Sounds painful: Audio code bug lets users, apps get root on Linux

An advisory from Cisco issued last Friday, October 13th gave us the heads-up on a local privilege escalation vulnerability in the Advanced Linux Sound Architecture (ALSA).

The bug is designated CVE-2017-15265, but its Mitre entry was still marked “reserved” at the time of writing. Cisco, however, had this to say about it before release:

“The vulnerability is due to a use-after-free memory error in the ALSA sequencer interface of the affected application. An attacker could exploit this vulnerability by running a crafted application on a targeted system. A successful exploit could allow the attacker to gain elevated privileges on the targeted system.”

The bug can be potentially exploited by malicious software running on a vulnerable box, or logged-in users, to gain root-level control of the system. A patch for the programming blunder was publicly merged earlier this month into the ALSA git tree, according to this discussion at SUSE's Bugzilla.

Turned up by ADLab of Venustech, the use-after-free vulnerability is triggered by a slip-up in snd_seq_create_port().

That routine “creates a port object and returns its pointer, but it doesn't take the refcount, thus it can be deleted immediately by another thread. Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free”.

While it's only exploitable locally, the privilege escalation is what earned the bug a “high” severity rating, and of course everybody using a downstream distribution that embeds the vulnerable ALSA will have to push patches. ®