FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

seatd-launch -- remove files with escalated privileges with SUID

Affected packages
0.6.0 <= seatd < 0.6.4


VuXML ID 1cd565da-455e-41b7-a5b9-86ad8e81e33e
Discovery 2022-02-21
Entry 2022-02-21
Modified 2022-02-22

Kenny Levinsen reports:

seatd-launch could use a user-specified socket path instead of the internally generated socket path, and would unlink the socket path before use to guard against collision with leftover sockets. This meant that a caller could freely control what file path would be unlinked and replaced with a user-owned seatd socket for the duration of the session.

If seatd-launch had the SUID bit set, this could be used by a malicious user to remove files with the privileges of the owner of seatd-launch, which is likely root, and replace it with a user-owned domain socket.

This does not directly allow retrieving the contents of existing files, and the user-owned socket file is at the current time not believed to be directly useful for further exploitation.


CVE Name CVE-2022-25643