SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Other)  >   QNX Vendors:   QNX Software Systems Ltd.
QNX Binaries Have Buffer Overflows in '-s' Switch That May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1011241
SecurityTracker URL:  http://securitytracker.com/id/1011241
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 14 2004
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system

Version(s): QNX RTP 6.1
Description:   Several buffer overflow vulnerabilities were reported in QNX Photon. A local user may be able to obtain elevated privileges.

Julio Cesar Fort from rfdslabs reported that a local user can supply a specially crafted '-s' flag value to the the following applications to trigger a buffer overflow:

/usr/photon/bin/phrelay-cfg
/usr/photon/bin/phlocale
/usr/photon/bin/pkg-installer
/usr/photon/bin/input-cfg

If the files are configured with set user id (suid) privileges, the local user may be able to gain elevated privileges.

The vendor was notified on September 8, 2004, without response.

Impact:   A local user may be able to gain elevated privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.qnx.com/ (Links to External Site)
Cause:   Boundary error

Message History:   None.


 Source Message Contents

Subject:  [RLSA_02-2004] QNX Photon multiple buffer overflows




	*** rfdslabs security advisory ***

Title: QNX Photon multiple buffer overflows [RLSA_02-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: QNX Software Systems <http://www.qnx.com>
Date: 13 Sep 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>


1. Introduction

    QNX Photon microGUI is the windowing system of QNX RTOS. Above are few
words about Photon by qnx.com.

    "Unlike the limited graphics libraries offered by other realtime OSs, the
QNX Photon microGUI windowing system provides a full-featured customizable
foundation for creating human machine interfaces for small embedded systems.
It features a rich set of reusable widgets and components, a variety of fonts,
integrated support for multi-headed displays, and comprehensive multi-language
support to adapt products to different geographies."
                      (from http://www.qnx.com/products/multimedia_gui/gui.html)

2. Details

   Buffer overflows condictions occours in four binaries of Photon. The result
of a well-succeeded exploitation is memory corruption - in other words, a high
risk for local security. Once these binaries are suid and owned by root, then
malicious users can obtain unauthorized root priviledges.
All problems lies in '-s' (server) flag, which allows an user to chose the name
of the Photon server. The vulnerable binary tries to open /dev/AAAAA... (around
94 A's are necessary to cause overflow) then it crashes.

=> Config for phrelay (remote connector with phindows and phditto clients)
$ /usr/photon/bin/phrelay-cfg -s AAAAA[...]
Memory fault (core dumped)

=> Localization utility, timezone, language and keyboard configurator
$ /usr/photon/bin/phlocale -s AAAAA[...]
Memory fault (core dumped)

=> QNX Package Installer 
$ /usr/photon/bin/pkg-installer -s AAAAA[...]
Memory fault (core dumped)

PS: 'pkg-installer' was replaced by 'qnxinstall' in QNX Momentics 6.2.1.

=> Mouse configurator and stuff
$ /usr/photon/bin/input-cfg -s AAAAA[...]
Memory fault (core dumped)

Core files are generated in /var/dumps.


3. Solution

   QNX Software Systems was contacted in september 8th but vendor didn't reply.
It seems they don't care much about security (they don't even have a security
staff e-mail, but SALES e-mail adddress is everywhere at qnx.com!).


4. Timeline

26 Aug 2004: Vulnerabilities detected;
08 Sep 2004: rfdslabs contacts QNX: no success;

Thanks to DataStorm Technologies and some stranger in mobius.qnx.com who was
intersted in rfdslabs.com.br.

www.rfdslabs.com.br - computers, sex, humand mind, music and more
Recife, PE, Brazil

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC