[UNIX] Multiple Incorrect Permissions in QNX

From: support@securiteam.com
Date: 11/24/02

  • Next message: support@securiteam.com: "[NEWS] Clipboard in QNX Photon" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 24 Nov 2002 17:12:35 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Multiple Incorrect Permissions in QNX
    ------------------------------------------------------------------------

    SUMMARY

    A security vulnerability in the QNX allows local attacker to replace parts
    of the file provided in the OS. This would allow them to install Trojans
    into the OS.

    DETAILS

    Vulnerable systems:
     * QNX 6.2.0 Non-commercial (x86)

    Installing the OS Update for 6.2.0 (Patch A) will affect the permissions
    of io-audio.

    QNX also released two experimental patches to resolve rather big issues.
    They however set incorrect permissions. These two patches are:
     - PhShutdown security patch
     - Package file system patch

    cpim (Chinese Method Input) and vpim (Japanese Method Input) version
    2.0.3, but most likely also earlier editions, set incorrect permissions.

    phrelaycfg, new since QNX 6.1.0, also has incorrect permissions.

    As part of the games pack, version 2.0.3 in this case, the following games
    are installed with improper permissions:
     - Columns
     - Othello
     - Peg
     - Solitaire
     - Vpoker

    Issue:
    All aforementioned programs have permissions of rwxrwxrwx. This means that
    any user can read or write to the binaries allowing anyone to replace
    them.

    The following files are affected:
    OS Update Patch A:
     - /sbin/io-audio

    QNX experimental patches:
     - /bin/shutdown
     - /sbin/fs-pkg
     - /usr/photon/bin/phshutdown

    CPIM/VPIM
     - /usr/photon/bin/cpim
     - /usr/photon/bin/vpim

    Phrelaycfg
     - /usr/photon/bin/phrelaycfg

    Games
     - /usr/photon/bin/columns
     - /usr/photon/bin/othello
     - /usr/photon/bin/peg
     - /usr/photon/bin/solitaire
     - /usr/photon/bin/vpoker

    Vendor status:
    QNX Software Systems Ltd was contacted on November 11, 2002. One Semicolon
    received prompt replies and was assured that this was being sent through
    the proper channels to have this resolved. One Semicolon was unable to
    receive a preliminary patch or a estimate as to how long this process
    would take.

    Fix:
    Adjust the permissions of these particular binaries. Then proceed to
    search the complete file system for any other files that may not have
    proper permissions.

    Contact QNX to find out what appropriate actions to take to prevent this
    in the future.

    Final notes:
    Some systems have been found that have different permissions for different
    files.

    Before letting anyone access a QNX system, it is always a good idea to
    execute "find / -perm -2 ! -type l -ls >> result.txt". Besides the
    programs mentioned today, several other programs may or may not have set
    proper permissions depending on the amount of packages you installed.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:s@4os.org> One Semicolon.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages

    • Multiple incorrect permissions in QNX.
      ... Multiple incorrect permissions in QNX. ... QNX Software Systems Ltd was contacted on November 11, ... preliminary patch or a estimate as to how long this process would take. ...
      (Bugtraq)
    • Re: KB921596 do not install...
      ... adapted the "security permissions" in/onto that Office module... ... After completing this repair I retryed to install the update... ... IF the issue were Permissions in the registry than the error message ... When you find which one it is check to see if the patch is 'needed'. ...
      (microsoft.public.windowsupdate)
    • RE: What server hardening are you doing these days?
      ... permissions on their data, and Microsoft encourages ISVs to minimize ... I've been able to discuss ACLs and other security issues in Windows with ... Control or DAC (which is what you're referring to by the "stupid ...
      (Focus-Microsoft)
    • [NEWS] Non-Explicit Path Vulnerability in QNX Neutrino RTOS
      ... Beyond Security would like to welcome Tiscali World Online ... QNX Software Systems Ltd.'s ... attackers can potentially obtain root privilege. ... The packager will at one point call the copy binary. ...
      (Securiteam)
    • Re: get rid of security center?
      ... I have come up with a solution that does not disable Security Center, ... By changing the Permissions of that key, ... settings from being changed again. ... the firewall alert settings in Security Center get ...
      (microsoft.public.windowsxp.help_and_support)