CVE-2002-0793
Published 2002-08-12
PriorityP417medium5.5CVSS 3.1
Exploit available
EPSS 1.34% (67.8th percentile)
Hard link and possibly symbolic link following vulnerabilities in QNX RTOS 4.25 (aka QNX4) allow local users to overwrite arbitrary files via (1) the -f argument to the monitor utility, (2) the -d argument to dumper, (3) the -c argument to crttrap, or (4) using the Watcom sample utility.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blackberry | qnx_neutrino_real-time_operating_system | — | — |
CVSS provenance
NVD v3.1: 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
NVD v2.0: 4.6 MEDIUM AV:L/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
QNX RTOS 4.25 - 'CRTTrap' File Disclosure
exploitdb · 2002-05-31
---
source: https://www.securityfocus.com/bid/4901/info
The QNX RTOS crttrap binary includes a command-line option for specifying a configuration file. crttrap is installed setuid by default. Local attackers may specify an arbitrary system file in place of the configuration file and crttrap will disclose the contents of the arbitrary file.
crttrap -c /etc/shadow
Exploit-DB
QNX RTOS 4.25 - monitor Arbitrary File Modification
exploitdb · 2002-05-31
---
source: https://www.securityfocus.com/bid/4902/info
The QNX RTOS monitor utility is prone to an issue which may allow local attackers to modify arbitrary system files (such as /etc/passwd). monitor is installed setuid root by default.
The monitor -f command line option may be used by a local attacker to cause an arbitrary system file to be overwritten. Once overwritten, the attacker will gain ownership of the file.
monitor -f /etc/passwd
Exploit-DB
QNX RTOS 4.25 - dumper Arbitrary File Modification
exploitdb · 2002-05-31
---
source: https://www.securityfocus.com/bid/4904/info
When creating memory dump files, the QNX RTOS debugging utility 'dumper' follows symbolic links. It also sets ownership of the file to the userid of the terminated process. It is possible for malicious local attackers to exploit this vulnerability to overwrite and gain ownership of arbitrary files. Consequently, attackers may elevate to root privileges by modifying files such as '/etc/passwd'.
Example exploit, with /bin/dumper:
Let EVIL be the unprivileged user who wants to gain root access.
#link to the passwd file: dumper dumps to [process name].dmp
$ ln /etc/passwd /home/EVIL/ksh.dmp
#call the program that will attempt to write to the hard link
$ dumper -d /home/EVIL -p [PID
No writeups or analysis indexed.
CWE
CWE-59: Improper Link Resolution Before File Access ('Link Following')
mitre_cwe
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Background: Soft links are a UNIX term that is synonymous with simple shortcuts on Windows-based platforms.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism. An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpe
CWE
CWE-62: UNIX Hard Link
mitre_cwe · CVSS 5.5 [MEDIUM]
The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. /etc/passwd). When the process opens the file, the attacker can assume the privileges of that process.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Confidentiality, Integrity. Impact: Read Files or Directories, Modify File
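The CWE-62 text above and the dumper entry earlier on this page describe the same pattern: a privileged program writes a file under a name the user controls and lands on a hard link to a sensitive file. The following is an added example written for this page, not QNX or Exploit-DB code; it assumes a POSIX/Linux system with a writable /tmp, and the function names (open_dump_naively, open_dump_safely, selftest_hardlink) are invented. It places the naive writer beside a link-resistant one and checks both in a scratch directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Naive pattern (what a dumper-style writer does): path built from a
 * caller-controlled directory, opened with O_TRUNC. Symlinks are followed
 * and a hard link carrying the dump name is silently truncated. */
int open_dump_naively(const char *dir, const char *name) {
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}
/* Hardened variant: refuse any pre-existing entry (O_EXCL), never traverse a
 * symlink at the final component (O_NOFOLLOW), then verify the descriptor
 * itself, not the path, is a fresh single-link regular file. */
int open_dump_safely(const char *dir, const char *name) {
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}
/* Constructed self-check: a "victim" file hard-linked under the dump name.
 * Returns 1 if the naive opener truncates the victim while the hardened one
 * refuses the link yet still accepts a fresh name; 0 otherwise. */
int selftest_hardlink(void) {
    char dir[] = "/tmp/dumpXXXXXX", victim[64], lnk[64], fresh[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/ksh.dmp", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.dmp", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || write(vfd, "secret\n", 7) != 7 || close(vfd) != 0) return 0;
    if (link(victim, lnk) != 0) return 0;
    int ok = 1, fd;
    struct stat st;
    if ((fd = open_dump_naively(dir, "ksh.dmp")) < 0) ok = 0; else close(fd);
    if (stat(victim, &st) != 0 || st.st_size != 0) ok = 0;  /* victim clobbered */
    if (open_dump_safely(dir, "ksh.dmp") >= 0) ok = 0;       /* link refused */
    if ((fd = open_dump_safely(dir, "fresh.dmp")) < 0) ok = 0; else close(fd);
    unlink(victim); unlink(lnk); unlink(fresh); rmdir(dir);
    return ok;
}
```

The fstat check matters most where O_EXCL cannot be used (appending to an existing log, for instance); checking the open descriptor rather than re-stat'ing the path avoids a time-of-check/time-of-use window.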
References
http://archives.neohapsis.com/archives/bugtraq/2002-05/0292.html
http://www.iss.net/security_center/static/9231.php
http://www.securityfocus.com/bid/4901
http://www.securityfocus.com/bid/4902
http://www.securityfocus.com/bid/4903
http://www.securityfocus.com/bid/4904
https://exchange.xforce.ibmcloud.com/vulnerabilities/9232
https://exchange.xforce.ibmcloud.com/vulnerabilities/9233
https://exchange.xforce.ibmcloud.com/vulnerabilities/9234