exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

qnx-crttrap-race-condition.txt

qnx-crttrap-race-condition.txt
Posted Sep 13, 2004
Authored by Julio Cesar Fort | Site rfdslabs.com.br

A possible race condition exists in QNX RTP 6.1 due to a program being called without a complete path.

tags | advisory
SHA-256 | a9f8a0e80084bb3cbcd294a6a08d9050b2f8a488b2ad2599b22b26500637b8c8

qnx-crttrap-race-condition.txt

Change Mirror Download
                *** rfdslabs security advisory ***

Title: QNX crrtrap possible race condition vulnerability [RLSA_04-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: https://www.qnx.com
Date: Sep 13 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>


1. Introduction

crrtrap is a tool to detect video hardware and starts the correct driver for
QNX.


2. Details

crttrap does a sequence of commands before calls 'io-graphics', an external
program part of Photon. Because of this, there is a theorical race condition
vulnerability.

--
(1) /bin/cd /usr/photon/bin
(*)
(2) io-graphics [arguments]
--

This spot (*) is where the race condition lies. If we are able to modify $PATH
in the exact moment before crrtrap calls step 2, we could obtain local root
priviledges because it will execute 'io-graphics' (our code) looking for it in
/tmp directory.
If an attacker writes a code to neverend loop changing everytime $PATH and runs
it into background, there is a theorical possiblility to modify environment and
trick crttrap.


3. Solution

QNX Software Systems was contacted in september 8th but vendor didn't reply.
It seems they don't care much about security (they don't even have a security
staff e-mail, but SALES e-mail adddress is everywhere at qnx.com!).

4. Timeline

26 Aug 2004: Vulnerability detected;
08 Sep 2004: rfdslabs contacts QNX: no success;

Thanks to DataStorm Technologies and some stranger in mobius.qnx.com who was
intersted in rfdslabs.com.br.

www.rfdslabs.com.br - computers, sex, humand mind, music and more
Recife, PE, Brazil
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close