Full Disclosure mailing list archives
QNX BUG FESTIVAL -- [RLSA_04-2004] QNX crrtrap possible race condition
From: "Julio Cesar Fort" <julio () rfdslabs com br>
Date: Mon, 13 Sep 2004 16:17:32 -0000
*** rfdslabs security advisory ***

Title: QNX crrtrap possible race condition vulnerability [RLSA_04-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: http://www.qnx.com
Date: Sep 13 2004
Author: Julio Cesar Fort <julio at rfdslabs com br>

1. Introduction

crrtrap is a tool that detects video hardware and starts the correct driver for QNX.

2. Details

crttrap runs a sequence of commands before it calls 'io-graphics', an external program that is part of Photon. Because of this, there is a theoretical race condition vulnerability.

--
(1) /bin/cd /usr/photon/bin (*)
(2) io-graphics [arguments]
--

This spot (*) is where the race condition lies. If we are able to modify $PATH at the exact moment before crrtrap calls step 2, we could obtain local root privileges because it will execute 'io-graphics' (our code), looking for it in the /tmp directory.

If an attacker writes code that loops forever, changing $PATH every time, and runs it in the background, there is a theoretical possibility to modify the environment and trick crttrap.

3. Solution

QNX Software Systems was contacted on September 8th but the vendor didn't reply. It seems they don't care much about security (they don't even have a security staff e-mail, but the SALES e-mail address is everywhere at qnx.com!).

4. Timeline

26 Aug 2004: Vulnerability detected;
08 Sep 2004: rfdslabs contacts QNX: no success;

Thanks to DataStorm Technologies and some stranger in mobius.qnx.com who was interested in rfdslabs.com.br.

www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil
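A defensive check for the lookup issue described in the advisory above, added here as an example and not part of the original advisory or of any QNX code: it walks a PATH value in lookup order, reports which file a bare command name such as io-graphics would resolve to, and flags entries a local user controls. The function names entry_status and audit_lookup are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): report which file a bare command
# name would run for a given PATH, and flag entries a local user controls.

# entry_status DIR -> prints "ok" or the reason DIR is unsafe in a root PATH.
entry_status() {
    case "$1" in
        "") echo "empty entry (current directory)"; return 0 ;;
        /*) ;;
        *)  echo "relative entry"; return 0 ;;
    esac
    if [ -d "$1" ]; then
        # ls mode string is e.g. drwxrwxrwt; the 9th character is other-write.
        # A sticky directory like /tmp still lets any user create new files.
        case "$(ls -ldL "$1")" in
            ????????w*) echo "world-writable"; return 0 ;;
        esac
    fi
    echo "ok"
}

# audit_lookup CMD PATHVALUE
# Walks PATHVALUE in lookup order. Returns 1 if an unsafe entry is searched
# before a safe directory that holds CMD, or if CMD is in no safe directory.
audit_lookup() {
    cmd=$1 rest="$2:" risky=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}          # next entry; empty entries are preserved
        rest=${rest#*:}
        status=$(entry_status "$dir")
        if [ "$status" != "ok" ]; then
            echo "RISK  '$dir': $status, searched for '$cmd'"
            risky=1
        elif [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            echo "FOUND $dir/$cmd"
            return "$risky"
        fi
    done
    echo "NOT FOUND in a safe directory: $cmd"
    return 1
}
```

Source the file and call `audit_lookup io-graphics "$PATH"` with the PATH a privileged launcher inherits; a launcher that invokes its helper by absolute path does not depend on this lookup at all.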