~kennylevinsen/seatd-announce

1

[SECURITY ADVISORY] seatd-launch: remove files with escalated privileges with SUID

Kenny Levinsen <kl@kl.wtf>
Details
Message ID
<ETEO7R.QG8B1KGD531R1@kl.wtf>
DKIM signature
missing
Download raw message
2 years ago 
seatd-launch: remove files with escalated privileges with SUID
==============================================================

This security advisory describes a vulnerability in seatd-launch 
shipped as part of seatd release 0.6.0, 0.6.1, 0.6.2 and 0.6.3. The 
vulnerability was fixed in seatd release 0.6.4.

VULNERABILITY
-------------

seatd-launch could use a user-specified socket path instead of the 
internally generated socket path, and would unlink the socket path 
before use to guard against collision with leftover sockets. This meant 
that a caller could freely control what file path would be unlinked and 
replaced with a user-owned seatd socket for the duration of the session.

If seatd-launch had the SUID bit set, this could be used by a malicious 
user to remove files with the privileges of the owner of seatd-launch, 
which is likely root, and replace it with a user-owned domain socket.

This does not directly allow retrieving the contents of existing files, 
and the user-owned socket file is at the current time not believed to 
be directly useful for further exploitation.

INFO
----

The vulnerability was first introduced in 48727a0b6bc2 when 
implementing command line argument support in seatd-launch.

To be vulnerable, the seatd-launch executable must be installed with 
the SUID bit set. The SUID bit is not set by the build system 
installation process, and must be done by either the package maintainer 
or user.

seatd and libseat are not affected by this vulnerability.

A CVE ID has been requested and will follow when issued.

AFFECTED VERSIONS
-----------------

    Affected: 0.6.0, 0.6.1, 0.6.2, 0.6.3
    Not affected: >= 0.6.4

seatd-launch did not exist prior to 0.6.0.

MITIGATION
----------

seatd 0.6.4 contains a security fix that addresses the vulnerability by 
removing support for user-specified socket paths from seatd-launch.

RECOMMENDATIONS
---------------

    A - Upgrade to version 0.6.4

    B - Remove seatd-launch if installed with the SUID bit set

TIMELINE
--------

    2022-02-21: The vulnerability is discovered by the project authors
    2022-02-21: A fix is released and a security advisory is posted
Kenny Levinsen <kl@kl.wtf>
Details
Message ID
<X69P7R.AHDZGOK6PHKK2@kl.wtf>
In-Reply-To
<ETEO7R.QG8B1KGD531R1@kl.wtf> (view parent)
DKIM signature
missing
Download raw message
2 years ago 
The vulnerability has been assigned CVE-2022-25643.

The CVE data is expected to become public shortly.
Reply to thread Export thread (mbox)