exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

qnx-photon_multiple_overflows.txt

qnx-photon_multiple_overflows.txt
Posted Sep 13, 2004
Authored by Julio Cesar Fort | Site rfdslabs.com.br

Various buffer overflow conditions exist in four binaries of QNX Photon.

tags | advisory, overflow
SHA-256 | 7d4fd2f4fa6f9fcbf81ffa0c9a0d491f52069de930018beb226dff49f8c43510

qnx-photon_multiple_overflows.txt

Change Mirror Download
    *** rfdslabs security advisory ***

Title: QNX Photon multiple buffer overflows [RLSA_02-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: QNX Software Systems <https://www.qnx.com>
Date: 13 Sep 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>


1. Introduction

QNX Photon microGUI is the windowing system of QNX RTOS. Above are few
words about Photon by qnx.com.

"Unlike the limited graphics libraries offered by other realtime OSs, the
QNX Photon microGUI windowing system provides a full-featured customizable
foundation for creating human machine interfaces for small embedded systems.
It features a rich set of reusable widgets and components, a variety of fonts,
integrated support for multi-headed displays, and comprehensive multi-language
support to adapt products to different geographies."
(from https://www.qnx.com/products/multimedia_gui/gui.html)

2. Details

Buffer overflows condictions occours in four binaries of Photon. The result
of a well-succeeded exploitation is memory corruption - in other words, a high
risk for local security. Once these binaries are suid and owned by root, then
malicious users can obtain unauthorized root priviledges.
All problems lies in '-s' (server) flag, which allows an user to chose the name
of the Photon server. The vulnerable binary tries to open /dev/AAAAA... (around
94 A's are necessary to cause overflow) then it crashes.

=> Config for phrelay (remote connector with phindows and phditto clients)
$ /usr/photon/bin/phrelay-cfg -s AAAAA[...]
Memory fault (core dumped)

=> Localization utility, timezone, language and keyboard configurator
$ /usr/photon/bin/phlocale -s AAAAA[...]
Memory fault (core dumped)

=> QNX Package Installer
$ /usr/photon/bin/pkg-installer -s AAAAA[...]
Memory fault (core dumped)

PS: 'pkg-installer' was replaced by 'qnxinstall' in QNX Momentics 6.2.1.

=> Mouse configurator and stuff
$ /usr/photon/bin/input-cfg -s AAAAA[...]
Memory fault (core dumped)

Core files are generated in /var/dumps.


3. Solution

QNX Software Systems was contacted in september 8th but vendor didn't reply.
It seems they don't care much about security (they don't even have a security
staff e-mail, but SALES e-mail adddress is everywhere at qnx.com!).


4. Timeline

26 Aug 2004: Vulnerabilities detected;
08 Sep 2004: rfdslabs contacts QNX: no success;

Thanks to DataStorm Technologies and some stranger in mobius.qnx.com who was
intersted in rfdslabs.com.br.

www.rfdslabs.com.br - computers, sex, humand mind, music and more
Recife, PE, Brazil
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close