GNOME esound Unix域套接字产物竞态条件漏洞

GNOME esound Unix域套接字产物竞态条件漏洞

漏洞ID 1105980 漏洞类型 竞争条件
发布时间 2000-08-31 更新时间 2005-05-02
图片[1]-GNOME esound Unix域套接字产物竞态条件漏洞-安全小百科CVE编号 CVE-2000-0864
图片[2]-GNOME esound Unix域套接字产物竞态条件漏洞-安全小百科CNNVD-ID CNNVD-200011-038
漏洞平台 Unix CVSS评分 6.2
|漏洞来源
https://www.exploit-db.com/exploits/20212
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200011-038
|漏洞详情
GNOMEesound0.2.19及其早期版本中Unix域套接字的产物存在竞态条件漏洞。本地用户借助符号链接攻击改变任意文件和目录的权限,且获取额外的特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/1659/info

EsounD, part of the GNOME desktop environment, is a server process allowing several applications to share the same sound hardware.

Versions of esound up to and including 0.2.19 create a world-writable directory (/tmp/.esd) which is also used to store a domain socket used by esound. 

The unix domain socket is also created world-writeable. A race condition exists when this socket is created such that if an attacker creates a symbolic link in the world-writeable /tmp/.esd directory at the right time, the file pointed to by it will be changed to a world-writeable mode. The target file, of course, would have to be owned by the user running ESound. This vulnerability may have to do with a lack of checking return values when binding the address structure to the domain socket before setting permissions on the file, but this is uncomfirmed as are the exact technical details of this vulnerability.

Patches:

--- esd.h.orig  Thu Jun 29 23:12:53 2000
+++ esd.h       Thu Jun 29 23:12:41 2000
@@ -7,8 +7,15 @@
 #endif

 /* path and name of the default EsounD domain socket */
+#if 0
 #define ESD_UNIX_SOCKET_DIR    "/tmp/.esd"
 #define ESD_UNIX_SOCKET_NAME   ESD_UNIX_SOCKET_DIR ## "/" ## "socket"
+#else
+char *esd_unix_socket_dir(void);
+char *esd_unix_socket_name(void);
+#define ESD_UNIX_SOCKET_DIR    esd_unix_socket_dir()
+#define ESD_UNIX_SOCKET_NAME   esd_unix_socket_name()
+#endif
 
 /* length of the audio buffer size */
 #define ESD_BUF_SIZE (4 * 1024)
--- esd.c.orig  Tue Apr  4 11:20:08 2000
+++ esd.c       Thu Jun 29 23:34:18 2000
@@ -219,12 +219,12 @@
        {       
          mkdir(ESD_UNIX_SOCKET_DIR,
                S_IRUSR|S_IWUSR|S_IXUSR|
-               S_IRGRP|S_IWGRP|S_IXGRP|
-               S_IROTH|S_IWOTH|S_IXOTH);
+               S_IRGRP|S_IXGRP|
+               S_IROTH|S_IXOTH);
          chmod(ESD_UNIX_SOCKET_DIR,
                S_IRUSR|S_IWUSR|S_IXUSR|
-               S_IRGRP|S_IWGRP|S_IXGRP|
-               S_IROTH|S_IWOTH|S_IXOTH);
+               S_IRGRP|S_IXGRP|
+               S_IROTH|S_IXOTH);
        }
       if (access(ESD_UNIX_SOCKET_NAME, R_OK | W_OK) == -1)
        {
@@ -317,9 +317,9 @@
       /* let anyone access esd's socket - but we have authentication so they */
       /* wont get far if they dont have the auth key */
       chmod(ESD_UNIX_SOCKET_NAME, 
-           S_IRUSR|S_IWUSR|S_IXUSR|
-           S_IRGRP|S_IWGRP|S_IXGRP|
-           S_IROTH|S_IWOTH|S_IXOTH);
+           S_IRUSR|S_IWUSR|
+           S_IRGRP|
+           S_IROTH);
    }
     if (listen(socket_listen,16)<0)
     {

--- esdlib.c.orig       Thu Jun 29 23:31:04 2000
+++ esdlib.c    Thu Jun 29 23:31:21 2000
@@ -19,6 +19,8 @@
 #include <arpa/inet.h>
 #include <errno.h>
 #include <sys/wait.h>
+#include <pwd.h>
+#include <limits.h>
 
 #include <sys/un.h>
 
@@ -1421,4 +1423,34 @@
     */
 
     return close( esd );
+}
+
+char *
+esd_unix_socket_dir(void) {
+       static char *sockdir = NULL, sockdirbuf[PATH_MAX];
+       struct passwd *pw;
+
+       if (sockdir != NULL)
+               return (sockdir);
+       pw = getpwuid(getuid());
+       if (pw == NULL || pw->pw_dir == NULL) {
+               fprintf(stderr, "esd: could not find home directoryn");
+               exit(1);
+       }
+       snprintf(sockdirbuf, sizeof(sockdirbuf), "%s/.esd", pw->pw_dir);
+       endpwent();
+       sockdir = sockdirbuf;
+       return (sockdir);
+}
+
+char *
+esd_unix_socket_name(void) {
+       static char *sockname = NULL, socknamebuf[PATH_MAX];
+
+       if (sockname != NULL)
+               return (sockname);
+       snprintf(socknamebuf, sizeof(socknamebuf), "%s/socket",
+           esd_unix_socket_dir());
+       sockname = socknamebuf;
+       return (sockname);
 }

While we're there, the build process also uses an insecure tempfile on
non-FreeBSD platforms. Patch:

--- ltmain.sh.orig      Thu Jun 29 23:41:49 2000
+++ ltmain.sh   Thu Jun 29 23:45:36 2000
@@ -3227,7 +3227,7 @@
          outputname=
          if test "$fast_install" = no && test -n "$relink_command"; then
            if test "$finalize" = yes; then
-             outputname="/tmp/$$-$file"
+             outputname=$(mktemp "${TMPDIR:-/tmp}/$file.XXXXXX") || exit $?
              # Replace the output file specification.
              relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
|参考资料

来源:BID
名称:1659
链接:http://www.securityfocus.com/bid/1659
来源:REDHAT
名称:RHSA-2000:077
链接:http://www.redhat.com/support/errata/RHSA-2000-077.html
来源:SUSE
名称:20001012esounddaemonracecondition
链接:http://www.novell.com/linux/security/advisories/esound_daemon_race_condition.html
来源:DEBIAN
名称:20001008esound:racecondition
链接:http://www.debian.org/security/2000/20001008
来源:FREEBSD
名称:FreeBSD-SA-00:45
链接:http://archives.neohapsis.com/archives/freebsd/2000-08/0365.html
来源:BUGTRAQ
名称:20001006ImmunixOSSecurityUpdateforesound
链接:http://archives.neohapsis.com/archives/bugtraq/2000-10/0118.html
来源:BUGTRAQ
名称:20000911Patchforesound-0.2.19
链接:http://archives.neohapsis.com/archives/bugtraq/2000-09/0095.html

相关推荐: FreeBSD libedit “.editrc” from Current Directory Vulnerability

FreeBSD libedit “.editrc” from Current Directory Vulnerability 漏洞ID 1104021 漏洞类型 Origin Validation Error 发布时间 2000-07-05 更新时间 2000…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享