xorl %eax, %eax

CVE-2009-1894: Pulseaudio Race Condition

with one comment

This is kind of funny. This bug was independently found by at least four different people (at least which I am aware of). Nevertheless, Tavis Ormandy and Julien Tinnes disclosed this on 16 July 2009. Pulseaudio is installed as a SUID root application and a quick look at src/daemon/main.c reveals a nice little bug…

int main(int argc, char *argv[]) {
      ...
#if defined(__linux__) && defined(__OPTIMIZE__)
    /*
       Disable lazy relocations to make usage of external libraries
       more deterministic for our RT threads. We abuse __OPTIMIZE__ as
       a check whether we are a debug build or not.
    */

    if (!getenv("LD_BIND_NOW")) {
        char *rp;

        /* We have to execute ourselves, because the libc caches the
         * value of $LD_BIND_NOW on initialization. */

        putenv(pa_xstrdup("LD_BIND_NOW=1"));
        pa_assert_se(rp = pa_readlink("/proc/self/exe"));
        pa_assert_se(execv(rp, argv) == 0);
    }
#endif

As you can see, when used in Linux it will check LD_BIND_NOW environment variable and if it’s not set it will reload its self by retrieving the pathname of /proc/self/exe using pa_readlink() and then invoking execv() on that file. However, a user can easily create a hardlink of /usr/bin/pulseaudio and consequently completely control pathname which is executed in execv() call.
Further ideas regarding its exploitation can also be read from J. Tinnes’ blog post.

Written by xorl

July 17, 2009 at 00:30

Posted in bugs, linux

One Response

Subscribe to comments with RSS.

  1. As a cute little extra, as already hinted at by Tinnes, using the approach outlined on http://dividead.wordpress.com/2009/07/21/blocking-between-execution-and-main/ should create a perfectly reliable exploit blocking nicely in the race-window.

    dividead

    July 21, 2009 at 16:14


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s