[RLSA_02-2004] QNX Photon multiple buffer overflows
*** rfdslabs security advisory ***
Title: QNX Photon multiple buffer overflows [RLSA_02-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: QNX Software Systems <http://www.qnx.com>
Date: 13 Sep 2004
Author: Julio Cesar Fort <julio at rfdslabs com br>
1. Introduction
QNX Photon microGUI is the windowing system of QNX RTOS. Above are few
words about Photon by qnx.com.
"Unlike the limited graphics libraries offered by other realtime OSs, the
QNX Photon microGUI windowing system provides a full-featured customizable
foundation for creating human machine interfaces for small embedded systems.
It features a rich set of reusable widgets and components, a variety of fonts,
integrated support for multi-headed displays, and comprehensive multi-language
support to adapt products to different geographies."
(from http://www.qnx.com/products/multimedia_gui/gui.html)
2. Details
Buffer overflows condictions occours in four binaries of Photon. The result
of a well-succeeded exploitation is memory corruption - in other words, a high
risk for local security. Once these binaries are suid and owned by root, then
malicious users can obtain unauthorized root priviledges.
All problems lies in '-s' (server) flag, which allows an user to chose the name
of the Photon server. The vulnerable binary tries to open /dev/AAAAA... (around
94 A's are necessary to cause overflow) then it crashes.
=> Config for phrelay (remote connector with phindows and phditto clients)
$ /usr/photon/bin/phrelay-cfg -s AAAAA[...]
Memory fault (core dumped)
=> Localization utility, timezone, language and keyboard configurator
$ /usr/photon/bin/phlocale -s AAAAA[...]
Memory fault (core dumped)
=> QNX Package Installer
$ /usr/photon/bin/pkg-installer -s AAAAA[...]
Memory fault (core dumped)
PS: 'pkg-installer' was replaced by 'qnxinstall' in QNX Momentics 6.2.1.
=> Mouse configurator and stuff
$ /usr/photon/bin/input-cfg -s AAAAA[...]
Memory fault (core dumped)
Core files are generated in /var/dumps.
3. Solution
QNX Software Systems was contacted in september 8th but vendor didn't reply.
It seems they don't care much about security (they don't even have a security
staff e-mail, but SALES e-mail adddress is everywhere at qnx.com!).
4. Timeline
26 Aug 2004: Vulnerabilities detected;
08 Sep 2004: rfdslabs contacts QNX: no success;
Thanks to DataStorm Technologies and some stranger in mobius.qnx.com who was
intersted in rfdslabs.com.br.
www.rfdslabs.com.br - computers, sex, humand mind, music and more
Recife, PE, Brazil