TOPIC: Multiple incorrect permissions in QNX. ADVISORY NR: 200202 DATE: Nov 13 2002 VULNERABILITY FOUND BY: 1; (One Semicolon) CONTACT INFORMATION: http://www.4os.org sat_private STATUS: QNX Software Systems Ltd was contacted on November 11, 2002. I received prompt replies and was assured that this was being sent through the proper channels to have this resolved. I was unable to receive a preliminary patch or a estimate as to how long this process would take. DESCRIPTION Installing the OS Update for 6.2.0 (Patch A) will affect the permissions of io-audio. QNX also released two experimental patches to resolve rather big issues. They however set incorrect permissions. These two patches are: - PhShutdown security patch - Package file system patch cpim (Chinese Method Input) and vpim (Japanese Method Input) version 2.0.3, but most likely also earlier editions, set incorrect permissions. phrelaycfg, new since QNX 6.1.0, also has incorrect permissions. As part of the games pack, version 2.0.3 in this case, the following games are installed with improper permissions: - Columns - Othello - Peg - Solitaire - Vpoker ISSUE All aforementioned programs have permissions of rwxrwxrwx. This means that any user can read or write to the binaries allowing anyone to replace them. The following files are affected: OS Update Patch A: - /sbin/io-audio QNX experimental patches: - /bin/shutdown - /sbin/fs-pkg - /usr/photon/bin/phshutdown CPIM/VPIM - /usr/photon/bin/cpim - /usr/photon/bin/vpim Phrelaycfg - /usr/photon/bin/phrelaycfg Games - /usr/photon/bin/columns - /usr/photon/bin/othello - /usr/photon/bin/peg - /usr/photon/bin/solitaire - /usr/photon/bin/vpoker SYSTEM INFORMATION: QNX 6.2.0 Non-commercial edition on an x86 architecture was used. All patches and updates were applied at the time of writing. FIX Adjust the permissions of these particular binaries. Then proceed to search the complete file system for any other files that may not have proper permissions. Contact QNX to find out what appropriate actions to take to prevent this in the future. FINAL NOTES Some systems have been found that have different permissions for different files. Before letting anyone access a QNX system, it is always a good idea to execute "find / -perm -2 ! -type l -ls >> result.txt". Besides the programs mentioned today, several other programs may or may not have set proper permissions depending on the amount of packages you installed.
This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 00:34:52 PST