Multiple incorrect permissions in QNX.

From: One Semicolon (s@4os.org)
Date: 11/19/02

  • Next message: NetBSD Security Officer: "NetBSD Security Advisory 2002-027: ftpd STAT output non-conformance can deceive firewall devices" 
    Date: Mon, 18 Nov 2002 21:47:26 -0600
From: One Semicolon <s@4os.org>
To: bugtraq@securityfocus.com

    TOPIC: Multiple incorrect permissions in QNX.
    ADVISORY NR: 200202
    DATE: Nov 13 2002
    VULNERABILITY FOUND BY: 1; (One Semicolon)

    CONTACT INFORMATION:
    http://www.4os.org
    s@4os.org

    STATUS: QNX Software Systems Ltd was contacted on November 11, 2002.
    I received prompt replies and was assured that this was being sent through
    the proper channels to have this resolved. I was unable to receive a
    preliminary patch or a estimate as to how long this process would take.

    DESCRIPTION
    Installing the OS Update for 6.2.0 (Patch A) will affect the permissions of
    io-audio.

    QNX also released two experimental patches to resolve rather big issues.
    They
    however set incorrect permissions. These two patches are:
     - PhShutdown security patch
     - Package file system patch

    cpim (Chinese Method Input) and vpim (Japanese Method Input) version 2.0.3,
    but most likely also earlier editions, set incorrect permissions.

    phrelaycfg, new since QNX 6.1.0, also has incorrect permissions.

    As part of the games pack, version 2.0.3 in this case, the following games
    are installed with improper permissions:
     - Columns
     - Othello
     - Peg
     - Solitaire
     - Vpoker

    ISSUE
    All aforementioned programs have permissions of rwxrwxrwx. This means that
    any user can read or write to the binaries allowing anyone to replace them.

    The following files are affected:
    OS Update Patch A:
     - /sbin/io-audio

    QNX experimental patches:
     - /bin/shutdown
     - /sbin/fs-pkg
     - /usr/photon/bin/phshutdown

    CPIM/VPIM
     - /usr/photon/bin/cpim
     - /usr/photon/bin/vpim

    Phrelaycfg
     - /usr/photon/bin/phrelaycfg

    Games
     - /usr/photon/bin/columns
     - /usr/photon/bin/othello
     - /usr/photon/bin/peg
     - /usr/photon/bin/solitaire
     - /usr/photon/bin/vpoker

    SYSTEM INFORMATION:
    QNX 6.2.0 Non-commercial edition on an x86 architecture was used. All
    patches
    and updates were applied at the time of writing.

    FIX
    Adjust the permissions of these particular binaries. Then proceed
    to search the complete file system for any other files that may not have
    proper permissions.

    Contact QNX to find out what appropriate actions to take to prevent this in
    the future.

    FINAL NOTES
    Some systems have been found that have different permissions for different
    files.

    Before letting anyone access a QNX system, it is always a good idea to
    execute "find / -perm -2 ! -type l -ls >> result.txt". Besides the programs
    mentioned today, several other programs may or may not have set proper
    permissions depending on the amount of packages you installed.

    Relevant Pages

    • [UNIX] Multiple Incorrect Permissions in QNX
      ... Beyond Security would like to welcome Tiscali World Online ... A security vulnerability in the QNX allows local attacker to replace parts ... Installing the OS Update for 6.2.0 (Patch A) will affect the permissions ... They however set incorrect permissions. ...
      (Securiteam)
    • Re: BES Server Account Permissions Still exist
      ... BES adn Exchange servers for better or worse are married and in most ... After applying the patch I had to back it out as the mail was getting ... Effectivel the permissions change did not work. ...
      (microsoft.public.exchange.admin)
    • [RFC][PATCH] Simple privacy enhancement for /proc/<pid>
      ... sorry it took me so long before offering another patch for restricting ... see different permissions for certain files in there. ... This patch introduces two kernel parameters: ...
      (Linux-Kernel)
    • KB835732 Errors and Fixes
      ... On our network we recently pushed this patch, ... administrator rights, the problems with Outlook, IE, etc ... The fix involves resetting the permissions under the WINNT ...
      (microsoft.public.win2000.windows_update)
    • Re: modify workgroup not available
      ... I'm not aware of this as an issue (and no patch). ... Perhaps it is a permissions issue on the folder where the mdw is (I doubt it ... >> aren't logging in as a member of the Admins group (and it shouldn't ... >> Microsoft Access MVP ...
      (microsoft.public.access.security)