
CERT Coordination Center

QNX PPPoEd daemon vulnerable to command spoofing

Vulnerability Note VU#577566

Original Release Date: 2005-02-01 | Last Revised: 2005-02-03

Overview

The QNX PPPoEd daemon is vulnerable to command spoofing that may lead to arbitrary code execution.

Description

QNX is a real-time operating system (RTOS) used in many devices and industries, including, but not limited to:

    • routers
    • manufacturing and processing
    • medical equipment
    • automotive and transportation
    • military and aerospace
    • consumer electronics
    • industry automation and control

The PPPoEd service is used to create Point-to-Point Protocol over Ethernet (PPPoE) connections on QNX systems. During PPPoE connection negotiation the PPPoEd daemon invokes the mount system command to load and start a networking device. However, PPPoEd relies on the $PATH environment variable to locate the executable for the mount command rather than using a fixed path. A malicious user may therefore create an arbitrary program named mount, place it in a directory of their choosing, and modify $PATH so that this directory is searched first. When PPPoEd consults $PATH to locate mount, it follows the entry supplied by the attacker and executes the attacker's version of mount instead of the system one.
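As an added illustration (not QNX code and not part of this note), the C below shows the two halves of what the paragraph above describes: how a bare command name such as mount is resolved by walking the directories in PATH from left to right, so that a user-writable directory listed before /bin wins, and a launcher pattern that never consults PATH (an absolute executable path plus a fixed, minimal environment handed to execve). The exists callback, the constructed directory names and the launch_trusted helper are assumptions made for this example; they are not pppoed's code or QNX's fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Walk PATH left to right; the first directory holding `cmd` wins.
 * `exists` stands in for a stat() of each candidate so the lookup can be
 * exercised without touching a real file system. Returns 1 and fills
 * `out` with the resolved path, or 0 (and an empty `out`) if not found. */
int resolve_command(const char *cmd, const char *path,
                    int (*exists)(const char *), char *out, size_t outlen)
{
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t dirlen = end ? (size_t)(end - p) : strlen(p);
        int n;
        if (dirlen == 0)            /* empty PATH entry means "." */
            n = snprintf(out, outlen, "./%s", cmd);
        else
            n = snprintf(out, outlen, "%.*s/%s", (int)dirlen, p, cmd);
        if (n > 0 && (size_t)n < outlen && exists(out))
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    if (outlen)
        out[0] = '\0';
    return 0;
}

/* Launcher for a privileged program that must not depend on PATH:
 * the executable is required to be an absolute path, and the child gets a
 * fixed environment instead of the caller's. Returns the child's exit
 * status, or -1 if the request is refused or the child did not exit
 * normally. (Hypothetical helper, not pppoed's actual fix.) */
int launch_trusted(const char *abs_path, char *const argv[])
{
    /* Constructed minimal environment: PATH pinned to system directories. */
    char *const clean_env[] = { "PATH=/sbin:/bin", NULL };
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                  /* refuse anything PATH-dependent */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);                 /* execve only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed stand-in for the file system: a system mount exists, and so
 * does a copy in a directory an unprivileged user can write to. */
static int demo_exists(const char *candidate)
{
    return strcmp(candidate, "/bin/mount") == 0 ||
           strcmp(candidate, "/home/user/bin/mount") == 0;
}

int main(void)
{
    char found[256];

    /* User-writable directory listed ahead of /bin: its copy is chosen. */
    resolve_command("mount", "/home/user/bin:/bin", demo_exists,
                    found, sizeof found);
    printf("PATH lookup resolved 'mount' to %s\n", found);

    /* The hardened launcher refuses a bare name and ignores PATH. */
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    printf("launch_trusted(\"sh\") -> %d\n", launch_trusted("sh", argv));
    printf("launch_trusted(\"/bin/sh\") -> %d\n", launch_trusted("/bin/sh", argv));
    return 0;
}
```

The lookup half is exactly what a library call such as system() or execvp() does on the caller's behalf (system() additionally runs the command line through /bin/sh, which performs the same PATH search), which is why a setuid program that passes a bare name inherits whatever PATH the unprivileged caller set. The hardened half removes PATH from the decision entirely; the vendor's workaround of clearing the setuid bit addresses the same risk from the other side, by making sure nothing the daemon runs executes as root in the first place.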

This issue has been confirmed in QNX OS versions:

    • 6.1.0, 6.1.0A
    • 6.2.0, 6.2.1, 6.2.1A, 6.2.1B
    • 6.3.0

Impact

The PPPoEd process is executed with root privileges by default. As a result, an attacker may be able to execute arbitrary code with root privileges.

Solution

Limit Access to PPPoEd

Deny untrusted users the privileges needed to access the PPPoEd service.

Remove PPPoEd

If the PPPoE protocol is not needed, the PPPoEd binary can be removed to correct this issue.

Vendor Information


QNX Affected

Notified: September 13, 2004 | Updated: October 05, 2004

Status

Affected

Vendor Statement

A verified statement from the vendor is not available at this time.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has received the following unconfirmed message from the vendor about this vulnerability:

Date Received: 10/04/2004 12:12:00 PM

This issue has been confirmed and does exist in QNX OS versions:

6.1.0 6.1.0A
6.2.0 6.2.1 6.2.1A 6.2.1B
6.3.0

pppoed is shipped by default setuid to root, so a local non-root user could gain root access by substituting a 'mount' command in their PATH which would be executed as root.

Workaround:

Change pppoed permissions so that it is not setuid or don't allow unprivileged users access to the pppoed binary. The pppoed binary could also be removed if PPPoE services are not required on the system.

Patches:

This issue has been fixed and the fix will be available with an upcoming QNX 6.3.0 patch release (Please refer to the release notes).

Please contact your QNX representative regarding the availability of patches for earlier QNX releases.

Patches or updates for QNX products can be obtained through QNX "myqnx" customer accounts.
http://www.qnx.com/account/login.html

Acknowledgements

This vulnerability was publicly reported by Julio Cesar Fort.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 13.17
Date Public: 2004-09-05
Date First Published: 2005-02-01
Date Last Updated: 2005-02-03 16:56 UTC
Document Revision: 180