OSVDB ID: 22964

Title: QNX Neutrino RTOS libph Library PHOTON_PATH Environment Variable Local Overflow

Info

Disclosure

Feb 07, 2006

Discovery

Dec 15, 2005

Dates

Exploit

Unknown

Solution

Unknown

Description

QNX Neutrino RTOS contains a flaw that may allow a local attacker to elevate their privileges. The issue is due to the improper handling of environment variables in the libph library (used by many applications in the Photon API package). The libph system library (libph.so.3) does not check the bounds on user-supplied input to the PHOTON_PATH variable allowing a user to overflow the setitem() function, which will execute arbitrary code under the privilege of the utility calling the library. Since many of the applications linked against libph.so.3 are SUID, there are many vectors for using this to leverage privileged access.

Classification

Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: remove the setuid bit from any programs linked to libph.so.3

Products

QNX Software Systems

QNX Neutrino RTOS

6.3.0

References

Security Tracker: 1015599
Secunia Advisory ID: 18750
CVE ID: 2006-0619 (see also: NVD)
ISS X-Force ID: 24557
VUPEN Advisory: ADV-2006-0474
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0117.html
Other Advisory URL: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=382
Vendor URL: http://www.qnx.com/products/rtos/

Credit

Filipe Balestra - filipebalestra.com.br -

Direct URL: http://osvdb.org/22964