*** rfdslabs security advisory *** Title: QNX Photon multiple buffer overflows [RLSA_02-2004] Versions: QNX RTP 6.1 (possibly others) Vendor: QNX Software Systems <http://www.qnx.com> Date: 13 Sep 2004
Author: Julio Cesar Fort <julio at rfdslabs com br> 1. Introduction QNX Photon microGUI is the windowing system of QNX RTOS. Above are few words about Photon by qnx.com. "Unlike the limited graphics libraries offered by other realtime OSs, the QNX Photon microGUI windowing system provides a full-featured customizable foundation for creating human machine interfaces for small embedded systems. It features a rich set of reusable widgets and components, a variety of fonts, integrated support for multi-headed displays, and comprehensive multi-language support to adapt products to different geographies." (from http://www.qnx.com/products/multimedia_gui/gui.html) 2. Details Buffer overflows condictions occours in four binaries of Photon. The result of a well-succeeded exploitation is memory corruption - in other words, a high risk for local security. Once these binaries are suid and owned by root, then malicious users can obtain unauthorized root priviledges. All problems lies in '-s' (server) flag, which allows an user to chose the name of the Photon server. The vulnerable binary tries to open /dev/AAAAA... (around 94 A's are necessary to cause overflow) then it crashes. => Config for phrelay (remote connector with phindows and phditto clients) $ /usr/photon/bin/phrelay-cfg -s AAAAA[...] Memory fault (core dumped) => Localization utility, timezone, language and keyboard configurator $ /usr/photon/bin/phlocale -s AAAAA[...] Memory fault (core dumped) => QNX Package Installer $ /usr/photon/bin/pkg-installer -s AAAAA[...] Memory fault (core dumped) PS: 'pkg-installer' was replaced by 'qnxinstall' in QNX Momentics 6.2.1. => Mouse configurator and stuff $ /usr/photon/bin/input-cfg -s AAAAA[...] Memory fault (core dumped) Core files are generated in /var/dumps. 3. Solution QNX Software Systems was contacted in september 8th but vendor didn't reply. It seems they don't care much about security (they don't even have a security staff e-mail, but SALES e-mail adddress is everywhere at qnx.com!). 4. Timeline 26 Aug 2004: Vulnerabilities detected; 08 Sep 2004: rfdslabs contacts QNX: no success; Thanks to DataStorm Technologies and some stranger in mobius.qnx.com who was intersted in rfdslabs.com.br. www.rfdslabs.com.br - computers, sex, humand mind, music and more Recife, PE, Brazil ________________________________________________ Message sent using UebiMiau 2.7.2 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html