` struct input_event e; e.type = EV_SND; e.code = SND_TONE; e.value = freq; if(write(console_fd, &e, sizeof(struct input_event)) < 0) { putchar('\a'); /* See above */ perror("write"); } ``` The structure struct input_event is defined in linux/input.h as follow: ``` struct input_event { struct timeval time; __u16 type; __u16 code; __s32 value; }; struct timeval { __kernel_time_t tv_sec; /* seconds */ __kernel_suseconds_t tv_usec; /* microseconds */ }; ``` // On my system, sizeof(struct timeval) is 16. The time member is not assigned in beep's source code, and it's the first element of the structure, so its value will be the first bytes of the targeted file after the attack. Maybe we can trick the stack to make it hold the value we want? With a bit of luck and a lot of die-and-retry, I found out that the value of the -l parameter will be placed there, followed by a \0. It's an int, which gives us 4 bytes. 4 bytes that we can write in any existing file. I decided to write /*/x. In a shell-script, it will execute the program (hand-crafted before) /tmp/x. By targetting a file like /etc/profile or /etc/bash/bashrc, we will gain full access of each user logging in. I wrote a small python script, (available [here](https://gist.github.com/Arignir/0b9d45c56551af39969368396e27abe8)), to automate the attack. It basically sets the symlink to /dev/input/event0, starts beep, waits a bit, re-sets the symlink, waits a bit more and signals beep. ``` $ echo 'echo PWND $(whoami)' > /tmp/x $ ./exploit.py /etc/bash/bashrc # Or any shell script Backup made at '/etc/bash/bashrc.bak' Done! $ su PWND root ``` I saw alternatives using cron tasks instead. They look better, as they don't need that root logs in, but I didn't have the time to give them a chance. |
| id | SSV:97221 |
| last seen | 2018-06-08 |
| modified | 2018-04-16 |
| published | 2018-04-16 |
| reporter | Knownsec |
| title | Holey Beep: Linux 提权漏洞分析与利用(CVE-2018-0492) |
References
- https://lists.debian.org/debian-lts-announce/2018/04/msg00002.html
- https://lists.debian.org/debian-security-announce/2018/msg00089.html
- https://security.gentoo.org/glsa/201805-15
- https://security-tracker.debian.org/tracker/CVE-2018-0492
- https://www.debian.org/security/2018/dsa-4163
- https://www.exploit-db.com/exploits/44452/