QNX phgrafx Privilege Escalation Vulnerability
Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/ 
Jun 30, 2008

Filename:  SCANIT-2008-001.txt
SCANIT ID: SCANIT-2008-001
Published: June 30th, 2008


I. Summary

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time
operating system designed for use in embedded systems. From QNX's
website:
"Companies worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco
depend on
the QNX technology for network routers, medical devices, intelligent
transportation systems, safety and security systems, next-generation
robotics, and other mission-critical applications. In addition, QNX
forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an
engineering concept vehicle. The new system supports the development
of next-generation in-car communications, infotainment, and
telematics applications." More information is available at
http://www.qnx.com/products/rtos/. 

Local exploration of a buffer overflow vulnerability inside
/usr/photon/bin/phgrafx included by default in QNX RTOS latest
version (6.3.2) could allow an attacker to gain root privileges.

II. Affected Products

Scanit has confirmed the existence of this vulnerability in QNX RTOS
6.3.2 and
QNX RTOS 6.3.0. Probably previous versions are vulnerable too.

III. Details

The vulnerability itself exists due to improper handling of the
PHOTON_PATH/palette/*.pal file. When a filename greater than
285 characters is created with the extension .pal in the directory
"palette",
a stack-based overflow occurs, allowing the attacker to control program
flow.

# PHOTON_PATH=/tmp
# cd /tmp
# mkdir palette
# cd palette
# touch `perl -e 'print "A" x 290 . ".pal"'`
# /usr/photon/bin/phgrafx
Memory fault (core dumped)
#

IV. Solution

According to the vendor's response:

"QNX Software Systems confirms this vulnerability in Momentics 6.3.2 and
earlier versions. The phgrafx binary is to be deprecated in future
releases. For the time being, it is recommended that the user clear the
set user ID bit from the file permissions. If this is done, only the
root user may change the graphics configuration."

V. Timeline

February 20th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
March 27th, 2008 - Vendor response
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe
Balestra
 and Rodrigo Rubira Branco (BSDaemon)
.

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research
activities.
By keeping track of the newest deffensive and offensive technologies,
Scanit's
researchers are able to contribute with unpublished works made in-house.
This
way, by driving the state-of-the-art in computer security, Scanit honors
its
commitment to stay in the front line of scientific evolution.

Reach us at research@scanit.net 
Visit http://www.scanit.net 

VIII. Disclaimer

The information contained in this document may change without notice.
Use of
this information constitutes acceptance for use in an "AS IS" condition.
There
are no warranties regarding the topicality, correctness, completeness or
quality of the information provided by this document. Under no
circumstances
shall the authors be held liable for any direct, indirect, or
consequential
damages, losses, injuries, or unlawful offences allegedly arising from
the use
of this information.


Copyright 2008 Scanit Middle East FZ/LLC