Confirmed on an AudioRequest Pro music server running QNX 4.25. A non-privileged user can run dhcp.client and change the IP address to DHCP. A non-privileged user cannot change the IP address to a static one using ifconfig:

While telnetted to the server as a non-privileged user...

[EMAIL PROTECTED] en1 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255
ifconfig: ioctl (SIOCDIFADDR): permission denied
[EMAIL PROTECTED]/dhcp.client -i en1
[EMAIL PROTECTED]

Then I lost my connection (obviously!)

I only have one server running QNX; it would be interesting to see if a non-privileged user could run dhcp.client and configure another QNX node like this:

[EMAIL PROTECTED]/dhcp.client -i //20/en1
(configure the server on node 20)

QNX 4.25 is an old version, but it is still used on a lot of appliance-type systems. As far as the AudioRequest goes, it is a closed system that does not allow remote terminal sessions unless you can hack into it and change things. Request dropped QNX for Linux with the latest software releases.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 03, 2005 12:34 PM
To: [email protected]; [EMAIL PROTECTED]; [email protected]
Subject: QNX 4.25 suided dhcp.client binary

Hello all,

I recently got a QNX 4.25 vmware image and I found that the dhcp.client shipped with it is suided.

This obviously enables a normal user to control the NIC's configuration and produce some other attacks (e.g. if the system has some services which depend on 'host/ip based' authentication [NFS, NIS, rlogin, etc.]).

Some vmware screenshots are available at:
http://lms.ispgaya.pt/goodies/qnx/

I haven't got access to other QNX installations so, although the person who gave me the image said the binary wasn't changed, can anybody else confirm this?

Best regards,
+---------------------------------
| Luís Miguel Ferreira da Silva
| Unidade de Qualidade e Segurança
| Centro de Informática
| Professor Correia Araújo
| Faculdade de Engenharia da
| Universidade do Porto
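
An added example, not part of either message above: a small audit that walks a directory tree and reports setuid executables, marking the ones that change interface configuration, which is the condition both posters describe for dhcp.client. The tool-name set and the constructed demo tree are assumptions for illustration; real install paths on QNX 4.25 are not given in the thread.

```python
import os
import stat
import tempfile

# Assumption: names of tools that change interface configuration. dhcp.client
# and ifconfig come from the thread; extend the set for the system audited.
NETCONF_TOOLS = {"dhcp.client", "ifconfig"}


def find_setuid(root):
    """Return sorted (path, owner_uid, is_netconf_tool) tuples for every regular
    file under root that is setuid and executable by any user."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and st.st_mode & stat.S_IXOTH:
                hits.append((path, st.st_uid, name in NETCONF_TOOLS))
    return sorted(hits)


def demo():
    """Constructed tree: a setuid dhcp.client next to an ordinary ifconfig."""
    root = tempfile.mkdtemp()
    for name, mode in (("dhcp.client", 0o4755), ("ifconfig", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root, find_setuid(root)


if __name__ == "__main__":
    for path, uid, netconf in demo()[1]:
        note = "changes NIC configuration" if netconf else "review"
        print(f"setuid uid={uid} {path} ({note})")
```

A hit owned by uid 0 and marked as a network-configuration tool is a candidate for clearing the setuid bit or restricting execute permission to an administrative group.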
