QNX

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Shouts 
  Zen-parse, lockdown, sloth, ^ChAoS, elfan, 
  Albert E., S. Hawking, Ali G, Jenna Jameson
  flur, FreeBSD Security Officers, the guy that 
  used to clean our desks every morning and 
  still cleans jaguars desk., QNX developers,
  Jon Lasser (col/67), merlions girlfriend,
  ourselves and Jenna again.



Issue 0x0 Kernel

QNX Allows local users to attach to any process. Not being familiar with the 
QNX API and terminology, I can only describe it as if you could attach to ANY 
process with ptrace() regardless of your uid/euid.  An example to clear things
up :)

$ cat tmp.c
main ()
{
  printf("euid=%i\n",geteuid());
}
$ ls -l tmp
-rwsr-xr-x  1 root      100            4021 May 20 13:31 tmp
$ ./tmp
euid=0
So far everything is normal.
$ gdb tmp
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=x86-pc-nto-qnx --target=ntox86"...
(no debugging symbols found)...
(gdb) r
Starting program: /tmp/tmp
(gdb) c
Continuing.
euid=0

Program exited normally.
(gdb)

Uh oh.. not quite the result you would expect..

Exploit: http://www.badc0ded.com/downloads/qnx-gdb-root.sh



Issue 0x1 /bin/su

/bin/su accepts SIGSEGV and dumps world readable core.  
Exploit: http://www.badc0ded.com/downloads/su-dump-pw.sh



Issue 0x2 phgrafx

phgrafx executes crttrap with system() without first dropping its euid. 
Exploit: http://www.badc0ded.com/downloads/phgrafx.sh



Issue 0x3 phgrafx-startup

Same problem as phgrafx
Exploit: http://www.badc0ded.com/downloads/phgrafx-startup.sh



Issue 0x4 phlocale

$ABLANG Buffer overflows and other goodies.. 
Exploit: http://www.badc0ded.com/downloads/phlocale.c 



Issue 0x5 pkg-installer.c

Simple cmdline buffer overflow in -u argument
Exploit: http://www.badc0ded.com/downloads/pkg-installer.c



Misc..
Many many more problems that I have not developed exploits for.





















[Index of Archives]
 
 
[Linux Security]
 
 
[Netfilter]
 
 
[PHP]
 
 
[Yosemite News]
 
 
[Linux Kernel]


















 
Powered by Linux