BugTraq
Medium severity flaw in BlackBerry QNX Neutrino RTOS Mar 11 2014 08:34PM
Tim Brown (timb nth-dimension org uk) (1 replies)
Re: Medium severity flaw in BlackBerry QNX Neutrino RTOS Mar 13 2014 11:02AM
Tim Brown (timb nth-dimension org uk)
Might have been helpful to attach the advisory.

Tim
--
Tim Brown
<mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
<http://www.nth-dimension.org.uk/>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20140311)
Date: 11th March 2014
Author: Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: QNX Neutrino RTOS 6.5.0
<http://www.qnx.com/products/neutrino-rtos/index.html>
Vendor: BlackBerry <http://www.blackberry.com/>
Risk: Medium

Summary

This advisory concerns the forced disclosure of 2 vulnerabilities that were
previously disclosed to BlackBerry. Disclosure has been forced since these
vulnerabilities have been publicly disclosed (with PoC) on the exploit-db
web site.

Two local privilege escalation vulnerabilities have been identified that would
ultimately result in malicious code being executed in a trusted context. The
first allows direct code execution (http://www.exploit-db.com/exploits/32153/)
whilst the second allows for the root password to be disclosed
(http://www.exploit-db.com/exploits/32156/).

It should be noted that Nth Dimension do not believe that the bug collision
are due to a leak within BlackBerry but rather that these are the simply
instances of multiple researchers identifying the same vulnerable code paths.

Solutions

Nth Dimension are not aware of vendor supplied patches at this moment in
time.

Technical Details

1) The following PoC command causes id to be executed with euid 0:

$ /sbin/ifwatchd -v -u id en0

2) The following PoC command causes the first line of /etc/shadow (including the
root user's password hash to be displayed:

$ /sbin/ppoectl -f /etc/shadow

History

On 22th November 2012, Nth Dimension supplied a PoC exploits for each of the
vulnerabilities outlined above. BlackBerry responded to confirm that they had
received the report and were investigating.

On the 17th June 2013, Nth Dimension chased BlackBerry for an update and were
notified that BIRT2013-00001 had been assigned to to the privilege escalation
issues.

No further contact was received from BlackBerry after the 26th Julu 2013.

Current

As of the 11th March 2014, both the privilege escalation attacks have been
disclosed by a 3rd party. In light of this and in the absence of any timely
response from BlackBerry, Nth Dimension have opted to make full details public.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJTH2qKAAoJEPJhpTVyySo7fFoP/2sWlwr2zhuVZEUYKkuuMLHK
u3lP8lX55Fc/6T94D8HAhoaizoACEjZECmunwjUnaLZEP9IO5ksqJxadIrIDvGnx
DgTTxDBqjUu8IZMsyS3hbMCfttKUeurBWk4zaQKTfzktTGwcx0hP1YjDnV2dlfxq
rmqTcumzO0G3GRzOGMf0iYNd9NwuGTm6G89c90KkSaXuKBWMlifcBet5+xlqiIep
ElUsM7G8EgHGHbglwoJEQNyQxn706ubjn+QYUEe34Ki7saZoYdZTcU/tid/q1thK
qaajCooZkFePPfPfDIQnhGoMKPtMKIlyIBb+XbURKJMslpIwjIxG8oDND+Dr2Lpi
gyS72w/H3X8cbUIFHL9w9tBYhgA7ygSCp2JEFB05iDFb2KJ++L1/VUW9Zd6aZOiS
ffifs3QByToWJv2QGOBEoe5N7HcRYldBVBkeSDCJPFvxF30OpfirWwl5MtM1muBn
9ddryvEALg4SeeSEcJp88KcWKgtEvqHEMsMru0tmqC4Yud4rs2Frz2g54sVOtamY
vyFNX5DbvzFUqnJMKr6b1b6OTKdr6d94E4SaxIHGd9q9zcOOrMMGqidnmZffB3tf
PwTNTc01KSDdJS4wMjNKuu7gPzazXJiIrajn6ogkHeN8+8IlAy9YVc2I95g20lr2
ihPeOQ8Mx47ddyAqluNb
=ObS5
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAABCAAGBQJTIZA/AAoJEPJhpTVyySo7v0oP/2YvL3B8nm1U3/bqYv59VHZZ
XPIwlkpsRR98G/PxNzAhyswf9QznBg7k4lOlZ6RaG8jINFTeoiFTuhUJJ/ixpX12
akwc7eF1l7jtMRtIE/JOcYEuT/DgwO4IW10okxRj0yh7xz9p4Kz+ps8QxVEhlrjl
850EhuKf+13DRkzgEXBI5+Ku58rsPet8ADslKgiTz+EiWdfKIqmpoMgnAbKDFP75
NKEg8IvnCnWEw3qepyStHA7DslsDlU2iZoKi5YJ/HPtXSZu0YpzzT7CdsSM9id6w
gIFJ/SRNrO1U91pMYgkDPMHl4NFPqXxUMkimqyZd30fkcqU6kYElpa9iXXsYsXWm
ssvVS2pyGollXuW2B3q5evB1Nh7TQGB2bD/780YeXrQZAI+SIa2InickmrsymfQO
N445QFjCzL8Af/VyNh+L6/6WZ0IDxvsLfHMaLC76nU5n+a7djDCc0gIkxFB3BZIp
0fTJMXIcaImG9ZOAOrn0ZaRQNvAUcThFRG2gDK3ObYRaQPCppzJANndfQ4L3TxYL
m75TGDSS4haP8uiWm8KG2NdqX2NZkoO2C2NDpjRBz1JxeFWNGYJAr2KpIuLe6bfy
HGCeRgd3Z7mk/ZadSWt1KYT+oTvqHCMFl7j79aR1eMQwWPNRTmcNmKCLGyJ11RhA
0H1zNxYM3NQx8rxDnNXz
=phMe
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus