QNX PPPoEd PATH Variable Local Privilege Escalation

2004-09-02T16:37:54
ID OSVDB:9661
Type osvdb
Reporter Julio Cesar Fort (julio@rfdslabs.com.br)
Modified 2004-09-02T16:37:54

Description

Vulnerability Description

QNX PPPoEd contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user modifies the $PATH variable and provides a drop-in replacement for the "mount" command. This flaw may lead to a loss of Integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. It is possible to restrict untrusted users from executing pppoed.
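
The flaw described above is the classic case of a privileged program launching a helper by bare name, so the caller's $PATH decides which "mount" actually runs. The following C sketch is an added example, not code from QNX or from the reporter's advisory: it resolves a helper only against a fixed directory list and executes it by absolute path with a fixed environment. The names resolve_trusted, run_trusted and TRUSTED_DIRS, and the directory list itself, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed trusted directories; adjust for the target system. */
static const char *const TRUSTED_DIRS[] = { "/sbin", "/bin", "/usr/sbin", "/usr/bin", NULL };

/* Resolve a bare command name against TRUSTED_DIRS only, never $PATH.
 * Returns 0 and fills `out` on success, -1 otherwise. */
int resolve_trusted(const char *name, char *out, size_t outlen)
{
    struct stat st;
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;                      /* bare names only, no path tricks */
    for (size_t i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outlen)
            continue;                   /* candidate would be truncated */
        if (stat(out, &st) != 0 || !S_ISREG(st.st_mode) ||
            (st.st_mode & (S_IWGRP | S_IWOTH)))
            continue;                   /* missing, or replaceable by non-owner */
        if (access(out, X_OK) == 0)
            return 0;
    }
    if (outlen > 0) out[0] = '\0';
    return -1;
}

/* Run the resolved helper with a fixed environment. Returns its exit
 * status, or -1 if it could not be resolved or started. */
int run_trusted(const char *name, char *const argv[])
{
    char path[256];
    char *const envp[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
    int status;
    if (resolve_trusted(name, path, sizeof path) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);       /* absolute path: no $PATH search */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

A privileged caller would use run_trusted("mount", argv) in place of system("mount ...") or execvp("mount", ...), both of which consult the inherited $PATH.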

Manual Testing Notes

$ export overflow256='AAAAAAAAAAAAAAA(...)' (around 256 A's)
$ /usr/bin/pppoed -F $overflow256

References:

Vendor URL: http://www.qnx.com
Vendor URL: http://www.qnx.com/developers/docs/momentics621_docs/neutrino/utilities/p/pppoed.html
Security Tracker: 1011154
Related OSVDB ID: 9660
Other Advisory URL: http://www.rfdslabs.com.br/qnx-advs-01-2004.txt
Other Advisory URL: http://seclists.org/lists/fulldisclosure/2004/Sep/0176.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0155.html
CVE-2004-1391