ID CVE-2006-2916
Summary artswrapper in aRts, when running setuid root on Linux 2.6.0 or later versions, does not check the return value of the setuid function call, which allows local users to gain root privileges by causing setuid to fail, which prevents artsd from dropping privileges.
References
Vulnerable Configurations
  • cpe:2.3:a:kde:arts:1.0
    cpe:2.3:a:kde:arts:1.0
  • cpe:2.3:a:kde:arts:1.2
    cpe:2.3:a:kde:arts:1.2
CVSS
Base: 6.0 (as of 15-06-2006 - 10:16)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL HIGH SINGLE_INSTANCE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_11075.NASL
    description The KDE soundserver aRts lacked checks around some setuid() calls. This could be used by a local attacker to gain root privileges. (CVE-2006-2916)
    last seen 2018-11-17
    modified 2018-11-15
    plugin id 41092
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41092
    title SuSE9 Security Update : arts (YOU Patch Number 11075)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200704-22.NASL
    description The remote host is affected by the vulnerability described in GLSA-200704-22 (BEAST: Denial of Service) BEAST, which is installed as setuid root, fails to properly check whether it can drop privileges accordingly if seteuid() fails due to a user exceeding assigned resource limits. Impact : A local user could exceed his resource limit in order to prevent the seteuid() call from succeeding. This may lead BEAST to keep running with root privileges. Then, the local user could use the 'save as' dialog box to overwrite any file on the vulnerable system, potentially leading to a Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 25110
    published 2007-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25110
    title GLSA-200704-22 : BEAST: Denial of Service
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-178-03.NASL
    description New aRts packages are available for Slackware 10.0, 10.1, 10.2, and -current to fix a possible security issue with artswrapper. The artswrapper program and the artsd daemon can be used to gain root privileges if artswrapper is setuid root and the system is running a 2.6.x kernel. Note that artswrapper is not setuid root on Slackware by default. Some people have recommended setting it that way online though, so it's at least worth warning about. It's far safer to just add users to the audio group. The official KDE security advisory may be found here: http://www.kde.org/info/security/advisory-20060614-2.txt
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 21767
    published 2006-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21767
    title Slackware 10.0 / 10.1 / 10.2 / current : arts (SSA:2006-178-03)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_ARTS-1670.NASL
    description The KDE soundserver aRts lacked checks around some setuid() calls. This could potentially be used by a local attacker to gain root privileges. (CVE-2006-2916)
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27154
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27154
    title openSUSE 10 Security Update : arts (arts-1670)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-107.NASL
    description A vulnerability in the artswrapper program, when installed setuid root, could enable a local user to elevate their privileges to that of root. By default, Mandriva Linux does not ship artswrapper setuid root, however if a user or system administrator enables the setuid bit on artswrapper, their system could be at risk, The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21751
    published 2006-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21751
    title Mandrake Linux Security Advisory : arts (MDKSA-2006:107)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200606-22.NASL
    description The remote host is affected by the vulnerability described in GLSA-200606-22 (aRts: Privilege escalation) artswrapper fails to properly check whether it can drop privileges accordingly if setuid() fails due to a user exceeding assigned resource limits. Impact : Local attackers could exploit this vulnerability to execute arbitrary code with elevated privileges. Note that the aRts package provided by Gentoo is only vulnerable if the artswrappersuid USE-flag is enabled. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 21742
    published 2006-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21742
    title GLSA-200606-22 : aRts: Privilege escalation
refmap via4
bid
  • 18429
  • 23697
bugtraq 20060615 rPSA-2006-0105-1 arts
confirm
gentoo
  • GLSA-200606-22
  • GLSA-200704-22
mandriva MDKSA-2006:107
mlist [beast] 20061228 ANNOUNCE: BEAST/BSE v0.7.1
osvdb 26506
sectrack 1016298
secunia
  • 20677
  • 20786
  • 20827
  • 20868
  • 20899
  • 25032
  • 25059
slackware SSA:2006-178-03
suse SUSE-SR:2006:015
vupen
  • ADV-2006-2357
  • ADV-2007-0409
xf arts-artwrapper-privilege-escalation(27221)
statements via4
contributor Mark J Cox
lastmodified 2006-08-16
organization Red Hat
statement Not vulnerable. We do not ship aRts as setuid root on Red Hat Enterprise Linux 2.1, 3, or 4.
Last major update 07-03-2011 - 21:37
Published 15-06-2006 - 06:02
Last modified 18-10-2018 - 12:43
Back to Top