QNX Neutrino RTOS Multiple Bugs Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1015599
SecurityTracker URL: http://securitytracker.com/id?1015599
CVE Reference: CVE-2005-1528
Date: Feb 8 2006
Impact: Execution of arbitrary code via local system, Root access via local system
Advisory: iDEFENSE
Version(s): 6.2.1, 6.3.0

Description: iDEFENSE reported multiple vulnerabilities in QNX Neutrino RTOS. A local user can gain root privileges.

The crttrap application does not properly validate the user-supplied LD_LIBRARY_PATH value [CAN-2005-1528]. A local user can supply an alternate path to cause crttrap to load and execute arbitrary code with root privileges instead of the intended libraries. The vendor was notified on May 12, 2005, without response.

The fontsleuth command contains a format string vulnerability. A local user can provide a specially crafted argument containing format string specifiers to execute arbitrary code on the target system with root privileges. The vendor was notified on December 23, 2004, without response. iDefense Labs discovered this vulnerability.

The libAP system library does not properly validate user-supplied input in the ABLPATH environment variable. A local user can exploit various applications that use this library. Arbitrary code can be executed, potentially with root level privileges. The ABLANG environment variable is also affected.

The libph system library contains a stack overflow in the processing of user-supplied data in the PHOTON_PATH environment variable.

The vendor was notified on December 15, 2005, without response. Filipe Balestra discovered these library vulnerabilities.

A local user can exploit a race condition in the phfont command to gain root privileges. The phfont command executes the 'phfontphf' command. A local user can specify an alternate location for this command via the PHFONT and PHOTON2_PATH environment variables. Then, when phfont is executed, the 'phfontphf' file in the alternate location will be executed with root privileges. The vendor was notified on September 9, 2004, without response.

The 'phgrafx' command contains a buffer overflow. A local user can supply a specially crafted argument value to execute arbitrary code with root privileges. The vendor was notified on August 8, 2004, without response.

Knud Hojgaard discovered these phfontphf and phgrafx vulnerabilities.

The 'su' command contains a buffer overflow. A local user can supply a specially crafted argument value to execute arbitrary code with root privileges.

The 'passwd' command contains a buffer overflow. A local user can supply a specially crafted argument value to execute arbitrary code with root privileges.

The vendor was notified on June 4, 2004, without response. Texonet discovered these su and passwd vulnerabilities.

The original advisories are available at:
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=379
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=380
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=381
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=382
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=383
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=384
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=385
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=388

Impact: A local user can execute arbitrary code with root privileges.
Solution: No solution was available at the time of this entry.
Vendor URL: www.qnx.com/
Cause: Access control error, Boundary error, Input validation error, State error
Underlying OS: QNX
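
Several of the flaws described above share one pattern: privileged code trusts environment variables set by the invoking user (LD_LIBRARY_PATH, ABLPATH, ABLANG, PHOTON_PATH, PHFONT, PHOTON2_PATH). The C example below is added here for illustration and is not code from QNX or iDEFENSE, nor a vendor fix; the function names scrub_envp and copy_dir_checked and the sample environment are hypothetical. It shows the general hardening a privileged program can apply: drop those variables before starting a helper, and reject a path value that is relative or too long for its fixed buffer.

```c
#include <stdio.h>
#include <string.h>

/* Environment variables the advisory names as user-controlled inputs. */
static const char *const RISKY[] = { "LD_LIBRARY_PATH", "ABLPATH", "ABLANG",
                                     "PHOTON_PATH", "PHFONT", "PHOTON2_PATH" };

/* Return 1 if entry ("NAME=value") sets one of the variables above. */
static int is_risky(const char *entry) {
    for (size_t i = 0; i < sizeof RISKY / sizeof RISKY[0]; i++) {
        size_t n = strlen(RISKY[i]);
        if (strncmp(entry, RISKY[i], n) == 0 && entry[n] == '=') return 1;
    }
    return 0;
}

/* Compact a NULL-terminated envp in place, dropping risky entries, so the
 * result can be handed to a helper process. Returns the number removed. */
int scrub_envp(char **envp) {
    char **dst = envp;
    int removed = 0;
    for (char **src = envp; *src != NULL; src++) {
        if (is_risky(*src)) removed++;
        else *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Copy a directory value into a fixed buffer only if it is an absolute path
 * and fits with its terminator. Returns 0, or -1 (out left empty) if rejected. */
int copy_dir_checked(const char *value, char *out, size_t outsz) {
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (value == NULL || value[0] != '/') return -1;
    size_t len = strlen(value);
    if (len >= outsz) return -1;
    memcpy(out, value, len + 1);
    return 0;
}

int main(void) {
    /* Constructed sample environment, not taken from the advisory. */
    char *env[] = { "PATH=/bin", "PHFONT=/tmp/x", "LD_LIBRARY_PATH=/tmp/lib", NULL };
    char dir[16];
    printf("removed=%d\n", scrub_envp(env));
    printf("oversized rejected=%d\n", copy_dir_checked("/aaaaaaaaaaaaaaaaaaaa", dir, sizeof dir));
    return 0;
}
```

The name match requires the '=' directly after the variable name, so an unrelated variable that merely starts with the same letters is kept.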
Message History:
None.
Source Message Contents
Date: Wed, 8 Feb 2006 01:04:31 -0500
Subject: QNX Neutrino RTOS vulnerabilities
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=379
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=380
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=381
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=382
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=383
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=384
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=385
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=388
CVE-2005-1528