QNX PPPoEd daemon vulnerable to command spoofing

ID VU:577566
Type cert
Reporter CERT
Modified 2005-02-03T00:00:00



The QNX PPPoEd daemon is vulnerable to command spoofing that may lead to arbitrary code execution.


QNX is an RTOS (Realtime Operating System). QNX is used in many different devices and industries, including, but not limited to

* routers 
* manufacturing and processing 
* medical equipment 
* automotive and transportation 
* military and aerospace 
* consumer electronics 
* industry automation and control

The PPPoEd service is used to create Point-to-Point Protocol over Ethernet (PPPoE) connections on QNX systems. The PPPoEd daemon uses the mount system command to load and start a networking device during PPPoE connection negotiation. However, PPPoEd relies on the $PATH environment variable to locate the executable file for the mount command. A malicious user may be able to create an arbitrary program labeled mount, place it in a arbitrary directory, and then modify the $PATH variable to refer to the new mount executable. When PPPoEd checks the $PATH variable to locate the executable for the mount command, it follows the $PATH entry entered by the attacker and executes the new version of mount.

This issue has been confirmed in QNX OS versions:

* 6.1.0, 6.1.0A 
* 6.2.0, 6.2., 6.2.1A, 6.2.1B 
* 6.3.0


The PPPoEd process is executed with root privileges by default. As a result, an attacker may be able to execute arbitrary code with root privileges.


Limit Access to PPPoEd