Multiple incorrect permissions in QNX.

From: One Semicolon (sat_private)
Date: Mon Nov 18 2002 - 19:47:26 PST

Next message: Paul Szabo: "[Full-Disclosure] MS02-065 vulnerability"

Previous message: David Endler: "Update: iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

TOPIC: Multiple incorrect permissions in QNX.
ADVISORY NR: 200202
DATE: Nov 13 2002
VULNERABILITY FOUND BY: 1; (One Semicolon)


CONTACT INFORMATION:
http://www.4os.org
sat_private


STATUS: QNX Software Systems Ltd was contacted on November 11, 2002.
I received prompt replies and was assured that this was being sent through
the proper channels to have this resolved. I was unable to receive a
preliminary patch or a estimate as to how long this process would take.


DESCRIPTION
Installing the OS Update for 6.2.0 (Patch A) will affect the permissions of
io-audio.

QNX also released two experimental patches to resolve rather big issues. 
They
however set incorrect permissions. These two patches are:
 - PhShutdown security patch
 - Package file system patch

cpim (Chinese Method Input) and vpim (Japanese Method Input) version 2.0.3,
but most likely also earlier editions, set incorrect permissions.

phrelaycfg, new since QNX 6.1.0, also has incorrect permissions.

As part of the games pack, version 2.0.3 in this case, the following games
are installed with improper permissions:
 - Columns
 - Othello
 - Peg
 - Solitaire
 - Vpoker

ISSUE
All aforementioned programs have permissions of rwxrwxrwx. This means that
any user can read or write to the binaries allowing anyone to replace them.

The following files are affected:
OS Update Patch A:
 - /sbin/io-audio

QNX experimental patches:
 - /bin/shutdown
 - /sbin/fs-pkg
 - /usr/photon/bin/phshutdown

CPIM/VPIM
 - /usr/photon/bin/cpim
 - /usr/photon/bin/vpim

Phrelaycfg
 - /usr/photon/bin/phrelaycfg

Games
 - /usr/photon/bin/columns
 - /usr/photon/bin/othello
 - /usr/photon/bin/peg
 - /usr/photon/bin/solitaire
 - /usr/photon/bin/vpoker


SYSTEM INFORMATION:
QNX 6.2.0 Non-commercial edition on an x86 architecture was used. All 
patches
and updates were applied at the time of writing.


FIX
Adjust the permissions of these particular binaries. Then proceed
to search the complete file system for any other files that may not have
proper permissions.

Contact QNX to find out what appropriate actions to take to prevent this in
the future.


FINAL NOTES
Some systems have been found that have different permissions for different
files.

Before letting anyone access a QNX system, it is always a good idea to
execute "find / -perm -2 ! -type l -ls >> result.txt". Besides the programs
mentioned today, several other programs may or may not have set proper
permissions depending on the amount of packages you installed.

Next message: Paul Szabo: "[Full-Disclosure] MS02-065 vulnerability"
Previous message: David Endler: "Update: iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 00:34:52 PST