[NEWS] Multiple Vulnerabilities in the QNX Platform

From: SecuriTeam (support_at_securiteam.com)
Date: 09/15/04

  • Next message: SecuriTeam: "[NEWS] Lexar JumpDrive Secure Password Extraction" 
    To: list@securiteam.com
Date: 15 Sep 2004 10:58:24 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Multiple Vulnerabilities in the QNX Platform
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.qnx.com/products/rtos> QNX Software Systems has provided OS
    technology, development tools, and professional services to companies
    building mission-critical embedded systems. Since 1980 manufacturers have
    relied on QNX OS technology to power their missioncritical applications -
    everything from medical instruments and Internet routers to telematics
    devices, 9-1-1 call centers, process control applications and air traffic
    control systems. Small or large, simple or distributed, these systems
    share an unmatched reputation for operating 24 hours a day, 365 days a
    year, nonstop .

    Multiple vulnerabilities in several components in the QNX system allows a
    local or remote user to escalate privileges and run malicious machine code
    on the target machine.

    DETAILS

     * Format String Vulnerability in QNX FTP Client:
    QNX 6.1 FTP client is vulnerable to a format string in 'quote' command. If
    successfully exploited, memory corruption occurs and attackers can obtain
    'bin' group privileges. This kind of privilege can be useful for back
    dooring purposes, for example.

    Example:
    # ftp 127.0.0.1
    Connected to 127.0.0.1.
    220 sandimas FTP server (Version 5.60) ready.
    Name (127.0.0.1:root): sandimas
    331 Password required for sandimas.
    Password:
    230 User sandimas logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> quote site exec "%p.%p.%p.%p"
    500 'SITE EXEC 805b730.0.0.805b180': command not understood.
    ftp> quote "%s.%s.%s.%s"
    Memory fault (core dumped)
    #

     * Multiple Buffer Overflows in Photon Graphics Library:
    Buffer overflows conditions occurs in four binaries of Photon. The result
    of a well-succeeded exploitation is memory corruption - in other words, a
    high risk for local security. Once these binaries are suid and owned by
    root, then malicious users can obtain unauthorized root privileges. All
    problems lies in '-s' (server) flag, which allows an user to chose the
    name of the Photon server. The vulnerable binary tries to open
    /dev/AAAAA... (around 94 A's are necessary to cause overflow) then it
    crashes.

    Example:
    => Config for phrelay (remote connector with phindows and phditto clients)
    $ /usr/photon/bin/phrelay-cfg -s AAAAA[...]
    Memory fault (core dumped)

    -> Localization utility, timezone, language and keyboard configurator
    $ /usr/photon/bin/phlocale -s AAAAA[...]
    Memory fault (core dumped)

    -> QNX Package Installer
    $ /usr/photon/bin/pkg-installer -s AAAAA[...]
    Memory fault (core dumped)

    PS: 'pkg-installer' was replaced by 'qnxinstall' in QNX Momentics 6.2.1.

    -> Mouse configurator and stuff
    $ /usr/photon/bin/input-cfg -s AAAAA[...]
    Memory fault (core dumped)

    Core files are generated in /var/dumps.

     * Possible Race Condition in crrtrap Video Hardware Detection Tool:
    Crttrap runs a sequence of commands before the call to 'io-graphics', an
    external program part of the Photon graphics library. Because of this,
    there is a theoretical race condition vulnerability.

    (1) /bin/cd /usr/photon/bin
    (*)
    (2) io-graphics [arguments]

    This spot (*) is where the race condition lies. If we are able to modify
    $PATH in the exact moment before crrtrap calls step 2, we could obtain
    local root privileges because it will execute 'io-graphics' (our code)
    looking for it in /tmp directory. If an attacker writes a code for a never
    ending loop changing every time $PATH and runs it into background, there
    is a theoretical possibility to modify environment and trick crttrap.

    Disclosure Timeline:
    15 Aug 2004: FTP Client vulnerability detected;
    26 Aug 2004: Photon and crrtrap vulnerabilities detected;
    08 Sep 2004: rfdslabs contacts QNX: no success

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:julio@rfdslabs.com.br> Julio
    Cesar Fort.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Lexar JumpDrive Secure Password Extraction"

    Relevant Pages