From: One Semicolon (s_at_4os.org)
Date: Mon Nov 18 2002 - 21:47:26 CST
TOPIC: Multiple incorrect permissions in QNX.
ADVISORY NR: 200202
DATE: Nov 13 2002
VULNERABILITY FOUND BY: 1; (One Semicolon)
STATUS: QNX Software Systems Ltd was contacted on November 11, 2002.
I received prompt replies and was assured that this was being sent through
the proper channels to have this resolved. I was unable to receive a
preliminary patch or an estimate as to how long this process would take.
Installing the OS Update for 6.2.0 (Patch A) will affect the permissions of
QNX also released two experimental patches to resolve rather big issues.
however set incorrect permissions. These two patches are:
- PhShutdown security patch
- Package file system patch
cpim (Chinese Method Input) and vpim (Japanese Method Input) version 2.0.3,
but most likely also earlier editions, set incorrect permissions.
phrelaycfg, new since QNX 6.1.0, also has incorrect permissions.
As part of the games pack, version 2.0.3 in this case, the following games
are installed with improper permissions:
All aforementioned programs have permissions of rwxrwxrwx. This means that
any user can read or write to the binaries, allowing anyone to replace them.
The following files are affected:
OS Update Patch A:
QNX experimental patches:
QNX 6.2.0 Non-commercial edition on an x86 architecture was used. All
and updates were applied at the time of writing.
Adjust the permissions of these particular binaries. Then proceed
to search the complete file system for any other files that may not have
Contact QNX to find out what appropriate actions to take to prevent this in
Some systems have been found that have different permissions for different
Before letting anyone access a QNX system, it is always a good idea to
execute "find / -perm -2 ! -type l -ls >> result.txt". Besides the programs
mentioned today, several other programs may or may not have set proper
permissions depending on the number of packages you installed.
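
The audit and the permission adjustment recommended above, as an added example that is not part of the original advisory. It narrows the advisory's `find` to world-writable executables (the rwxrwxrwx case), skips sticky-bit directories such as /tmp, and removes only the "other" write bit. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample tree are hypothetical.

# World-writable entries under $1, like the advisory's find, but skipping
# symlinks and sticky-bit directories (e.g. /tmp), which are
# world-writable by design.
audit_world_writable() {
    find "$1" -perm -0002 ! -type l \
        ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# The subset that matters most here: regular files that are world-writable
# and executable by owner, group or other, so any user can replace a
# program that someone else will run.
audit_replaceable_binaries() {
    find "$1" -type f -perm -0002 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print 2>/dev/null
}

# Remove only the "other" write bit from those binaries and print each
# file that was changed; owner and group bits stay as installed.
fix_replaceable_binaries() {
    find "$1" -type f -perm -0002 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        -exec chmod o-w {} \; -print 2>/dev/null
}

# Constructed sample tree standing in for an installed package.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -m 755 "$t/bin"
    mkdir "$t/tmp" && chmod 1777 "$t/tmp"          # sticky, legitimate
    : > "$t/bin/game";  chmod 777 "$t/bin/game"    # rwxrwxrwx, as reported
    : > "$t/bin/tool";  chmod 755 "$t/bin/tool"    # correct permissions
    : > "$t/notes.txt"; chmod 666 "$t/notes.txt"   # writable, not executable
    ln -s bin/game "$t/link"                       # symlink, ignored
    printf '%s\n' "$t"
}
```

Run `audit_world_writable /` first and review the list before calling `fix_replaceable_binaries`, since non-executable world-writable files are reported but deliberately left unchanged.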