seatd-launch: privilege escalation with SUID
============================================

This security advisory describes a vulnerability in seatd-launch shipped as part of seatd releases 0.6.0 and 0.6.1. The vulnerability was fixed in seatd release 0.6.2.

VULNERABILITY
-------------

seatd-launch used execlp, which reads the PATH environment variable to search for the requested executable, to execute seatd. This meant that the caller could freely control which executable was loaded by adding a user-writable directory to PATH.

If seatd-launch had the SUID bit set, a malicious user with the ability to execute seatd-launch could use this to escalate privileges to the owner of seatd-launch, which is likely root.

INFO
----

The vulnerability was first introduced in commit 1e98727ae9df when implementing the seatd-launch executable.

To be vulnerable, the seatd-launch executable must be installed with the SUID bit set. The SUID bit is not set by the build system's installation process; it must be set by either the package maintainer or the user.

seatd and libseat are not affected by this vulnerability.

AFFECTED VERSIONS
-----------------

Affected: 0.6.0 and 0.6.1
Not affected: >= 0.6.2

seatd-launch did not exist prior to 0.6.0.

MITIGATION
----------

seatd 0.6.2 contains a security fix that addresses the vulnerability by hardcoding an absolute path to seatd at compile-time, replacing execlp with execve. This also avoids environment inheritance as a preventive measure.

RECOMMENDATIONS
---------------

A - Upgrade to version 0.6.2
B - Remove seatd-launch if installed with the SUID bit set

TIMELINE
--------

2021-09-15: The vulnerability is discovered by the project authors
2021-09-16: A fix is released and a security advisory is posted
2021-09-16: This less ugly advisory without messed up hardwrapping is posted
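The mitigation section describes two changes: a compile-time absolute path passed to execve instead of a PATH lookup through execlp, and no inheritance of the caller's environment. The C below is an added illustration of that pattern written for this advisory; it is not seatd's own code. The SEATD_PATH macro value, the launch_* and launcher_* function names, and the list of environment variables kept for the child (SEATD_SOCK, XDG_RUNTIME_DIR) are assumptions chosen for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed compile-time install path; the real value depends on the build.
 * The 0.6.2 fix replaced a PATH lookup with an absolute path like this. */
#ifndef SEATD_PATH
#define SEATD_PATH "/usr/bin/seatd"
#endif

/* A SUID launcher must only exec an absolute path: anything else is resolved
 * through PATH or the current directory, both of which the caller controls. */
int launcher_path_is_absolute(const char *path)
{
    return path != NULL && path[0] == '/';
}

/* Vulnerable pattern from the advisory: execlp() walks the caller's PATH,
 * so a user-writable directory placed first in PATH decides what runs.
 * Kept only for contrast; main() does not call it. */
int launch_via_path(void)
{
    execlp("seatd", "seatd", (char *)NULL);
    return -1; /* only reached if the exec failed */
}

/* Build a minimal child environment instead of inheriting the caller's.
 * Only variables named in `keep` are copied from `src`; everything else
 * (PATH, LD_PRELOAD, ...) is dropped. Returns the number of entries written,
 * or -1 if `out` is too small (one slot is reserved for the NULL terminator). */
int launcher_filter_env(char *const src[], const char *const keep[],
                        char **out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; src[i] != NULL; i++) {
        const char *eq = strchr(src[i], '=');
        if (eq == NULL)
            continue; /* malformed entry without '=': drop it */
        size_t name_len = (size_t)(eq - src[i]);
        for (size_t k = 0; keep[k] != NULL; k++) {
            if (strlen(keep[k]) == name_len &&
                strncmp(keep[k], src[i], name_len) == 0) {
                if (n + 1 >= out_cap)
                    return -1;
                out[n++] = src[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Hardened pattern: absolute path, explicit filtered environment, execve().
 * Returns -1 with errno set if the path is rejected or the exec fails. */
int launch_hardened(const char *seatd_path, char *const argv[],
                    char *const envp[])
{
    if (!launcher_path_is_absolute(seatd_path)) {
        errno = EINVAL;
        return -1;
    }
    execve(seatd_path, argv, envp);
    return -1; /* execve only returns on failure */
}

int main(void)
{
    extern char **environ;
    /* Assumed allow-list; a real launcher keeps only what seatd needs. */
    static const char *const keep[] = { "SEATD_SOCK", "XDG_RUNTIME_DIR", NULL };
    char *envp[16];
    if (launcher_filter_env(environ, keep, envp, 16) < 0) {
        fprintf(stderr, "too many environment entries to keep\n");
        return 1;
    }
    char *const argv[] = { "seatd", NULL };
    launch_hardened(SEATD_PATH, argv, envp);
    perror("execve"); /* reached only if the exec failed */
    return 1;
}
```

The two properties to check when auditing any SUID launcher are visible here: the exec target never depends on PATH, and the child's environment is an explicit allow-list rather than whatever the caller supplied.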
This vulnerability has been assigned CVE-2021-41387.
On Friday, September 17th, 2021 at 23:15, Simon Ser <email@example.com> wrote:

> This vulnerability has been assigned CVE-2021-41387.

The CVE has been populated and is now published: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41387