Title: QNX demo disks vulnerable
Released by:
Date: 2nd September 2000
Tested Versions: QNX Voyager 2.01B

Tested Distributions:
 QNX Demo Disk (Modem v405)
 QNX Demo Disk (Network v405)

Distributor: QNX Software Systems Limited (http://www.qnx.com)
Distributor Status: No response after 3 weeks



Intro:

QNX is a complete operating system aimed at the embedded computing market.
QNX Software Systems currently has two demo disks on release (one for
network access, one for modem access), which boast an integrated web server
and web browser (Voyager).



Issues:

The main problem stems from the ability to navigate the whole file system
using the age-old ".." paths. From the web server root, /../../ will take
you to the file system root, where a number of interesting files can be
viewed.



/etc/passwd does not store any useful information (on the demo disk
versions, anyhow), as the demo disks come with null passwords and no log-on
screen. However, /etc/ppp/chap-secrets and /etc/ppp/pap-secrets on the modem
build will reveal the recent connection password.



Once an attacker has accessed /dev/dns, the web server will serve one more
legitimate page request and then hang.



Because the web server and web client are integrated, any visitor to the
web server's site can view error messages produced by the web browser. For
example, an attacker could request http://target/dns_error.html and be
presented with the last DNS lookup failure the target received.



Other revealing URLs include:

http://target/.photon/voyager/config.full
 The web client's settings file
http://target/.photon/voyager/history.html
 Recently visited sites
http://target/.photon/voyager/hotlist
 The list of book-marked sites
http://target/.photon/pwm/pwm.menu
 The Photon Window Manager menu listing (equivalent to MS Windows' 'start
 menu')
http://target/.photon/phdial/connection [Modem build only]
 Modem set-up information
http://target/crt.html
 Available screen settings
http://target/../../etc/config/trap/crt.cur.1
 Current screen setting



There is also a small privacy issue thanks to the 'QNX Embedded Resource
Manager', which dynamically produces real-time system statistics. Anyone
requesting http://target/embedded.html will be presented with the computer's
spec, internet stats and a process list.



Exploits:

While these holes don't lend themselves to exploits in the traditional
sense, it may be worth updating your CGI scanners with the previously
mentioned URLs.



--
NeonBunny

Web: http://bunnybox.jml.net      PGP: http://bunnybox.jml.net/neonbunny.asc
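
Added example (not part of the original advisory and not QNX code): a log
check that flags requests which climb above the web root with ".." or which
hit the files listed in the advisory. It assumes access logs in Common Log
Format from a proxy or server in front of the device; the function names and
the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths named in the advisory that expose browser or system state.
SENSITIVE = {
    "/.photon/voyager/config.full", "/.photon/voyager/history.html",
    "/.photon/voyager/hotlist", "/.photon/pwm/pwm.menu",
    "/.photon/phdial/connection", "/dns_error.html", "/crt.html",
    "/embedded.html",
}
# Assumed log layout: Common Log Format (client, ident, user, [time], "request").
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)')

def classify(raw_path):
    """Return 'traversal', 'sensitive' or 'ok' for one request path."""
    # Decode first so percent-encoded dot segments are resolved too.
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    kept = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not kept:
                return "traversal"  # request climbs above the web root
            kept.pop()
        else:
            kept.append(seg)
    return "sensitive" if "/" + "/".join(kept) in SENSITIVE else "ok"

def scan(lines):
    """Return (client, path, verdict) for every log line that is not 'ok'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (verdict := classify(m.group(2))) != "ok":
            hits.append((m.group(1), m.group(2), verdict))
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Sep/2000:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.44 - - [02/Sep/2000:10:00:05 +0000] "GET /../../etc/ppp/pap-secrets HTTP/1.0" 200 87',
    '192.0.2.44 - - [02/Sep/2000:10:00:09 +0000] "GET /.photon/voyager/history.html HTTP/1.0" 200 2048',
    '192.0.2.10 - - [02/Sep/2000:10:00:20 +0000] "GET /images/../embedded.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:10} {client:15} {path}")
```

The same classify() logic, applied before a file is opened, is the server-side
fix for the ".." issue: resolve dot segments and refuse any path that leaves
the web root.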