| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <JHECKNKKCJJJLOCFKMGCIEELCLAA.ddrinnon@cdor.net> Date: Sat, 3 Dec 2005 16:23:00 -0500 From: "Dan Drinnon" <ddrinnon@...r.net> To: <lms@...up.pt>, <bugtraq@...urityfocus.com>, <Vuln@...irt.com>, <full-disclosure@...ts.grok.org.uk> Subject: RE: QNX 4.25 suided dhcp.client binary Confirmed on an AudioRequest Pro music server running QNX 4.25. A non-privileged user can run dhcp.client and change the IP address to DHCP. A non-privileged user cannot change the IP address to a static using ifconfig: While telneted to the server as a non-privileged user... [mp3@arq]$ifconfig en1 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255 ifconfig: ioctl (SIOCDIFADDR): permission denied [mp3@arq]$./dhcp.client -i en1 [mp3@arq]$ Then I lost my connection (obviously!) I only have one server running QNX, it would be interesting to see if a non-privileged user could run dhcp.client and configure another QNX node like this: [mp3@arq]$./dhcp.client -i //20/en1 (configure the server on node 20) QNX 4.25 is an old version, but it is still used on a lot of appliance-type systems. As far as the AudioRequest goes, it is a closed system that does not allow remote terminal sessions unless you can hack into it and change things. Request dropped QNX for Linux with the latest software releases. -----Original Message----- From: lms@...up.pt [mailto:lms@...up.pt] Sent: Saturday, December 03, 2005 12:34 PM To: bugtraq@...urityfocus.com; Vuln@...irt.com; full-disclosure@...ts.grok.org.uk Subject: QNX 4.25 suided dhcp.client binary Hello all, I recently got a QNX 4.25 vmware image and i found that the dhcp.client shipped with it is suided. This obviously enables a normal user to control the NIC's configuration and produce some other attacks (eg: if the system has some services which depend on 'host/ip based' authentication [NFS,NIS,rlogin, etc]). Some vmware screenshots are available at: http://lms.ispgaya.pt/goodies/qnx/ I havent got access to other QNX installations so, allthough the person who gave me the image said the binary wasnt changed, can anybody else confirm this? Best regards, +--------------------------------- | Luís Miguel Ferreira da Silva | Unidade de Qualidade e Segurança | Centro de Informática | Professor Correia Araújo | Faculdade de Engenharia da | Universidade do Porto _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists