Dmitry Alexeyev (a.k.a dmi) recently disclosed two new security bugs in QNX 6.2 (latest public QNX release). dmi is the admin of the Russian QNX Portal and QNXClub forums. He has made great contributions to the QNX community.
dmi has found and reported several QNX security bugs in the past. The latest two he reported are:
- phshutdown. It writes default shutdown type to $HOME/.ph/phshutdown.cfg, but doesn't check it's permissions (phshutdown is setuid root). If phshutdown.cfg is a symbolic link to any file on system, this file will be overwritten. If it doesn't exist, it will be created (with write access to user).
- packager. Using this (setuid root too) utility, any user could read protected files (like /etc/shadow). Try to create a qpr from /etc directory and you will get package with all _protected_ configuration files.