QNX Stack Overflow in phgrafx Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1020411|
SecurityTracker URL: http://securitytracker.com/id/1020411
(Links to External Site)
Updated: Jul 17 2008|
Original Entry Date: Jul 2 2008
Execution of arbitrary code via local system, User access via local system|
Vendor Confirmed: Yes |
A vulnerability was reported in QNX. A local user can obtain elevated privileges on the target system.|
A local user can trigger a buffer overflow in '/usr/photon/bin/phgrafx' to execute arbitrary code with root privileges on the target system.
A specially crafted '*.pal' filename in the 'palette' directory can trigger the stack overflow.
The vendor was notified on March 24, 2008.
Filipe Balestra and Rodrigo Rubira Branco of Scanit R&D Labs reported this vulnerability.
A local user can obtain root privileges on the target system.|
No solution was available at the time of this entry.|
The vendor indicates that, as a workaround, you can remove the set user id (setuid) bit from the affected binary.
The vendor plans to remove this binary from future versions of the product.
Vendor URL: www.qnx.com/ (Links to External Site)
Source Message Contents
Subject: [Full-disclosure] [SCANIT-2008-001] QNX phgrafx Privilege|
QNX phgrafx Privilege Escalation Vulnerability
Scanit R&D Labs Security Advisory
Jun 30, 2008
SCANIT ID: SCANIT-2008-001
Published: June 30th, 2008
QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time
operating system designed for use in embedded systems. From QNX's
"Companies worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco
the QNX technology for network routers, medical devices, intelligent
transportation systems, safety and security systems, next-generation
robotics, and other mission-critical applications. In addition, QNX
forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an
engineering concept vehicle. The new system supports the development
of next-generation in-car communications, infotainment, and
telematics applications." More information is available at
Local exploration of a buffer overflow vulnerability inside
/usr/photon/bin/phgrafx included by default in QNX RTOS latest
version (6.3.2) could allow an attacker to gain root privileges.
II. Affected Products
Scanit has confirmed the existence of this vulnerability in QNX RTOS
QNX RTOS 6.3.0. Probably previous versions are vulnerable too.
The vulnerability itself exists due to improper handling of the
PHOTON_PATH/palette/*.pal file. When a filename greater than
285 characters is created with the extension .pal in the directory
a stack-based overflow occurs, allowing the attacker to control program
# cd /tmp
# mkdir palette
# cd palette
# touch `perl -e 'print "A" x 290 . ".pal"'`
Memory fault (core dumped)
According to the vendor's response:
"QNX Software Systems confirms this vulnerability in Momentics 6.3.2 and
earlier versions. The phgrafx binary is to be deprecated in future
releases. For the time being, it is recommended that the user clear the
set user ID bit from the file permissions. If this is done, only the
root user may change the graphics configuration."
February 20th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
March 27th, 2008 - Vendor response
June 30th, 2008 - Advisory release
This vulnerability was discovered by Scanit's researchers Filipe
<filipe *noSPAM* scanit . net> and Rodrigo Rubira Branco (BSDaemon)
<rodrigo *noSPAM* scanit . net>.
Scanit's R&D Labs represent Scanit's efforts in security research
By keeping track of the newest deffensive and offensive technologies,
researchers are able to contribute with unpublished works made in-house.
way, by driving the state-of-the-art in computer security, Scanit honors
commitment to stay in the front line of scientific evolution.
Reach us at firstname.lastname@example.org
The information contained in this document may change without notice.
this information constitutes acceptance for use in an "AS IS" condition.
are no warranties regarding the topicality, correctness, completeness or
quality of the information provided by this document. Under no
shall the authors be held liable for any direct, indirect, or
damages, losses, injuries, or unlawful offences allegedly arising from
of this information.
Copyright 2008 Scanit Middle East FZ/LLC
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Go to the Top of This SecurityTracker Archive Page