|
|
>> QNX Neutrino RTOS Multiple Local Privilege Escalation Vulnerabilities
|
Multiple vulnerabilities were identified in QNX Neutrino RTOS, which could be exploited by malicious users to obtain elevated privileges or cause a denial of service.
The first issue is due to an error in the "crttrap" command that fails to properly validate the "LD_LIBRARY_PATH" environment variable, which could be exploited by local attackers to load malicious libraries and execute arbitrary commands with "root" privileges.
The second flaw is due to a format string error in the "fontsleuth" command when processing a malformed "zeroth" argument, which could be exploited by malicious users to execute arbitrary commands with "root" privileges.
The third vulnerability is due to a stack overflow error in the libAP system library that does not properly handle an overly long "ABLPATH" or "ABLANG" environment variable, which could be exploited by local attackers to execute arbitrary commands with "root" privileges.
The fourth issue is due to a stack overflow error in the libph system library that does not properly handle an overly long "PHOTON_PATH" environment variable, which could be exploited by local attackers to execute arbitrary commands with "root" privileges.
The fifth flaw is due to a race condition where "phfont" spawns the "phfontphf" command insecurely, which could be exploited by malicious users to execute arbitrary commands with "root" privileges by manipulating the "PHFONT" and "PHOTON2_PATH" environment variables.
The sixth vulnerability is due to a stack overflow error in the "phgrafx" command that does not properly handle an overly long argument, which could be exploited by local attackers to execute arbitrary commands with "root" privileges.
The seventh issue is due to a stack overflow error in the "su" command that does not properly handle an overly long argument, which could be exploited by malicious users to execute arbitrary commands with "root" privileges.
The eighth flaw is due to an error when processing a specially crafted "echo" command, which could be exploited by local attackers to cause a denial of service.
The ninth vulnerability is due to insecure default permissions being set on the file "/etc/rc.d/rc.local", which could be exploited by local attackers to execute arbitrary commands with "root" privileges.
The tenth issue is due to a buffer overflow error in the "passwd" command that does not properly handle an overly long argument, which could be exploited by malicious users to execute arbitrary commands with "root" privileges.
Affected Products
QNX Neutrino RTOS version 6.3.0 and prior
Solution
VUPEN Security is not aware of any vendor-supplied patch.
References
http://www.vupen.com/english/advisories/2006/0474
http://www.frsirt.com/english/reference/5576
http://www.frsirt.com/english/reference/5577
http://www.frsirt.com/english/reference/5578
http://www.frsirt.com/english/reference/5580
http://www.frsirt.com/english/reference/5581
http://www.frsirt.com/english/reference/5582
http://www.frsirt.com/english/reference/5583
http://www.frsirt.com/english/reference/5593
http://www.frsirt.com/english/reference/5594
http://www.frsirt.com/english/reference/5595
Credits
Vulnerabilities reported by Filipe Balestra, Knud Højgaard, Texonet and iDEFENSE.
ChangeLog
2006-02-08 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
