Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (Other)  >   QNX Vendors:   QNX Software Systems Ltd.
QNX Stack Overflow in phgrafx Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1020411
SecurityTracker URL:
CVE Reference:   CVE-2008-3024   (Links to External Site)
Updated:  Jul 17 2008
Original Entry Date:  Jul 2 2008
Impact:   Execution of arbitrary code via local system, User access via local system
Vendor Confirmed:  Yes  
Version(s): 6.3.2
Description:   A vulnerability was reported in QNX. A local user can obtain elevated privileges on the target system.

A local user can trigger a buffer overflow in '/usr/photon/bin/phgrafx' to execute arbitrary code with root privileges on the target system.

A specially crafted '*.pal' filename in the 'palette' directory can trigger the stack overflow.

The vendor was notified on March 24, 2008.

Filipe Balestra and Rodrigo Rubira Branco of Scanit R&D Labs reported this vulnerability.

Impact:   A local user can obtain root privileges on the target system.
Solution:   No solution was available at the time of this entry.

The vendor indicates that, as a workaround, you can remove the set user id (setuid) bit from the affected binary.

The vendor plans to remove this binary from future versions of the product.

Vendor URL: (Links to External Site)
Cause:   Boundary error

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] [SCANIT-2008-001] QNX phgrafx Privilege

QNX phgrafx Privilege Escalation Vulnerability
Scanit R&D Labs Security Advisory
Jun 30, 2008

Filename:  SCANIT-2008-001.txt
Published: June 30th, 2008

I. Summary

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time
operating system designed for use in embedded systems. From QNX's
"Companies worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco
depend on
the QNX technology for network routers, medical devices, intelligent
transportation systems, safety and security systems, next-generation
robotics, and other mission-critical applications. In addition, QNX
forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an
engineering concept vehicle. The new system supports the development
of next-generation in-car communications, infotainment, and
telematics applications." More information is available at

Local exploration of a buffer overflow vulnerability inside
/usr/photon/bin/phgrafx included by default in QNX RTOS latest
version (6.3.2) could allow an attacker to gain root privileges.

II. Affected Products

Scanit has confirmed the existence of this vulnerability in QNX RTOS
6.3.2 and
QNX RTOS 6.3.0. Probably previous versions are vulnerable too.

III. Details

The vulnerability itself exists due to improper handling of the
PHOTON_PATH/palette/*.pal file. When a filename greater than
285 characters is created with the extension .pal in the directory
a stack-based overflow occurs, allowing the attacker to control program

# cd /tmp
# mkdir palette
# cd palette
# touch `perl -e 'print "A" x 290 . ".pal"'`
# /usr/photon/bin/phgrafx
Memory fault (core dumped)

IV. Solution

According to the vendor's response:

"QNX Software Systems confirms this vulnerability in Momentics 6.3.2 and
earlier versions. The phgrafx binary is to be deprecated in future
releases. For the time being, it is recommended that the user clear the
set user ID bit from the file permissions. If this is done, only the
root user may change the graphics configuration."

V. Timeline

February 20th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
March 27th, 2008 - Vendor response
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe
<filipe *noSPAM* scanit . net> and Rodrigo Rubira Branco (BSDaemon)
<rodrigo *noSPAM* scanit . net>.

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research
By keeping track of the newest deffensive and offensive technologies,
researchers are able to contribute with unpublished works made in-house.
way, by driving the state-of-the-art in computer security, Scanit honors
commitment to stay in the front line of scientific evolution.

Reach us at

VIII. Disclaimer

The information contained in this document may change without notice.
Use of
this information constitutes acceptance for use in an "AS IS" condition.
are no warranties regarding the topicality, correctness, completeness or
quality of the information provided by this document. Under no
shall the authors be held liable for any direct, indirect, or
damages, losses, injuries, or unlawful offences allegedly arising from
the use
of this information.

Copyright 2008 Scanit Middle East FZ/LLC

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC