[25643] in bugtraq
QNX
daemon@ATHENA.MIT.EDU (badc0ded@badc0ded.com)
Mon Jun 3 13:34:27 2002
Date: 3 Jun 2002 16:56:21 -0000
Message-ID: <20020603165621.13481.qmail@securityfocus.com>
To: bugtraq@securityfocus.com
From: badc0ded@badc0ded.com
Shouts
Zen-parse, lockdown, sloth, ^ChAoS, elfan,
Albert E., S. Hawking, Ali G, Jenna Jameson,
flur, FreeBSD Security Officers, the guy that
used to clean our desks every morning and
still cleans jaguar's desk, QNX developers,
Jon Lasser (col/67), merlion's girlfriend,
ourselves and Jenna again.
Issue 0x0 Kernel
QNX allows local users to attach to any process. Not being familiar with the
QNX API and terminology, I can only describe it like this: you can attach to ANY
process with ptrace(), regardless of your uid/euid. An example to clear things
up :)
$ cat tmp.c
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    printf("euid=%i\n", geteuid());
    return 0;
}
$ ls -l tmp
-rwsr-xr-x 1 root 100 4021 May 20 13:31 tmp
$ ./tmp
euid=0
So far everything is normal.
$ gdb tmp
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "--host=x86-pc-nto-qnx --target=ntox86"...
(no debugging symbols found)...
(gdb) r
Starting program: /tmp/tmp
(gdb) c
Continuing.
euid=0
Program exited normally.
(gdb)
Uh oh... not quite the result you would expect.
Exploit: http://www.badc0ded.com/downloads/qnx-gdb-root.sh
Issue 0x1 /bin/su
/bin/su accepts SIGSEGV and dumps a world-readable core.
Exploit: http://www.badc0ded.com/downloads/su-dump-pw.sh
Issue 0x2 phgrafx
phgrafx executes crttrap with system() without first dropping its euid.
Exploit: http://www.badc0ded.com/downloads/phgrafx.sh
Issue 0x3 phgrafx-startup
Same problem as phgrafx.
Exploit: http://www.badc0ded.com/downloads/phgrafx-startup.sh
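The fix for issues 0x2 and 0x3 is the same: a setuid program must not hand a helper to system() while still privileged. Added example (not QNX's or phgrafx's code) of the pattern: drop the effective uid/gid permanently, verify the drop, and execve the helper by absolute path with a fixed environment. The helper path and the PATH value are assumptions.

```c
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Permanently drop to the real uid/gid. Returns 0 on success, -1 if the drop
 * failed or could be undone. Group first: once the euid is unprivileged,
 * setgid() to the real gid would no longer be allowed. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the effect rather than trusting the return values alone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* If we were not root to begin with, regaining uid 0 must now fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run helper_path (absolute path only) in a child that has dropped privileges,
 * with a fixed environment instead of the caller's. Returns the helper's exit
 * status, 127 if it could not be executed, or -1 on a usage or fork error. */
int run_helper_unprivileged(const char *helper_path, char *const argv[])
{
    /* Assumed minimal environment; nothing from the invoking user is inherited. */
    char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };

    if (helper_path == NULL || helper_path[0] != '/')
        return -1;                  /* no PATH lookup, no relative paths */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(127);             /* never run the helper still privileged */
        execve(helper_path, argv, clean_env);   /* no shell, no inherited env */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Compared with system("crttrap") from a euid-0 process, the helper here runs as the invoking user and sees only the environment the program chose.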
Issue 0x4 phlocale
$ABLANG buffer overflows and other goodies.
Exploit: http://www.badc0ded.com/downloads/phlocale.c
Issue 0x5 pkg-installer.c
Simple command-line buffer overflow in the -u argument.
Exploit: http://www.badc0ded.com/downloads/pkg-installer.c
Misc.
Many, many more problems that I have not developed exploits for.