漏洞信息详情
PulseAudio setuid本地权限提升漏洞
- CNNVD编号:CNNVD-200907-280
- 危害等级: 中危
- CVE编号: CVE-2009-1894
- 漏洞类型: 竞争条件
- 发布时间: 2009-07-17
- 威胁类型: 本地
- 更新时间: 2009-08-12
- 厂 商: pulseaudio
- 漏洞来源: Tavis Ormandy tavi...
漏洞简介
PulseAudio是POSIX和Win32系统上所使用的声音服务器 。
在Linux系统上启用PulseAudio二进制程序后,PulseAudio会检查是否设置了LD_BIND_NOW环境变量,如果没有设置PulseAudio会设置这个变量并自行重载。PulseAudio通过查看/proc/self/exe符号链接来判断其路径名,这个符号链接指向当前进程的完整路径名。
PulseAudio的重载机制中存在竞争条件。攻击者可以通过创建指向PulseAudio二进制程序的硬链接来利用这个漏洞,之后在通过硬链接执行这个二进制程序的时候/proc/sef/exe会指向硬链接。在重启PulseAudio之前,攻击者可以用不同的文件或链接来替换硬链接,重启后PulseAudio就使用指向不同文件(如命令shell)的路径名。由于在重启的时候没有丢弃root用户权限,因此本地攻击者可以获得root用户权限 。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
MandrakeSoft Linux Mandrake 2008.1 x86_64
Mandriva lib64pulseaudio-devel-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva lib64pulseaudio0-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva lib64pulsecore5-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva lib64pulseglib20-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva lib64pulsezeroconf0-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-esound-compat-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-bluetooth-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-gconf-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-jack-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-lirc-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-x11-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-zeroconf-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-utils-0.9.9-7.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2008.1
Mandriva libpulseaudio-devel-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva libpulseaudio0-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva libpulsecore5-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva libpulseglib20-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva libpulsezeroconf0-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-esound-compat-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-bluetooth-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-gconf-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-jack-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-lirc-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-x11-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-module-zeroconf-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Mandriva pulseaudio-utils-0.9.9-7.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Debian Linux 5.0 ia-64
Debian libpulse-browse0-dbg_0.9.10-3+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-bro wse0-dbg_0.9.10-3+lenny1_ia64.deb
Debian libpulse-browse0_0.9.10-3+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-bro wse0_0.9.10-3+lenny1_ia64.deb
Debian libpulse-dev_0.9.10-3+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-dev _0.9.10-3+lenny1_ia64.deb
Debian libpulse-mainloop-glib0-dbg_0.9.10-3+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mai nloop-glib0-dbg_0.9.10-3+lenny1_ia64.deb
Debian libpulse-mainloop-glib0_0.9.10-3+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mai nloop-glib0_0.9.10-3+lenny1_ia64.deb
Debian libpulse0-dbg_0.9.10-3+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0-db g_0.9.10-3+lenny1_ia64.deb
Debian libpulse0_0.9.10-3+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0_0. 9.10-3+lenny1_ia64.deb
Debian libpulsecore5-dbg_0.9.10-3+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore 5-dbg_0.9.10-3+lenny1_ia6
参考网址
来源: bugzilla.redhat.com
链接:https://bugzilla.redhat.com/show_bug.cgi?id=510071
来源: BID
名称: 35721
链接:http://www.securityfocus.com/bid/35721
来源: admin.fedoraproject.org
链接:https://admin.fedoraproject.org/updates/pulseaudio-0.9.10-1.el5.2
来源: XF
名称: pulseaudio-suid-privilege-escalation(51804)
链接:http://xforce.iss.net/xforce/xfdb/51804
来源: UBUNTU
名称: USN-804-1
链接:http://www.ubuntu.com/usn/usn-804-1
来源: BUGTRAQ
名称: 20090717 PulseAudio local race condition privilege escalation vulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/505052/100/0/threaded
来源: MANDRIVA
名称: MDVSA-2009:171
链接:http://www.mandriva.com/security/advisories?name=MDVSA-2009:171
来源: MANDRIVA
名称: MDVSA-2009:152
链接:http://www.mandriva.com/security/advisories?name=MDVSA-2009:152
来源: DEBIAN
名称: DSA-1838
链接:http://www.debian.org/security/2009/dsa-1838
来源: MISC
链接:http://www.akitasecurity.nl/advisory.php?id=AK20090602
来源: MISC
链接:http://taviso.decsystem.org/research.HTML
来源: GENTOO
名称: GLSA-200907-13
链接:http://security.gentoo.org/glsa/glsa-200907-13.xml
来源: SECUNIA
名称: 35896
链接:http://secunia.com/advisories/35896
来源: SECUNIA
名称: 35886
链接:http://secunia.com/advisories/35886
来源: SECUNIA
名称: 35868
链接:http://secunia.com/advisories/35868
来源: MISC
链接:http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.HTML
受影响实体
- Pulseaudio Pulseaudio:0.9.14
- Pulseaudio Pulseaudio:0.9.10
- Pulseaudio Pulseaudio:0.9.9
补丁
暂无
![weinxin](http://zone.ci/zone_ci_images/zone.ci.png)
评论