Full Disclosure mailing list archives

RE: QNX 4.25 suided dhcp.client binary

From: "Dan Drinnon" <ddrinnon () cdor net>
Date: Sat, 3 Dec 2005 16:23:00 -0500

Confirmed on an AudioRequest Pro music server running QNX 4.25.  A
non-privileged user can run dhcp.client and change the IP address to DHCP.
A non-privileged user cannot change the IP address to a static using
ifconfig:

While telneted to the server as a non-privileged user...
[mp3@arq]$ifconfig en1 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255
ifconfig: ioctl (SIOCDIFADDR): permission denied
[mp3@arq]$./dhcp.client -i en1
[mp3@arq]$
Then I lost my connection (obviously!)

I only have one server running QNX, it would be interesting to see if a
non-privileged user could run dhcp.client and configure another QNX node
like this:
[mp3@arq]$./dhcp.client -i //20/en1   (configure the server on node 20)

QNX 4.25 is an old version, but it is still used on a lot of appliance-type
systems.

As far as the AudioRequest goes, it is a closed system that does not allow
remote terminal sessions unless you can hack into it and change things.
Request dropped QNX for Linux with the latest software releases.

-----Original Message-----
From: lms () fe up pt [mailto:lms () fe up pt]
Sent: Saturday, December 03, 2005 12:34 PM
To: bugtraq () securityfocus com; Vuln () frsirt com;
full-disclosure () lists grok org uk
Subject: QNX 4.25 suided dhcp.client binary


Hello all,

I recently got a QNX 4.25 vmware image and i found that the dhcp.client
shipped
with it is suided.

This obviously enables a normal user to control the NIC's configuration and
produce some other attacks (eg: if the system has some services which depend
on
'host/ip based' authentication [NFS,NIS,rlogin, etc]).

Some vmware screenshots are available at:
http://lms.ispgaya.pt/goodies/qnx/

I havent got access to other QNX installations so, allthough the person who
gave
me the image said the binary wasnt changed, can anybody else confirm this?

Best regards,
+---------------------------------
| Luís Miguel Ferreira da Silva
| Unidade de Qualidade e Segurança
| Centro de Informática
| Professor Correia Araújo
| Faculdade de Engenharia da
| Universidade do Porto

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

QNX 4.25 suided dhcp.client binary lms (Dec 03)
- RE: QNX 4.25 suided dhcp.client binary Dan Drinnon (Dec 03)