lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040913192251.3510.qmail@www.securityfocus.com>
Date: 13 Sep 2004 19:22:51 -0000
From: Julio Cesar Fort <julio@...slabs.com.br>
To: bugtraq@...urityfocus.com
Subject: [RLSA_04-2004] QNX crrtrap possible race condition vulnerability




               *** rfdslabs security advisory ***

Title: QNX crrtrap possible race condition vulnerability [RLSA_04-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: http://www.qnx.com
Date: Sep 13 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>


1. Introduction

  crrtrap is a tool to detect video hardware and starts the correct driver for
QNX.


2. Details

crttrap does a sequence of commands before calls 'io-graphics', an external
program part of Photon. Because of this, there is a theorical race condition
vulnerability.

--
(1) /bin/cd /usr/photon/bin
(*)
(2) io-graphics [arguments]
--

This spot (*) is where the race condition lies. If we are able to modify $PATH
in the exact moment before crrtrap calls step 2, we could obtain local root
priviledges because it will execute 'io-graphics' (our code) looking for it in
/tmp directory.
If an attacker writes a code to neverend loop changing everytime $PATH and runs
it into background, there is a theorical possiblility to modify environment and
trick crttrap.


3. Solution

   QNX Software Systems was contacted in september 8th but vendor didn't reply.
It seems they don't care much about security (they don't even have a security
staff e-mail, but SALES e-mail adddress is everywhere at qnx.com!).

4. Timeline

26 Aug 2004: Vulnerability detected;
08 Sep 2004: rfdslabs contacts QNX: no success;

Thanks to DataStorm Technologies and some stranger in mobius.qnx.com who was
intersted in rfdslabs.com.br.

www.rfdslabs.com.br - computers, sex, humand mind, music and more
Recife, PE, Brazil


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ