A security vulnerability in QNX allows a local attacker to replace files provided with the OS. This would allow them to install Trojans into the OS.
Credit:
The information has been provided by One Semicolon.
Installing the OS Update for 6.2.0 (Patch A) will affect the permissions of io-audio.
QNX also released two experimental patches to resolve rather big issues. They, however, set incorrect permissions. These two patches are:
- PhShutdown security patch
- Package file system patch
cpim (Chinese Method Input) and vpim (Japanese Method Input) version 2.0.3, and most likely earlier editions as well, set incorrect permissions.
phrelaycfg, new since QNX 6.1.0, also has incorrect permissions.
As part of the games pack, version 2.0.3 in this case, the following games are installed with improper permissions:
- Columns
- Othello
- Peg
- Solitaire
- Vpoker
Issue:
All aforementioned programs have permissions of rwxrwxrwx. This means that any user can read or write to the binaries, allowing anyone to replace them.
The following files are affected:
OS Update Patch A:
- /sbin/io-audio
Vendor status:
QNX Software Systems Ltd was contacted on November 11, 2002. One Semicolon received prompt replies and was assured that this was being sent through the proper channels to have this resolved. One Semicolon was unable to receive a preliminary patch or an estimate as to how long this process would take.
Fix:
Adjust the permissions of these particular binaries. Then proceed to search the complete file system for any other files that may not have proper permissions.
Contact QNX to find out what appropriate actions to take to prevent this in the future.
Final notes:
Some systems have been found that have different permissions for different files.
Before letting anyone access a QNX system, it is always a good idea to execute "find / -perm -2 ! -type l -ls >> result.txt". Besides the programs mentioned today, several other programs may or may not have proper permissions set, depending on the number of packages you installed.
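As an added example (not part of the One Semicolon advisory), the following POSIX shell script turns the audit command above and the fix described earlier into two reusable functions: one lists world-writable regular files under a directory tree (symlinks excluded, as in the advisory's "! -type l"), the other strips the world-write bit from them and reports how many files it changed. The sample tree it builds is constructed for demonstration; the file names and the mktemp(1) temporary directory are assumptions, not paths from the advisory.

```shell
#!/bin/sh
# Added example: audit a tree for world-writable binaries and remove the
# world-write bit. Uses only find(1), chmod(1), wc(1) and tr(1).

# Print every world-writable regular file under $1, one path per line.
# "-type f" skips symlinks and directories; "-perm -0002" matches any
# mode that includes the world-write bit (e.g. rwxrwxrwx).
audit_world_writable() {
    find "$1" -type f -perm -0002 -print 2>/dev/null
}

# Strip the world-write bit (o-w) from every world-writable regular file
# under $1 and print the number of files that were changed.
fix_world_writable() {
    before=$(audit_world_writable "$1" | wc -l | tr -d ' ')
    find "$1" -type f -perm -0002 -exec chmod o-w {} + 2>/dev/null
    after=$(audit_world_writable "$1" | wc -l | tr -d ' ')
    echo $((before - after))
}

# Build a constructed sample tree mirroring the advisory's situation:
# one binary installed as rwxrwxrwx, one as rwxr-xr-x, and a symlink to
# the bad one (which the audit must ignore). Prints the tree's root.
make_sample_tree() {
    dir=$(mktemp -d)                       # assumed: mktemp -d available
    mkdir -p "$dir/sbin" "$dir/bin"
    printf '#!/bin/sh\necho audio\n' > "$dir/sbin/io-audio"   # constructed stand-in
    printf '#!/bin/sh\necho ok\n'    > "$dir/bin/good"        # constructed stand-in
    chmod 0777 "$dir/sbin/io-audio"        # the advisory's broken mode
    chmod 0755 "$dir/bin/good"             # a sane mode
    ln -s "$dir/sbin/io-audio" "$dir/bin/io-audio-link"
    echo "$dir"
}

# Stand-alone run: audit, fix, audit again, clean up.
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    echo "world-writable before fix:"; audit_world_writable "$root"
    echo "files changed: $(fix_world_writable "$root")"
    echo "world-writable after fix:";  audit_world_writable "$root"
    rm -rf "$root"
fi
```

Run with `sh script.sh demo` to see the sample tree audited and repaired; point `audit_world_writable` at `/` for the same check the advisory recommends.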