Holey Beep

A vulnerability in the "beep" package that comes pre-installed with Debian and Ubuntu distros allows an attacker to probe for the presence of files on a computer, even those owned by root users, which are supposed to be secret and inaccessible.

The vulnerability, tracked as CVE-2018-0492, has been fixed in recent versions of Debian and Ubuntu (a Debian-based OS).

Bug can't be used to hack into secure systems

At its core, the bug is a race condition in beep, the utility that allows the OS to emit a "beep" sound whenever it is deemed necessary.

Security researchers have discovered a race condition in the beep package that allows an attacker to elevate his code to root-level access.

The vulnerability does not allow someone to remotely hack into Linux systems, but it is an elevation of privilege (EoP) vulnerability that gives an attacker full access to a system, helping transform a compromised user account into a serious intrusion with serious repercussions.

Bug allows EoP, reconnaissance, attack launching

Richard Kettlewell of Terraraq says an attacker could use the beep CVE-2018-0492 vulnerability to "open arbitrary files for write as root, bypassing file permissions," "reveal whether any file exists, even if the file's existence would normally be secret from the calling user," or "reveal information about the file type, even if that would normally be secret from the calling user."

Furthermore, if the attacker probes for specific files, and probing those files produces additional actions, beep can also be used as a launching platform for other commands.

Proof-of-concept code to exploit the vulnerability has been published online. In the meantime, a dedicated website has also popped up, aggregating info about the bug, now nicknamed "Holey Beep."

The beep package that now ships with Debian and Ubuntu has received fixes, but the original beep repository did not, as this looks to be an abandoned project without any activity in the past few years. All beep versions up to and including beep 1.3.4 are considered vulnerable.

Sebastian Krahmer pointed out the beep fixes are "still wrong," but the Debian and Ubuntu security teams have not provided commentary on his assessment just yet.
