search menu icon-carat-right cmu-wordmark

CERT Coordination Center

QNX PPPoEd daemon vulnerable to command spoofing

Vulnerability Note VU#577566

Original Release Date: 2005-02-01 | Last Revised: 2005-02-03

Overview

The QNX PPPoEd daemon is vulnerable to command spoofing that may lead to arbitrary code execution.

Description

QNX is an RTOS (Realtime Operating System). QNX is used in many different devices and industries, including, but not limited to

    • routers
    • manufacturing and processing
    • medical equipment
    • automotive and transportation
    • military and aerospace
    • consumer electronics
    • industry automation and control

The PPPoEd service is used to create Point-to-Point Protocol over Ethernet (PPPoE) connections on QNX systems. The PPPoEd daemon uses the mount system command to load and start a networking device during PPPoE connection negotiation. However, PPPoEd relies on the PATHenvironmentvariabletolocatetheexecutablefileforthemountcommand.Amalicioususermaybeabletocreateanarbitraryprogramlabeledmount,placeitinaarbitrarydirectory,andthenmodifythePATH variable to refer to the new mount executable. When PPPoEd checks the PATHvariabletolocatetheexecutableforthemountcommand,itfollowsthePATH entry entered by the attacker and executes the new version of mount.

This issue has been confirmed in QNX OS versions:
    • 6.1.0, 6.1.0A
    • 6.2.0, 6.2., 6.2.1A, 6.2.1B
    • 6.3.0

Impact

The PPPoEd process is executed with root privileges by default. As a result, an attacker may be able to execute arbitrary code with root privileges.

Solution

Limit Access to PPPoEd
Deny untrusted users the privileges needed to access the PPPoEd service.

Remove PPPoEd

If the PPPoE protocol is not needed, the PPPoEd binary can be removed to correct this issue.

Vendor Information

577566
 

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was publicly reported by Julio Cesar Fort.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 13.17
Date Public: 2004-09-05
Date First Published: 2005-02-01
Date Last Updated: 2005-02-03 16:56 UTC
Document Revision: 180

Sponsored by CISA.