Full Disclosure mailing list archives
RE: QNX 4.25 suided dhcp.client binary
From: "Dan Drinnon" <ddrinnon () cdor net>
Date: Sat, 3 Dec 2005 16:23:00 -0500
Confirmed on an AudioRequest Pro music server running QNX 4.25.

A non-privileged user can run dhcp.client and change the IP address to DHCP. A non-privileged user cannot change the IP address to a static using ifconfig:

While telnetted to the server as a non-privileged user...

    [mp3@arq]$ifconfig en1 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255
    ifconfig: ioctl (SIOCDIFADDR): permission denied
    [mp3@arq]$./dhcp.client -i en1
    [mp3@arq]$

Then I lost my connection (obviously!)

I only have one server running QNX; it would be interesting to see if a non-privileged user could run dhcp.client and configure another QNX node like this:

    [mp3@arq]$./dhcp.client -i //20/en1
    (configure the server on node 20)

QNX 4.25 is an old version, but it is still used on a lot of appliance-type systems. As far as the AudioRequest goes, it is a closed system that does not allow remote terminal sessions unless you can hack into it and change things. Request dropped QNX for Linux with the latest software releases.

-----Original Message-----
From: lms () fe up pt [mailto:lms () fe up pt]
Sent: Saturday, December 03, 2005 12:34 PM
To: bugtraq () securityfocus com; Vuln () frsirt com; full-disclosure () lists grok org uk
Subject: QNX 4.25 suided dhcp.client binary

Hello all,

I recently got a QNX 4.25 vmware image and I found that the dhcp.client shipped with it is suided.

This obviously enables a normal user to control the NIC's configuration and produce some other attacks (e.g. if the system has some services which depend on 'host/ip based' authentication [NFS, NIS, rlogin, etc.]).

Some vmware screenshots are available at: http://lms.ispgaya.pt/goodies/qnx/

I haven't got access to other QNX installations so, although the person who gave me the image said the binary wasn't changed, can anybody else confirm this?

Best regards,

+---------------------------------
| Luís Miguel Ferreira da Silva
| Unidade de Qualidade e Segurança
| Centro de Informática
| Professor Correia Araújo
| Faculdade de Engenharia da
| Universidade do Porto

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
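
An added example, not part of either message above: a POSIX shell audit that lists setuid files under a directory and flags those whose name matches a network-configuration tool, which is the condition both posters describe for dhcp.client. The watchlist NETCFG_NAMES and the function names are assumptions made for this example; only dhcp.client and ifconfig come from the thread, and the script assumes a find(1) that supports -perm.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files and flag
# network-configuration tools that unprivileged users could then run
# with the file owner's privileges.

# Assumed watchlist. dhcp.client and ifconfig are named in the thread;
# "route" is an illustrative addition.
NETCFG_NAMES="dhcp.client ifconfig route"

# audit_setuid DIR
# Prints one tab-separated line per setuid regular file: FLAG, owner, path.
# FLAG is NETCFG when the basename is on the watchlist, otherwise "review".
audit_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r path; do
        name=${path##*/}
        flag=review
        for n in $NETCFG_NAMES; do
            if [ "$name" = "$n" ]; then
                flag=NETCFG
            fi
        done
        # Owner matters: a setuid bit on a root-owned file grants root.
        owner=$(ls -ld "$path" | awk '{print $3}')
        printf '%s\t%s\t%s\n' "$flag" "$owner" "$path"
    done
}

# count_netcfg DIR
# Prints how many setuid files under DIR are on the watchlist.
count_netcfg() {
    audit_setuid "$1" | awk -F'\t' '$1 == "NETCFG" { c++ } END { print c + 0 }'
}

# Stand-alone use: sh audit.sh /bin /usr/bin ...
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        audit_setuid "$d"
    done
fi
```

A NETCFG line for a root-owned file is the case reported here; where the tool does not need to be run by ordinary users, clearing the bit with chmod u-s removes the exposure.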