[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] RE: QNX 4.25 suided dhcp.client binary

To: <lms@xxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <Vuln@xxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] RE: QNX 4.25 suided dhcp.client binary
From: "Dan Drinnon" <ddrinnon@xxxxxxxx>
Date: Sat, 3 Dec 2005 16:23:00 -0500

Confirmed on an AudioRequest Pro music server running QNX 4.25.  A
non-privileged user can run dhcp.client and change the IP address to DHCP.
A non-privileged user cannot change the IP address to a static using
ifconfig:

While telneted to the server as a non-privileged user...
[mp3@arq]$ifconfig en1 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255
ifconfig: ioctl (SIOCDIFADDR): permission denied
[mp3@arq]$./dhcp.client -i en1
[mp3@arq]$
Then I lost my connection (obviously!)

I only have one server running QNX, it would be interesting to see if a
non-privileged user could run dhcp.client and configure another QNX node
like this:
[mp3@arq]$./dhcp.client -i //20/en1   (configure the server on node 20)

QNX 4.25 is an old version, but it is still used on a lot of appliance-type
systems.

As far as the AudioRequest goes, it is a closed system that does not allow
remote terminal sessions unless you can hack into it and change things.
Request dropped QNX for Linux with the latest software releases.

-----Original Message-----
From: lms@xxxxxxxx [mailto:lms@xxxxxxxx]
Sent: Saturday, December 03, 2005 12:34 PM
To: bugtraq@xxxxxxxxxxxxxxxxx; Vuln@xxxxxxxxxx;
full-disclosure@xxxxxxxxxxxxxxxxx
Subject: QNX 4.25 suided dhcp.client binary


Hello all,

I recently got a QNX 4.25 vmware image and i found that the dhcp.client
shipped
with it is suided.

This obviously enables a normal user to control the NIC's configuration and
produce some other attacks (eg: if the system has some services which depend
on
'host/ip based' authentication [NFS,NIS,rlogin, etc]).

Some vmware screenshots are available at:
http://lms.ispgaya.pt/goodies/qnx/

I havent got access to other QNX installations so, allthough the person who
gave
me the image said the binary wasnt changed, can anybody else confirm this?

Best regards,
+---------------------------------
| Luís Miguel Ferreira da Silva
| Unidade de Qualidade e Segurança
| Centro de Informática
| Professor Correia Araújo
| Faculdade de Engenharia da
| Universidade do Porto

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] QNX 4.25 suided dhcp.client binary
  - From: lms

Prev by Date: Re: [Full-disclosure] Google is vulnerable from XSS attack
Next by Date: Re: [Full-disclosure] Google is vulnerable from XSS attack
Previous by thread: [Full-disclosure] QNX 4.25 suided dhcp.client binary
Next by thread: [Full-disclosure] Re: List of security incidents
Index(es):
- Date
- Thread