Title: QNX demo disks vulnerable
Released by:
Date: 2nd September 2000
Tested Versions: QNX Voyager 2.01B

Tested Distributions:
 QNX Demo Disk (Modem v405)
 QNX Demo Disk (Network v405)

Distributor: QNX Software Systems Limited (http://www.qnx.com)

Distributor Status: No response after 3 weeks


QNX is a complete operating system aimed at the embedded computing market.
The vendor currently has two demo disks on release (one for network access,
one for modem access), which boast an integrated web server and web browser.



The main problem stems from the ability to navigate the whole file system by
using the age-old ".." paths. From the web server root, /../../ will take you
to the file system root, where there are a number of interesting files which
can be viewed...

/etc/passwd will not store any useful information (on the demo disk versions
anyhow), as the demo disks come with null passwords and no log-on screen.
However, /etc/ppp/chap-secrets and /etc/ppp/pap-secrets on the modem build
will reveal the recent connection password.

After an attacker accesses /dev/dns, the web server will serve one more
legitimate page request and then hang.
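
The traversal described above comes down to the server never checking that a requested path stays under its root. As an added example (not part of the original advisory and not QNX code), here is one way a server could normalise a request path and refuse any that climb above the root; the function name `resolve_under_root` and the `/docs/../index.html` request are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not QNX code. Lexically resolves an already
 * percent-decoded request path against the web root. Writes the
 * normalised path to out and returns 0, or returns -1 if the request
 * climbs above the root or does not fit. Symlinks are not considered. */
int resolve_under_root(const char *req, char *out, size_t outsz)
{
    size_t len = 0;                       /* bytes used in out */
    const char *p = req;
    if (outsz < 2 || req[0] != '/')
        return -1;
    out[0] = '\0';
    while (*p) {
        while (*p == '/') p++;            /* skip separators */
        size_t n = strcspn(p, "/");       /* length of this segment */
        if (n == 0) break;
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 0)
                return -1;                /* ".." at the root: refuse */
            while (len > 0 && out[--len] != '/')
                ;                         /* drop the last segment */
            out[len] = '\0';
        } else if (!(n == 1 && p[0] == '.')) {
            if (len + n + 2 > outsz)      /* '/' + segment + NUL must fit */
                return -1;
            out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n;
    }
    if (len == 0)
        strcpy(out, "/");
    return 0;
}

int main(void)
{
    /* Constructed requests built from paths the advisory names. */
    const char *reqs[] = { "/../../etc/ppp/chap-secrets", "/../../dev/dns",
                           "/docs/../index.html", "/embedded.html" };
    char buf[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        puts(resolve_under_root(reqs[i], buf, sizeof buf) ? "REJECT" : buf);
    return 0;
}
```

This check only stops requests that leave the web root; pages the advisory requests directly under the root, such as dns_error.html and embedded.html, pass it unchanged and need their own access control.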

Due to the integration of the web server and web client, any visitor to the
web server's site can view error messages produced by the web browser. For
example, the attacker could request http://target/dns_error.html and be
presented with the last DNS lookup failure the target received.

Other revealing URLs include...

 The web client's settings file

 Recently visited sites

 The list of book-marked sites

 The Photon Window Manager menu listing (Equivalent to MS Windows' 'start

http://target/.photon/phdial/connection [Modem build only]
 Modem set-up information.

 Available screen settings

 Current screen setting

There is also a small privacy issue thanks to the 'QNX Embedded Resource
Manager', which dynamically produces real-time system statistics. Anyone
requesting http://target/embedded.html will be presented with the computer
spec, internet stats and a process list.


While these holes don't lend themselves to exploits in the traditional
sense, it may be worth updating your CGI scanners with the previously
mentioned URLs.



Web: http://bunnybox.jml.net      PGP: http://bunnybox.jml.net/neonbunny.asc
