seatd-launch: privilege escalation with SUID
============================================

This security advisory describes a vulnerability in seatd-launch
shipped as part of seatd release 0.6.0 and 0.6.1. The vulnerability was
fixed in seatd release 0.6.2.

VULNERABILITY
-------------

seatd-launch used execlp, which reads the PATH environment variable to
search for the requested executable, to execute seatd. This meant that
the caller could freely control which executable was loaded by adding a
user-writable directory to PATH.

If seatd-launch had the SUID bit set, a malicious user with the ability
to execute seatd-launch could use this to escalate privileges to the
owner of seatd-launch, which is likely root.

INFO
----

The vulnerability was first introduced in commit 1e98727ae9df when
implementing the seatd-launch executable.

To be vulnerable, the seatd-launch executable must be installed with
the SUID bit set. The SUID bit is not set by the build system's
installation process, and must be set by either the package maintainer
or the user.

seatd and libseat are not affected by this vulnerability.

AFFECTED VERSIONS
-----------------

Affected: 0.6.0 and 0.6.1

Not affected: >= 0.6.2

seatd-launch did not exist prior to 0.6.0.

MITIGATION
----------

seatd 0.6.2 contains a security fix that addresses the vulnerability by
hardcoding an absolute path to seatd at compile time, replacing execlp
with execve. This also avoids environment inheritance as a preventive
measure.
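As an added illustration, not seatd's own code: a C helper that applies the same two changes the fix describes, executing a compile-time absolute path through execve() with a fixed environment instead of resolving a bare name through the caller's PATH. The names SEATD_PATH and run_fixed_path are hypothetical, and the placeholder path is an assumption.

```c
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical compile-time constant standing in for the absolute path
 * the real fix hardcodes; the value is a placeholder, not seatd's. */
#ifndef SEATD_PATH
#define SEATD_PATH "/usr/bin/seatd"
#endif

/* Run `path` with the given argv and a minimal, fixed environment, wait
 * for it, and return its exit status (-1 on refusal or failure).
 *
 * The vulnerable pattern this replaces resolved a bare name such as
 * "seatd" through PATH, so a caller who prepends a writable directory
 * to PATH chooses what a SUID launcher executes. An absolute path plus
 * execve() with our own envp removes both the PATH lookup and the
 * inheritance of the caller's environment. */
int run_fixed_path(const char *path, char *const argv[]) {
    /* Deliberately not the caller's environ: only what the child needs. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };

    /* Refuse anything that is not absolute: it would need a PATH search. */
    if (path == NULL || path[0] != '/') {
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127); /* exec failed: use the shell's "not found" status */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* How a launcher would use it: the path is fixed when the binary is
 * compiled, so nothing in the caller's environment can redirect it. */
int launch_fixed(char *const argv[]) {
    return run_fixed_path(SEATD_PATH, argv);
}
```

The test below uses /bin/sh in place of seatd purely so the helper can be exercised on any POSIX system.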

RECOMMENDATIONS
---------------

A - Upgrade to version 0.6.2

B - Remove seatd-launch if installed with the SUID bit set

TIMELINE
--------

2021-09-15: The vulnerability is discovered by the project authors

2021-09-16: A fix is released and a security advisory is posted

2021-09-16: This less ugly advisory without messed-up hardwrapping is posted