Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (Other)  >   QNX Vendors:   QNX Software Systems Ltd.
QNX crttrap Race Condition May Let Local Users Grab Root Privileges
SecurityTracker Alert ID:  1011242
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Dec 29 2004
Original Entry Date:  Sep 14 2004
Impact:   Execution of arbitrary code via local system, Root access via local system

Version(s): QNX RTP 6.1
Description:   A vulnerability was reported in QNX in the crttrap application. A local user may be able to obtain root privileges.

Julio Cesar Fort from rfdslabs reported that a local user may be able to modify the $PATH environment variable to cause crttrap to execute an alternate version of 'io-graphics' with root privileges. The report indicates that this is a theorical possiblility but was not confirmed.

The vendor was notified on September 8, 2004, without response.

Impact:   A local user may be able to execute arbitrary code with root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error, State error

Message History:   None.

 Source Message Contents

Subject:  [RLSA_04-2004] QNX crrtrap possible race condition vulnerability

               *** rfdslabs security advisory ***

Title: QNX crrtrap possible race condition vulnerability [RLSA_04-2004]
Versions: QNX RTP 6.1 (possibly others)
Date: Sep 13 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>

1. Introduction

  crrtrap is a tool to detect video hardware and starts the correct driver for

2. Details

crttrap does a sequence of commands before calls 'io-graphics', an external
program part of Photon. Because of this, there is a theorical race condition

(1) /bin/cd /usr/photon/bin
(2) io-graphics [arguments]

This spot (*) is where the race condition lies. If we are able to modify $PATH
in the exact moment before crrtrap calls step 2, we could obtain local root
priviledges because it will execute 'io-graphics' (our code) looking for it in
/tmp directory.
If an attacker writes a code to neverend loop changing everytime $PATH and runs
it into background, there is a theorical possiblility to modify environment and
trick crttrap.

3. Solution

   QNX Software Systems was contacted in september 8th but vendor didn't reply.
It seems they don't care much about security (they don't even have a security
staff e-mail, but SALES e-mail adddress is everywhere at!).

4. Timeline

26 Aug 2004: Vulnerability detected;
08 Sep 2004: rfdslabs contacts QNX: no success;

Thanks to DataStorm Technologies and some stranger in who was
intersted in - computers, sex, humand mind, music and more
Recife, PE, Brazil


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC