QNX phgrafx Privilege Escalation Vulnerability Scanit R&D Labs Security Advisory http://www.scanit.net/rd/advisories/ Jun 30, 2008 Filename: SCANIT-2008-001.txt SCANIT ID: SCANIT-2008-001 Published: June 30th, 2008 I. Summary QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating system designed for use in embedded systems. From QNX's website: "Companies worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco depend on the QNX technology for network routers, medical devices, intelligent transportation systems, safety and security systems, next-generation robotics, and other mission-critical applications. In addition, QNX forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an engineering concept vehicle. The new system supports the development of next-generation in-car communications, infotainment, and telematics applications." More information is available at http://www.qnx.com/products/rtos/. Local exploration of a buffer overflow vulnerability inside /usr/photon/bin/phgrafx included by default in QNX RTOS latest version (6.3.2) could allow an attacker to gain root privileges. II. Affected Products Scanit has confirmed the existence of this vulnerability in QNX RTOS 6.3.2 and QNX RTOS 6.3.0. Probably previous versions are vulnerable too. III. Details The vulnerability itself exists due to improper handling of the PHOTON_PATH/palette/*.pal file. When a filename greater than 285 characters is created with the extension .pal in the directory "palette", a stack-based overflow occurs, allowing the attacker to control program flow. # PHOTON_PATH=/tmp # cd /tmp # mkdir palette # cd palette # touch `perl -e 'print "A" x 290 . ".pal"'` # /usr/photon/bin/phgrafx Memory fault (core dumped) # IV. Solution According to the vendor's response: "QNX Software Systems confirms this vulnerability in Momentics 6.3.2 and earlier versions. The phgrafx binary is to be deprecated in future releases. For the time being, it is recommended that the user clear the set user ID bit from the file permissions. If this is done, only the root user may change the graphics configuration." V. Timeline February 20th, 2008 - Vulnerability discovery March 24th, 2008 - First contact attempt March 27th, 2008 - Vendor response June 30th, 2008 - Advisory release VI. Credits This vulnerability was discovered by Scanit's researchers Filipe Balestra <filipe *noSPAM* scanit . net> and Rodrigo Rubira Branco (BSDaemon) <rodrigo *noSPAM* scanit . net>. VII. Contact Scanit's R&D Labs represent Scanit's efforts in security research activities. By keeping track of the newest deffensive and offensive technologies, Scanit's researchers are able to contribute with unpublished works made in-house. This way, by driving the state-of-the-art in computer security, Scanit honors its commitment to stay in the front line of scientific evolution. Reach us at research (at) scanit (dot) net [email concealed] Visit http://www.scanit.net VIII. Disclaimer The information contained in this document may change without notice. Use of this information constitutes acceptance for use in an "AS IS" condition. There are no warranties regarding the topicality, correctness, completeness or quality of the information provided by this document. Under no circumstances shall the authors be held liable for any direct, indirect, or consequential damages, losses, injuries, or unlawful offences allegedly arising from the use of this information. Copyright 2008 Scanit Middle East FZ/LLC