Category:   OS (Other)  >   QNX
Vendors:   QNX Software Systems Ltd.
QNX Neutrino RTOS Multiple Bugs Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1015599
SecurityTracker URL:  http://securitytracker.com/id/1015599
CVE Reference:   CVE-2005-1528
Date:  Feb 8 2006
Impact:   Execution of arbitrary code via local system, Root access via local system

Version(s): 6.2.1, 6.3.0
Description:   iDEFENSE reported multiple vulnerabilities in QNX Neutrino RTOS. A local user can gain root privileges.

The crttrap application does not properly validate the user-supplied LD_LIBRARY_PATH value [CVE-2005-1528]. A local user can supply an alternate path so that crttrap loads libraries from that path instead of the intended ones and executes arbitrary code with root privileges. The vendor was notified on May 12, 2005, without response.

The fontsleuth command contains a format string vulnerability. A local user can provide a specially crafted argument containing format string specifiers to execute arbitrary code on the target system with root privileges. The vendor was notified on December 23, 2004, without response. iDefense Labs discovered this vulnerability.

The libAP system library does not properly validate user-supplied input in the ABLPATH environment variable. A local user can exploit various applications that use this library. Arbitrary code can be executed, potentially with root-level privileges. The ABLANG environment variable is also affected.

The libph system library contains a stack overflow in the processing of user-supplied data in the PHOTON_PATH environment variable.

The vendor was notified on December 15, 2005, without response. Filipe Balestra discovered these library vulnerabilities.

A local user can exploit a race condition in the phfont command to gain root privileges. The command executes the 'phfontphf' command. A local user can specify an alternate location for this command via the PHFONT and PHOTON2_PATH environment variables. Then, when phfont is executed, the 'phfontphf' file in the alternate location will be executed with root privileges. The vendor was notified on September 9, 2004, without response.

The 'phgrafx' command contains a buffer overflow. A local user can supply a specially crafted argument value to execute arbitrary code with root privileges. The vendor was notified on August 8, 2004, without response.

Knud Hojgaard discovered these phfontphf and phgrafx vulnerabilities.

The 'su' command contains a buffer overflow. A local user can supply a specially crafted argument value to execute arbitrary code with root privileges.

The 'passwd' command contains a buffer overflow. A local user can supply a specially crafted argument value to execute arbitrary code with root privileges.

The vendor was notified on June 4, 2004, without response. Texonet discovered these su and passwd vulnerabilities.
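
The LD_LIBRARY_PATH, ABLPATH/ABLANG, PHOTON_PATH and PHFONT/PHOTON2_PATH issues above all involve root-privileged code trusting the caller's environment. As an added example (not code from QNX, iDefense or this advisory, and not a vendor fix), the following shows how a privileged launcher can drop those variables before calling execve(); the 256-byte cap, the function names and the sample entries are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Environment variables this advisory names as attacker-controlled inputs
   to root-privileged QNX programs and libraries. */
static const char *const DENY[] = {
    "LD_LIBRARY_PATH", "ABLPATH", "ABLANG",
    "PHOTON_PATH", "PHFONT", "PHOTON2_PATH",
};
#define MAX_ENTRY 256  /* assumed cap on any "NAME=value" entry that is kept */

/* Return 1 if entry ("NAME=value") carries exactly one of the denied names. */
static int is_denied(const char *entry) {
    const char *eq = strchr(entry, '=');
    size_t name_len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (size_t i = 0; i < sizeof DENY / sizeof DENY[0]; i++)
        if (strlen(DENY[i]) == name_len && strncmp(entry, DENY[i], name_len) == 0)
            return 1;
    return 0;
}

/* Compact a NULL-terminated envp in place, dropping denied names, entries
   without '=', and over-long entries. Returns the number of entries kept.
   The result is meant to be passed as the third argument of execve(). */
size_t scrub_env(char **envp) {
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *e = envp[i];
        if (strchr(e, '=') == NULL || strlen(e) > MAX_ENTRY || is_denied(e))
            continue;
        envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return kept;
}

/* Constructed sample environment; two of the four entries survive. */
size_t demo(void) {
    static char a[] = "PATH=/bin:/usr/bin";
    static char b[] = "LD_LIBRARY_PATH=/tmp/x";
    static char c[] = "PHOTON_PATH=/tmp/y";
    static char d[] = "ABLANGUAGE=en";  /* constructed name: only exact matches are dropped */
    char *env[] = { a, b, c, d, NULL };
    return scrub_env(env);
}

int main(void) { return demo() == 2 ? 0 : 1; }
```

A deny list only covers the variables named here; a launcher that builds a fresh environment from a short allow list is the stricter design.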

The original advisories are available at:

http://www.idefense.com/intelligence/vulnerabilities/display.php?id=379
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=380
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=381
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=382
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=383
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=384
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=385
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=388

Impact:   A local user can execute arbitrary code with root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.qnx.com/
Cause:   Access control error, Boundary error, Input validation error, State error

Message History:   None.

