COMMAND

    Voyager

SYSTEMS AFFECTED

    QNX Voyager 2.01B

PROBLEM

    NeonBunny found the following.  This was tested on QNX Voyager
    2.01B.  The distributions tested are QNX Demo Disk (Modem v405)
    and QNX Demo Disk (Network v405).

    QNX is a whole operating system aimed at the embedded computing
    market.  They currently have two demo disks on release (one for
    network access, one for modem access), which boast an integrated
    web server and web browser (Voyager).

    The main problem stems from the ability to navigate the whole file
    system by using the age-old ".." paths.  From the web server root,
    /../../ will take you to the file system root, where there are a
    number of interesting files which can be viewed...

    /etc/passwd will not store any useful information (on the demo
    disk versions, anyhow), as the demo disks come with null passwords
    and no logon screen.  However, /etc/ppp/chap-secrets and
    /etc/ppp/pap-secrets on the modem build will reveal the recent
    connection password.

    If an attacker requests /dev/dns, the web server will serve one
    more legitimate page request and then hang.

    Due  to  the  integration  of  the  web  server and web client any
    visitor to the web server's site can view error messages  produced
    by  the  web  browser.   For  example,  the attacker could request
    http://target/dns_error.html and  be presented  with the  last DNS
    lookup failure the target received.

    The web client's settings file

        http://target/.photon/voyager/config.full

    Recently visited sites

        http://target/.photon/voyager/history.html

    The list of book-marked sites

        http://target/.photon/voyager/hotlist

    The Photon Window Manager menu listing (Equivalent to MS  Windows'
    'start menu')

        http://target/.photon/pwm/pwm.menu

    Modem set-up information.

        http://target/.photon/phdial/connection [Modem build only]

    Available screen settings

        http://target/crt.html

    Current screen setting

        http://target/../../etc/config/trap/crt.cur.1

    There is also a small privacy issue thanks to the 'QNX Embedded
    Resource Manager', which dynamically produces real-time system
    statistics.  Anyone requesting http://target/embedded.html will
    be presented with the computer's spec, internet stats and a
    process list.

    While  these  holes  don't  lend  themselves  to  exploits  in the
    traditional  sense,  it  may  be  worth updating your CGI scanners
    with the previously mentioned URLs.

SOLUTION

    Nothing yet.
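
    The ".." traversal described under PROBLEM is the kind of request a
    web server rejects by normalising the path before mapping it onto
    the document root.  The following is an added illustration, not
    code from QNX or from the original advisory; the function name is
    hypothetical and the path is assumed to be percent-decoded already.

```c
#include <stdio.h>
#include <string.h>

/* Lexically normalise an already percent-decoded request path; reject any
 * path whose ".." segments climb above the document root.
 * Returns 0 with the normalised path in out, or -1 on rejection. */
int normalize_request_path(const char *req, char *out, size_t outlen)
{
    size_t len = 0;                        /* bytes written to out */
    const char *p = req;
    if (!req || !out || outlen < 2 || req[0] != '/')
        return -1;
    while (*p) {
        const char *seg;
        size_t n;
        while (*p == '/') p++;             /* collapse repeated slashes */
        seg = p;
        while (*p && *p != '/') p++;
        n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.'))
            continue;                      /* empty or "." segment */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0)
                return -1;                 /* ".." at the root: escape */
            while (out[--len] != '/')
                ;                          /* drop the last kept segment */
            continue;
        }
        if (len + n + 2 > outlen)
            return -1;                     /* result would not fit */
        out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
    }
    if (len == 0)
        out[len++] = '/';
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample requests; the first two paths are from the advisory. */
    const char *reqs[] = { "/../../etc/passwd",
                           "/../../etc/config/trap/crt.cur.1", "/docs/../index.html" };
    char buf[128];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%s -> %s\n", reqs[i], normalize_request_path(reqs[i], buf, sizeof buf) ? "REJECT" : buf);
    return 0;
}
```

    This check only addresses the ".." traversal; files that already
    sit under the served root, such as the .photon URLs listed above,
    need to be excluded separately.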