J-Security Center

Title: QNX Multiple Local Privilege Escalation and Denial Of Service Vulnerabilities

Severity: HIGH

Description:

QNX is a real-time operating system available both freely and for commercial use. It is distributed and maintained by QNX Software Systems Limited. The 'phgrafx' utility is a graphical display configuration tool for QNX.

QNX is susceptible to multiple local vulnerabilities.

The specific issues that allow attackers to execute arbitrary machine code or commands with superuser privileges are:

1. An insecure LD_LIBRARY_PATH vulnerability in 'crttrap'. Version 6.2.1 is affected by this issue; other versions may also be affected.

2. A format-string vulnerability in the zeroth argument (argv[0], the program name) of the 'fontsleuth' utility. Version 6.3.0 is affected by this issue; other versions may also be affected.

3. A buffer-overflow vulnerability in the '_ApFindTranslationFile()' function of the 'libAP' library. All applications that are PhAB-generated are affected by this issue. Multiple unspecified setuid-superuser applications are affected. This issue is triggered by an unbounded 'strcat()' function call while copying the contents of the 'ABLPATH' environment variable. Version 6.3.0 is affected by this issue; other versions may also be affected.

4. A buffer-overflow vulnerability in the 'setitem()' function of the 'libph' library. Applications that use the Photon API are affected by this issue. This issue is triggered by an unbounded 'strcpy()' function call while copying the contents of the 'PHOTON_PATH' environment variable. Version 6.3.0 is affected by this issue; other versions may also be affected.

5. A race condition in 'phfont' when it spawns the 'phfontphf' binary. Attackers may manipulate the 'PHFONT' and 'PHOTON2_PATH' environment variables to cause their own executable to be run instead of the intended one. Version 6.2.1 is affected by this issue; other versions may also be affected.

6. A buffer-overflow vulnerability in the command-line argument processing of the 'phgrafx' binary. This issue is triggered if more than approximately 1000 bytes are passed to the utility through its first command-line argument. Version 6.2.1 is affected by this issue; other versions may also be affected.

7. Buffer-overflow vulnerabilities in the command-line argument processing of the 'su' and 'passwd' binaries. These issues are triggered if more than approximately 4000 bytes are passed to the utilities through their first command-line argument. Version 6.2.0 is affected by these issues; other versions may also be affected.

8. An insecure default-permission vulnerability in the '/etc/rc.d/rc.local' directory. This directory is installed with world-writable permissions allowing attackers to place arbitrary executables in the directory. The attacker-supplied code will be executed whenever the computer is started. Version 6.3.0 is affected by this issue; 6.0 is not reportedly affected.

A denial-of-service vulnerability also affects the operating system. By calling 'gdb' in a specific manner, the kernel becomes unresponsive and hangs, denying service to legitimate users. Version 6.3.0 is affected by this issue; 6.0 is not reportedly affected.

These issues allow local attackers to execute arbitrary machine code and commands with superuser privileges, facilitating the complete compromise of affected computers. Attackers may also crash affected computers, denying service to legitimate users.
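The unbounded environment-variable copy described in items 3 and 4, as an added illustration that is not QNX's or this advisory's own code: a constructed fixed-size buffer is filled from a caller-supplied directory value (standing in for 'ABLPATH' or 'PHOTON_PATH'), first with the unchecked strcpy()/strcat() pattern and then with a length-checked form that rejects values which would not fit. The function names, buffer size and default directory are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* constructed buffer size; stands in for the library's own */

/* The pattern the advisory describes for libAP and libph: the value taken from
 * the environment is appended with unbounded strcpy()/strcat(), so a value
 * longer than out[] writes past its end. Kept for contrast only. */
void build_path_unbounded(char *out, const char *dir, const char *file)
{
    strcpy(out, dir);    /* no length check on dir  */
    strcat(out, "/");
    strcat(out, file);   /* no length check on file */
}

/* Hardened form: compute the required length first and refuse anything that
 * does not fit. Returns 0 on success, -1 if out[] is too small. */
int build_path_bounded(char *out, size_t outsz, const char *dir, const char *file)
{
    size_t need = strlen(dir) + 1 + strlen(file) + 1;   /* dir '/' file NUL */
    if (out == NULL || need > outsz)
        return -1;
    snprintf(out, outsz, "%s/%s", dir, file);
    return 0;
}

/* Hypothetical lookup modelled on the described _ApFindTranslationFile()
 * behaviour. The directory is a parameter rather than getenv("ABLPATH") so the
 * example runs without touching the real environment. A setuid program should
 * also ignore the variable when getuid() != geteuid() and use only the default. */
int find_translation_file(char *out, size_t outsz, const char *dir, const char *file)
{
    if (dir == NULL || dir[0] == '\0')
        dir = "/usr/photon/translations";   /* constructed default directory */
    return build_path_bounded(out, outsz, dir, file);
}

int main(void)
{
    char path[PATH_BUF], big[600];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short: %d\n", find_translation_file(path, sizeof path, "/tmp/t", "app.lang"));
    printf("oversized: %d\n", find_translation_file(path, sizeof path, big, "app.lang"));
    return 0;
}
```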

Affected Products:

  • QNX RTOS 6.2.0
  • QNX RTOS 6.2.1
  • QNX RTOS 6.3.0
