Home page logo
/

bugtraq logo Bugtraq mailing list archives

Multiple QNX Voyager Issues
From: NeonBunny <neonbunny () courgette jml net>
Date: Fri, 1 Sep 2000 19:39:46 +0100

Tested Versions: QNX Voyager 2.01B
Tested Distributions:
 QNX Demo Disk (Modem v405)
 QNX Demo Disk (Network v405)
Distributor: QNX Software Systems Limited (http://www.qnx.com)
Distributor Status: No response after 3 weeks

Intro:

QNX is a whole operating system aimed at the embedded computing market. They
currently have on release two demo disks (One for network access, one for
modem access), which boast an integrated web server and web browser
(Voyager).

Issues:

The main problem stems from the ability to navigate the whole file system by
using the age old ".." paths. From the web server root /../../ will take you
to the file system root where there are a number of interesting files which
can be viewed...

/etc/passwd will not store any useful information (On the demo disks
versions anyhow), as the demo disks come with null passwords and no log on
screen. However, /etc/ppp/chap-secrets and /etc/ppp/pap-secrets on the modem
build will reveal the recent connection password.

By accessing /dev/dns the attacker will allow one more legitimate page
request to be served before the web server hangs.

Due to the integration of the web server and web client any visitor to the
web server's site can view error messages produced by the web browser. For
example, the attacker could request http://target/dns_error.html and be
presented with the last DNS lookup failure the target received.

Other revealing URLS include...
http://target/.photon/voyager/config.full
 The web client's settings file
http://target/.photon/voyager/history.html
 Recently visited sites
http://target/.photon/voyager/hotlist
 The list of book-marked sites
http://target/.photon/pwm/pwm.menu
 The Photon Window Manager menu listing (Equivalent to MS Windows' 'start
menu')
http://target/.photon/phdial/connection [Modem build only]
 Modem set-up information.
http://target/crt.html
 Available screen settings
http://target/../../etc/config/trap/crt.cur.1
 Current screen setting

There is also a small privacy issue thanks to the 'QNX Embedded Resource
Manager', which dynamically produces real time system statistics. Anyone
requesting http://target/embedded.html will be presented with computer spec,
internet stats and a process list.

Exploits:

While these holes don't lend themselves to exploits in the traditional
sense, it may be worth updating your CGI scanners with the previously
mentioned URLs.

--
NeonBunny

Web: http://bunnybox.jml.net      PGP: http://bunnybox.jml.net/neonbunny.asc


  By Date           By Thread  

Current thread:
  • Multiple QNX Voyager Issues NeonBunny (Sep 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault