QNX demo disks vulnerable
2nd September 2000
Tested Versions: QNX Voyager 2.01B
QNX Demo Disk (Modem v405)
QNX Demo Disk (Network v405)
Distributor: QNX Software Systems Limited (http://www.qnx.com)
Distributor Status: No response after 3 weeks
QNX is a complete operating system aimed at the embedded computing market. QNX
Software Systems currently has two demo disks on release (one for network
access, one for modem access), which boast an integrated web server and web
browser.
The main problem stems from the ability to navigate the whole file system by
using the age-old ".." paths. From the web server root, /../../ will take you
to the file system root, where there are a number of interesting files which
can be viewed...
/etc/passwd will not store any useful information (on the demo disk versions,
anyhow), as the demo disks come with null passwords and no log-on screen.
However, /etc/ppp/chap-secrets and /etc/ppp/pap-secrets on the modem build
will reveal the recent connection password.
Requesting /dev/dns causes the web server to serve one more legitimate page
request and then hang.
Due to the integration of the web server and web client any visitor to the
web server's site can view error messages produced by the web browser. For
example, the attacker could request http://target/dns_error.html and be
presented with the last DNS lookup failure the target received.
Other revealing URLs include...
The web client's settings file
Recently visited sites
The list of book-marked sites
The Photon Window Manager menu listing (Equivalent to MS Windows' 'start
http://target/.photon/phdial/connection [Modem build only]
Modem set-up information.
Available screen settings
Current screen setting
There is also a small privacy issue thanks to the 'QNX Embedded Resource
Manager', which dynamically produces real-time system statistics. Anyone
requesting http://target/embedded.html will be presented with the computer's
specifications, internet statistics and a process list.
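As an added example (not part of the original advisory), a small log check a site operator could run to spot the requests described above: it walks each request path segment by segment, flags any ".." that climbs above the web root, and matches the result against the files and pages this advisory names. The watch lists and log lines are constructed for the example, and the common log format is an assumption about how the server records requests.

```python
import re
from urllib.parse import unquote

# Watch lists constructed for this example from the advisory text: files the
# page says are reachable through ".." and pages it says leak information.
SENSITIVE_FILES = {"/etc/passwd", "/etc/ppp/chap-secrets", "/etc/ppp/pap-secrets", "/dev/dns"}
LEAKY_PAGES = {"/dns_error.html", "/embedded.html", "/.photon/phdial/connection"}
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')  # CLF request line

def resolve_request_path(raw):
    """Walk a request target like a filesystem would. Returns (escaped, canonical):
    escaped is True once a '..' climbs above the web root, and canonical is the
    path actually reached ('/../../etc/passwd' -> '/etc/passwd')."""
    target = unquote(raw.split("?", 1)[0])  # drop query string, decode %2e etc.
    segments, escaped = [], False
    for seg in target.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()  # '/images/../style.css' stays inside the root
            else:
                escaped = True  # nothing left to pop: above the web root
        else:
            segments.append(seg)
    return escaped, "/" + "/".join(segments)

def classify_request(raw):
    escaped, canonical = resolve_request_path(raw)
    findings = ["traversal"] if escaped else []
    if escaped and canonical in SENSITIVE_FILES:
        findings.append("sensitive-file:" + canonical)
    elif not escaped and canonical in LEAKY_PAGES:
        findings.append("info-leak:" + canonical)
    return findings

def scan_log(lines):
    """Return (raw_path, findings) for every log line that trips a rule."""
    paths = [m.group("path") for m in map(REQUEST_RE.search, lines) if m]
    return [(p, f) for p in paths if (f := classify_request(p))]

# Constructed sample log in common log format; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Sep/2000:10:01:05 +0000] "GET /../../etc/ppp/chap-secrets HTTP/1.0" 200 88',
    '192.0.2.10 - - [02/Sep/2000:10:01:09 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 40',
    '192.0.2.10 - - [02/Sep/2000:10:01:12 +0000] "GET /embedded.html HTTP/1.0" 200 2048',
    '192.0.2.10 - - [02/Sep/2000:10:01:15 +0000] "GET /images/../style.css HTTP/1.0" 200 300',
]
```

Because the check resolves segments rather than grepping for "..", a legitimate in-root path such as /images/../style.css is not reported, while a percent-encoded climb is.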
While these holes don't lend themselves to exploits in the traditional
sense, it may be worth updating your CGI scanners with the previously
Web: http://bunnybox.jml.net PGP: http://bunnybox.jml.net/neonbunny.asc