QNX RTOS could allow an attacker to gain local root privileges
|qnx-rtos-gain-privileges (10564)||High Risk|
QNX RTOS could allow a local attacker to gain root privileges, caused by a vulnerability in the application packager, which fails to properly validate file paths. By default, the application packager is installed setuid root. A local attacker could create a specially-crafted "cp" command and set the PATH environment variable so that when the application packager executes, the specially-crafted "cp" command would then be executed on a directory created by the attacker. An attacker could use this vulnerability to gain root privileges on the system.
Upgrade to the latest version of QNX RTP (6.2.1 or later), when it becomes available from the QNX Software System Web site. See References.
As a workaround, remove the suid bit from the packager binary: chmod -s 'which packager'
- iDEFENSE Security Advisory 11.08.02b: Non-Explicit Path Vulnerability in QNX Neutrino RTOS.
- QNX Software System Web site: QNX Software Systems.
- BID-6146: QNX RTOS Application Packager Non-Explicit Path Execution Vulnerability
- CVE-2002-1239: QNX Neutrino RTOS 6.2.0 uses the PATH environment variable to find and execute the cp program while operating at raised privileges, which allows local users to gain privileges by modifying the PATH to point to a malicious cp program.
- OSVDB ID: 12214: QNX Neutrino RTOS PATH Environment Variable Subversion Local Privilege Escalation
- QNX QNX Neutrino RTOS 6.2.0
Nov 08, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this