Info

Disclosure

Feb 07, 2006

Discovery

Dec 15, 2005

Dates

Exploit

Unknown

Solution

Unknown

Description

QNX Neutrino RTOS contains a flaw that may allow a local attacker to elevate their privileges. The issue is due to the improper handling of environment variables in the libAP library (used by any PhAB-generated application). The libph system library (libAP.so.2) does not check the bounds on user-supplied input to the ABLPATH environment variable allowing a user to overflow the _ApFindTranslationFile() function, which will execute arbitrary code under the privilege of the utility calling the library. Since many of the applications linked against libAP.so.2 are SUID, there are many vectors for using this to leverage privileged access.

Classification

Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: remove the setuid bit from any programs linked to the libAP.so.2 library

Products

QNX Software Systems

QNX Neutrino RTOS

6.3.0

References

Security Tracker: 1015599
Secunia Advisory ID: 18750
CVE ID: 2006-0619 (see also: NVD)
ISS X-Force ID: 24558
VUPEN Advisory: ADV-2006-0474
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0135.html
Other Advisory URL: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=381
Vendor URL: http://www.qnx.com/products/rtos/

Credit

Filipe Balestra - filipebalestra.com.br -

Direct URL: http://osvdb.org/36218