GNOME esound Unix Domain Socket Race Condition Vulnerability
BID:1659
Info
| Bugtraq ID: | 1659 |
| Class: | Race Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Aug 31 2000 12:00AM |
| Updated: | Aug 31 2000 12:00AM |
| Credit: | This vulnerability was disclosed in a FreeBSD Security Advisory dated August 31, 2000. |
| Vulnerable: | GNOME esound 0.2.19 |
| Not Vulnerable: | |
Discussion
EsounD (esd), part of the GNOME desktop environment, is a server process that lets several applications share the same sound hardware.
Versions of esound up to and including 0.2.19 create a world-writable directory, /tmp/.esd, in which the server also stores the Unix domain socket it listens on.
The socket itself is also created world-writable. A race condition exists between the creation of the socket and the subsequent change of its permissions: if an attacker places a symbolic link at the socket's path in the world-writable /tmp/.esd directory at the right moment, the permission change follows the link and the file it points to is made world-writable instead. The target file must be owned by the user running EsounD, since that user's credentials are used for the permission change. The likely cause is that the socket's mode is set by path after the address is bound to the socket, without checking return values or guarding against the path having been replaced in between, but this and the exact technical details are unconfirmed.
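The following is an added example, not esound's own code or the exploit referenced on this page. It reproduces the bind()-then-chmod() symlink race described above deterministically, by giving the "attacker" a hook that runs inside the race window, and places a hardened variant beside it. The scratch directory, the victim file and the hook are constructed for the demonstration; in the real bug the attacker is a different local user writing into the world-writable /tmp/.esd, whereas here the same process plays both roles. The hardened variant relies on two things the vulnerable one lacks: the socket's final mode is fixed with umask() so bind() creates the node with that mode in a single step, and the node is checked afterwards with lstat(), which does not follow symlinks, so the server refuses to run on a path that has been tampered with. It still assumes the socket lives in a directory that other users cannot write to; a private directory is what stops an attacker from unlinking or replacing the socket in the first place.

```c
// Added example (not esound's code): bind()-then-chmod() symlink race and a
// hardened alternative that fixes the mode atomically and never chmods by path.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical hook type: simulates what another process does while the server
 * sits between two system calls. Only exists to make the race reproducible. */
typedef void (*race_hook_t)(const char *sock_path, void *ctx);

static int fill_addr(struct sockaddr_un *sa, const char *path) {
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa->sun_path) return -1;
    strcpy(sa->sun_path, path);
    return 0;
}

/* Vulnerable pattern: bind() creates the socket node, then chmod(path) opens it
 * up. chmod() follows symlinks, so whatever replaces the node between the two
 * calls (simulated by `hook`) has its mode changed instead of the socket. */
int bind_then_chmod(const char *sock_path, race_hook_t hook, void *ctx) {
    struct sockaddr_un sa;
    if (fill_addr(&sa, sock_path) < 0) return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    if (hook) hook(sock_path, ctx);          /* the race window */
    int rc = chmod(sock_path, 0777);         /* follows the attacker's symlink */
    close(fd);
    return rc;
}

/* Hardened pattern: umask() makes bind() create the node with its final mode in
 * one step; lstat() (no symlink following) then confirms that the node on disk
 * is our own socket. There is no chmod by path at all. */
int bind_with_umask(const char *sock_path, mode_t mode, race_hook_t hook, void *ctx) {
    struct sockaddr_un sa;
    if (fill_addr(&sa, sock_path) < 0) return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    mode_t old = umask(~mode & 0777);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    umask(old);
    if (rc < 0) { close(fd); return -1; }
    if (hook) hook(sock_path, ctx);          /* same window, now harmless */
    struct stat st;
    if (lstat(sock_path, &st) < 0 || !S_ISSOCK(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;                           /* tampered with: refuse to serve */
    }
    close(fd);
    return 0;
}

/* Attacker's move during the window: swap the socket node for a symlink to a
 * file the victim owns (ctx is that file's path). */
static void attacker_swap_symlink(const char *sock_path, void *ctx) {
    unlink(sock_path);
    symlink((const char *)ctx, sock_path);
}

/* Permission bits of `path` via lstat(), or (mode_t)-1 if it cannot be stat'ed. */
mode_t perm_bits(const char *path) {
    struct stat st;
    if (lstat(path, &st) < 0) return (mode_t)-1;
    return st.st_mode & 0777;
}

/* Runs one scenario in a private scratch directory and returns the victim
 * file's mode afterwards (-1 on setup failure). `hardened` picks the pattern. */
int run_scenario(int hardened) {
    char dir[] = "/tmp/esdrace.XXXXXX";      /* constructed scratch directory */
    if (!mkdtemp(dir)) return -1;
    char victim[128], sock[128];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(sock, sizeof sock, "%s/socket", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600); /* private file */
    if (vfd < 0) return -1;
    close(vfd);
    if (hardened)
        bind_with_umask(sock, 0777, attacker_swap_symlink, victim);
    else
        bind_then_chmod(sock, attacker_swap_symlink, victim);
    int result = (int)perm_bits(victim);
    unlink(sock); unlink(victim); rmdir(dir);
    return result;
}

int main(void) {
    printf("vulnerable: victim mode after race = %04o\n", run_scenario(0));
    printf("hardened:   victim mode after race = %04o\n", run_scenario(1));
    return 0;
}
```

Running it shows the private 0600 file turned into 0777 by the vulnerable path and left untouched by the hardened one. The umask trick works because the permission bits of a socket node are applied at creation; a later fchmod() on the socket descriptor would not change the filesystem node, which is why code of this era reached for chmod(path) and walked into the race.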
Exploit / POC
Kris Kennaway <[email protected]> has provided the following exploit: http://www.securityfocus.com/data/vulnerabilities/exploits/esd2.c
Solution / Fix
Solution:
Fixes have been made available for the FreeBSD port of esound and for the Red Hat, Immunix and SuSE packages listed below. Note that several of the fixed packages (the FreeBSD packages and the SuSE RPMs) keep a vulnerable upstream version number such as 0.2.19; the fix is carried in the package patches, so check the package release, not the upstream version string, when verifying that a system is patched.
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/esound-0.2.19.tgz
Red Hat Linux 6.x:
alpha:
ftp://updates.redhat.com/6.2/alpha/esound-0.2.20-0.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/esound-devel-0.2.20-0.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/esound-0.2.20-0.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/esound-devel-0.2.20-0.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/esound-0.2.20-0.i386.rpm
ftp://updates.redhat.com/6.2/i386/esound-devel-0.2.20-0.i386.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/esound-0.2.20-0.src.rpm
Red Hat Linux 7.0:
i386:
ftp://updates.redhat.com/7.0/i386/esound-0.2.20-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/esound-devel-0.2.20-1.i386.rpm
sources:
ftp://updates.redhat.com/7.0/SRPMS/esound-0.2.20-1.src.rpm
Immunix OS 6.2 Updates:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/esound-0.2.20-0_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/esound-devel-0.2.20-0_StackGuard.i386.rpm
SuSE Updates (each package URL is followed by its MD5 checksum):
i386 Intel Platform:
SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/snd1/esound-0.2.19-15.i386.rpm
9d8addaa5ba29554a727eb34ae5189f4
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/esound-0.2.19-15.src.rpm
a9724b99a96430b1b7c1f741a8e8d528
SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/snd1/esound-0.2.16-75.i386.rpm
6f32f0867d1597a5129d0516438d9cca
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/esound-0.2.16-75.src.rpm
94ca6842981f7a501300d9edfc5cbf73
SuSE-6.3
ftp://ftp.suse.com/pub/suse/i386/update/6.3/snd1/esound-0.2.15-21.i386.rpm
16a5804a2f27e62d73df40d206b047ca
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/esound-0.2.15-21.src.rpm
c86689fd5d9f719135e1263dd5a38832
Sparc Platform:
SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/snd1/esound-0.2.19-15.sparc.rpm
112648ef64c351952f832b180fcca23c
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/esound-0.2.19-15.src.rpm
a0bb3e3517ca83c13abd6827a8d2295e
AXP Alpha Platform:
SuSE-6.4
ftp://ftp.suse.com/pub/suse/axp/update/6.4/snd1/esound-0.2.16-75.alpha.rpm
d2efefb21a6424a81e63788d972db49d
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/esound-0.2.16-75.src.rpm
a69ebae320c6f118f4b9e07f2a9af4d2
SuSE-6.3
ftp://ftp.suse.com/pub/suse/axp/update/6.3/snd1/esound-0.2.15-21.alpha.rpm
19942e308eda0c0d505bb64da734ad8d
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/esound-0.2.15-21.src.rpm
6f337d6864111d27fa93ef2bc3cb7b5a
PPC Power PC Platform:
SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/snd1/esound-0.2.19-16.ppc.rpm
be6daabfee0e7e629b848814be81d9d0
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/esound-0.2.19-16.src.rpm
c77475b2c8fff104f8662bb9179efb64
SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/snd1/esound-0.2.16-75.ppc.rpm
f0e1aa54c3fdf7c6c02b34bedc51ee0f
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/esound-0.2.16-75.src.rpm
9acd25b5521201386bb73bc707382646