lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 3 Dec 2005 16:23:00 -0500
From: "Dan Drinnon" <ddrinnon@...r.net>
To: <lms@...up.pt>, <bugtraq@...urityfocus.com>, <Vuln@...irt.com>,
	<full-disclosure@...ts.grok.org.uk>
Subject: RE: QNX 4.25 suided dhcp.client binary


Confirmed on an AudioRequest Pro music server running QNX 4.25.  A
non-privileged user can run dhcp.client and change the IP address to DHCP.
A non-privileged user cannot change the IP address to a static using
ifconfig:

While telneted to the server as a non-privileged user...
[mp3@arq]$ifconfig en1 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255
ifconfig: ioctl (SIOCDIFADDR): permission denied
[mp3@arq]$./dhcp.client -i en1
[mp3@arq]$
Then I lost my connection (obviously!)

I only have one server running QNX, it would be interesting to see if a
non-privileged user could run dhcp.client and configure another QNX node
like this:
[mp3@arq]$./dhcp.client -i //20/en1   (configure the server on node 20)

QNX 4.25 is an old version, but it is still used on a lot of appliance-type
systems.

As far as the AudioRequest goes, it is a closed system that does not allow
remote terminal sessions unless you can hack into it and change things.
Request dropped QNX for Linux with the latest software releases.

-----Original Message-----
From: lms@...up.pt [mailto:lms@...up.pt]
Sent: Saturday, December 03, 2005 12:34 PM
To: bugtraq@...urityfocus.com; Vuln@...irt.com;
full-disclosure@...ts.grok.org.uk
Subject: QNX 4.25 suided dhcp.client binary


Hello all,

I recently got a QNX 4.25 vmware image and i found that the dhcp.client
shipped
with it is suided.

This obviously enables a normal user to control the NIC's configuration and
produce some other attacks (eg: if the system has some services which depend
on
'host/ip based' authentication [NFS,NIS,rlogin, etc]).

Some vmware screenshots are available at:
http://lms.ispgaya.pt/goodies/qnx/

I havent got access to other QNX installations so, allthough the person who
gave
me the image said the binary wasnt changed, can anybody else confirm this?

Best regards,
+---------------------------------
| Luís Miguel Ferreira da Silva
| Unidade de Qualidade e Segurança
| Centro de Informática
| Professor Correia Araújo
| Faculdade de Engenharia da
| Universidade do Porto

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ