openSUSE Tumbleweed usbmuxd Path Traversal Vulnerability Allowing Local Privilege Escalation

Vulnerability

A path traversal vulnerability has been identified in usbmuxd, a socket daemon that multiplexes connections to and from iOS devices. This vulnerability allows unprivileged local users to escalate privileges to the service user by sending a crafted 'SavePairRecord' message through the daemon's world-writable UNIX socket. The issue affects usbmuxd versions prior to the commit 3ded00c9985a5108cfc7591a309f9a23d57a8cba.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing local users to execute actions with elevated rights as the usbmux user.

Reproduction

The vulnerability can be reproduced by sending a specially crafted 'SavePairRecord' message to the usbmuxd daemon's UNIX socket at '/var/run/usbmuxd'. The message carries a relative path in the 'PairRecordID' field, which the daemon does not validate before using it as a file name. On receipt, usbmuxd creates or overwrites a file named '../foobar.plist' relative to its configuration directory, so the caller can manipulate files as the usbmux service user. If the timing is right, it may also be possible to overwrite files with other extensions, not just '.plist' files.
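The root cause described above is a file-name component taken from an untrusted message without validation. The following C snippet is an added example of the kind of check a daemon should apply before building a path from such a field; it is not usbmuxd's code or the upstream fix, and the function names, the configuration directory '/example/config' and the sample identifiers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator (added example, not usbmuxd's own code).
 * An identifier that will be embedded in a file name must be exactly one
 * path component: non-empty, containing no '/' or '\\', and not the
 * special entries "." or "..". Returns 1 if safe, 0 otherwise. */
int pair_record_id_is_safe(const char *id)
{
    if (id == NULL || id[0] == '\0')
        return 0;
    if (strchr(id, '/') != NULL || strchr(id, '\\') != NULL)
        return 0;
    if (strcmp(id, ".") == 0 || strcmp(id, "..") == 0)
        return 0;
    return 1;
}

/* Build "<config_dir>/<id>.plist" into out, but only when the id passes
 * the check above, so the result can never leave config_dir.
 * Returns 0 on success, -1 if the id is rejected or the buffer is too small. */
int build_pair_record_path(const char *config_dir, const char *id,
                           char *out, size_t outlen)
{
    if (!pair_record_id_is_safe(id))
        return -1;
    int n = snprintf(out, outlen, "%s/%s.plist", config_dir, id);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed identifier and a traversal attempt. */
    const char *ids[] = { "00008030-ABCDEF0123456789", "../foobar" };
    char path[256];

    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        if (build_pair_record_path("/example/config", ids[i], path, sizeof path) == 0)
            printf("accepted: %s\n", path);
        else
            printf("rejected: %s\n", ids[i]);
    }
    return 0;
}
```

The validator deliberately rejects the whole record rather than stripping offending characters: normalising input (for example removing "../") is easy to get wrong and can still be bypassed, whereas refusing anything that is not a single path component leaves no room for interpretation.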

Remediation

The upstream fix for this vulnerability has been applied in the official usbmuxd repository. Users should update to the latest version available in the openSUSE Tumbleweed repository.

Added: Dec 10, 2025, 9:17 AM
Updated: Dec 10, 2025, 9:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.