[ SOURCE: http://www.secureroot.com/security/advisories/9684941464.html ]

Tested Versions: QNX Voyager 2.01B

Tested Distributions:
  QNX Demo Disk (Modem v405)
  QNX Demo Disk (Network v405)

Distributor: QNX Software Systems Limited (http://www.qnx.com)
Distributor Status: No response after 3 weeks

Intro:

QNX is a complete operating system aimed at the embedded computing market. QNX currently has two demo disks on release (one for network access, one for modem access), which boast an integrated web server and web browser (Voyager).

Issues:

The main problem stems from the ability to navigate the whole file system by using age-old ".." paths. From the web server root, /../../ will take you to the file system root, where there are a number of interesting files which can be viewed...

/etc/passwd will not hold any useful information (on the demo disk versions, anyhow), as the demo disks come with null passwords and no logon screen. However, /etc/ppp/chap-secrets and /etc/ppp/pap-secrets on the modem build will reveal the most recent connection password.

Requesting /dev/dns causes the web server to hang after it has served one more legitimate page request.

Because the web server and web client are integrated, any visitor to the web server's site can view error messages produced by the web browser. For example, a visitor could request http://target/dns_error.html and be presented with the last DNS lookup failure the target received.

Other revealing URLs include...

http://target/.photon/voyager/config.full
  The web client's settings file
http://target/.photon/voyager/history.html
  Recently visited sites
http://target/.photon/voyager/hotlist
  The list of bookmarked sites
http://target/.photon/pwm/pwm.menu
  The Photon Window Manager menu listing (equivalent to MS Windows' 'Start menu')
http://target/.photon/phdial/connection
  [Modem build only] Modem set-up information
http://target/crt.html
  Available screen settings
http://target/../../etc/config/trap/crt.cur.1
  Current screen setting

There is also a small privacy issue thanks to the 'QNX Embedded Resource Manager', which dynamically produces real-time system statistics. Anyone requesting http://target/embedded.html will be presented with the computer's specification, internet statistics and a process list.

Exploits:

While these holes don't lend themselves to exploits in the traditional sense, it may be worth updating your CGI scanners with the previously mentioned URLs.

-- NeonBunny
Web: http://bunnybox.jml.net
PGP: http://bunnybox.jml.net/neonbunny.asc