FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

seatd-launch -- privilege escalation with SUID

Affected packages
0.6.0 <= seatd < 0.6.2

Details

VuXML ID 49c35943-0eeb-421c-af4f-78e04582e5fb
Discovery 2021-09-15
Entry 2021-09-16
Modified 2021-09-18

Kenny Levinsen reports:

seatd-launch used execlp, which reads the PATH environment variable to search for the requested executable, to execute seatd. This meant that the caller could freely control what executable was loaded by adding a user-writable directory to PATH.

If seatd-launch had the SUID bit set, this could be used by a malicious user with the ability to execute seatd-launch to mount a privilege escalation attack to the owner of seatd-launch, which is likely root.

References

CVE Name CVE-2021-41387
URL https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CGJ2IZQ.HCKS1J0LSI803%40kl.wtf%3E