Title: QNX RTP ftpd stat Buffer Overflow Vulnerability
Severity: MODERATE
Description:
RTP is the free version of the Real Time Operating System distributed by QNX Software Systems, Limited. It includes standard UNIX-type services, and is designed as a scalar operating system. There are currently free versions of the RTOS available from QNX for non-commercial use.
A problem has been discovered in the ftp daemon included with RTP. In source file popen.c, the following code may create a problem:
    char **pop, *argv[100], *gargv[1000], *vv[2];

    for (argc = 0, cp = program;; cp = NULL)
        if (!(argv[argc++] = strtok(cp, " \t\n")))
            break;

    /* glob each piece */
    gargv[0] = argv[0];
    for (gargc = argc = 1; argv[argc]; argc++) {
        argv[argc] = strdup(argv[argc]);
When the stat command is called, this code is executed, parsing each supplied argument through the argv[] variable.
The problem is the fixed size of the argv[] array, which receives the arguments supplied to the stat command. If a user supplies more than 100 bytes of argument to the stat command, it may be possible to overflow the buffer, allowing any code appended to it to be executed on the stack.
It is therefore possible for a remote user with malicious motives to log into the server, by means of either an account or anonymous login, and potentially execute arbitrary code with the privileges of the ftpd process, or gain local privileges equal to those of the ftpd process.
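The bound that the excerpt's tokenizing loop lacks, shown as an added example (not code from the QNX ftpd source or from this advisory): argv[100] in the excerpt holds 100 pointers, so a safe splitter has to stop before a slot past the end is written and must leave room for the terminating NULL. The names split_args, make_line, MAX_ARGS and DELIMS are hypothetical, and the input is constructed.

```c
#include <string.h>

#define MAX_ARGS 100            /* same capacity as argv[100] in the excerpt */
#define DELIMS   " \t\n"        /* same delimiters the excerpt passes to strtok */

/* Split `line` in place into argv[], which has room for `cap` pointers.
 * Returns the token count, or -1 when the tokens plus the terminating NULL
 * would not fit, so the caller can reject the command instead of overflowing.
 * strspn/strcspn replace strtok here to avoid its hidden global state. */
int split_args(char *line, char **argv, size_t cap)
{
    size_t argc = 0;
    char *p = line;

    if (line == NULL || argv == NULL || cap == 0)
        return -1;
    for (;;) {
        p += strspn(p, DELIMS);          /* skip leading delimiters */
        if (*p == '\0')
            break;
        if (argc + 1 >= cap) {           /* keep one slot for the NULL */
            argv[0] = NULL;              /* never hand back a partial vector */
            return -1;
        }
        argv[argc++] = p;
        p += strcspn(p, DELIMS);         /* advance to the end of the token */
        if (*p != '\0')
            *p++ = '\0';
    }
    argv[argc] = NULL;
    return (int)argc;
}

/* Constructed sample input: "prog" followed by n one-letter arguments.
 * Returns how many arguments were appended to buf. */
size_t make_line(char *buf, size_t buflen, size_t n)
{
    size_t len = 4, i;

    if (buflen < 5)
        return 0;
    memcpy(buf, "prog", 5);
    for (i = 0; i < n && len + 3 <= buflen; i++) {
        buf[len++] = ' ';
        buf[len++] = 'a';
        buf[len] = '\0';
    }
    return i;
}
```

With a 100-slot array, 99 tokens are accepted and the 100th is refused, because the last slot is reserved for the NULL that the second loop in the excerpt relies on to stop.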
Affected Products:
- QSSL QNX 4.25.0 A
- QSSL QNX RTP