CVE-2009-1894

Published: 17/07/2009 Updated: 13/02/2023
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 730
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.

Vulnerable Product

pulseaudio pulseaudio 0.9.10

pulseaudio pulseaudio 0.9.9

pulseaudio pulseaudio 0.9.14

Vendor Advisories

Debian Bug report logs - #537351: pulsaudio: CVE-2009-1894 race allows privilege escalation to root. Package: pulseaudio; Maintainer for pulseaudio is Pulseaudio maintenance team <pkg-pulseaudio-devel@lists.alioth.debian.org>; Source for pulseaudio is src:pulseaudio. Reported by: Nico Golde <nion@debian ...
Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that PulseAudio did not safely re-execute itself. A local attacker could exploit this to gain root privileges ...

Exploits

PulseAudio setuid Local Privilege Escalation Vulnerability. www.securityfocus.com/bid/35721. Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and Yorick Koster -- Put files in /tmp/pulseaudio-exp (or change config.h). Must be on same fs as the pulseaudio binary. Goes faster if you already have a pulseaudio running ? :p Tested wi ...
#!/bin/bash
pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`
trap cleanup INT
function cleanup() {
  rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c
  rm -rf $workdir/PATMP*
}
cat > $workdir/pa_race.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include < ...
The GNU C library dynamic linker suffers from an $ORIGIN expansion vulnerability ...