COMMAND

    kernel

SYSTEMS AFFECTED

    QNX 2.4

PROBLEM

    'teknophreak' found following.   QNX 2.4 is  a micro-kernel  based
    Operating System which can be downloaded for free at  www.qnx.com.
    Qnx  is  posix  compliant  distributed  architecture with neutrino
    microkernel at its RTOS core, not linux.  Although cross  platform
    development from windows  or linux is  possible since it  is POSIX
    1003.1.   Its security  efforts are  rather minimal.   Its primary
    focus  is  unprecedented  scalability  over  beowulf type parallel
    clusters or  smp boards  and fully  transparent networking  system
    (Qnet).   There  is  significant  amount  of other security issues
    associated with this platform.

    QNX 2.4 is  made to install  on a FAT  partition.  A  vulnerabilty
    exist which allows you to read any file on the system.

    Example:

        $ more /etc/shadow
        Permission Denied

    If you try  to view a  file which you  don't have read  access to,
    DUH!  you wont be  able to read it.   Well, If you find out  where
    the FAT  filesystem is  mounted usually  /fs-dos then  you can  do
    this.

        $ more /fs-dos/linux/etc/shadow

    then.... booyah!  You  can read a file  you won't be able  to read
    under normal circumstances.

SOLUTION

    Nothing yet.