{"vuid":"VU#577566","idnumber":"577566","name":"QNX PPPoEd daemon vulnerable to command spoofing","keywords":["QNX PPPoEd","$PATH","arbitrary code execution","mount"],"overview":"The QNX PPPoEd daemon is vulnerable to command spoofing that may lead to arbitrary code execution.","clean_desc":"QNX is an RTOS (Realtime Operating System). QNX is used in many different devices and industries, including, but not limited to:\nrouters\nmanufacturing and processing\nmedical equipment\nautomotive and transportation\nmilitary and aerospace\nconsumer electronics\nindustry automation and control\nThe PPPoEd service is used to create Point-to-Point Protocol over Ethernet (PPPoE) connections on QNX systems. The PPPoEd daemon uses the mount system command to load and start a networking device during PPPoE connection negotiation. However, PPPoEd relies on the $PATH environment variable to locate the executable file for the mount command. A malicious user may be able to create an arbitrary program labeled mount, place it in an arbitrary directory, and then modify the $PATH variable to refer to the new mount executable. When PPPoEd checks the $PATH variable to locate the executable for the mount command, it follows the $PATH entry entered by the attacker and executes the new version of mount. This issue has been confirmed in QNX OS versions:\n6.1.0, 6.1.0A\n6.2.0, 6.2., 6.2.1A, 6.2.1B\n6.3.0","impact":"The PPPoEd process is executed with root privileges by default. As a result, an attacker may be able to execute arbitrary code with root privileges.","resolution":"","workarounds":"Limit Access to PPPoEd\nDeny untrusted users the privileges needed to access the PPPoEd service.\nRemove PPPoEd\nIf the PPPoE protocol is not needed, the PPPoEd binary can be removed to correct this issue.","sysaffected":"","thanks":"This vulnerability was publicly reported by Julio Cesar Fort.","author":"This document was written by Jeff Gennari.","public":["http://www.securitytracker.com/alerts/2004/Sep/1011154.html","http://www.osvdb.org/displayvuln.php?osvdb_id=9661","http://xforce.iss.net/xforce/xfdb/17284"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-09-08T16:56:55Z","publicdate":"2004-09-05T00:00:00Z","datefirstpublished":"2005-02-01T16:19:31Z","dateupdated":"2005-02-03T16:56:10Z","revision":180,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"14","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"12","cam_impact":"19","cam_easeofexploitation":"10","cam_attackeraccessrequired":"14","cam_scorecurrent":"13.167","cam_scorecurrentwidelyknown":"16.758","cam_scorecurrentwidelyknownexploited":"28.728","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":13.167,"vulnote":null}