QNX phgrafx Privilege Escalation Vulnerability
Scanit R&D Labs Security Advisory
Jun 30, 2008
SCANIT ID: SCANIT-2008-001
Published: June 30th, 2008
QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time
operating system designed for use in embedded systems. From QNX's
"Companies worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco
the QNX technology for network routers, medical devices, intelligent
transportation systems, safety and security systems, next-generation
robotics, and other mission-critical applications. In addition, QNX
forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an
engineering concept vehicle. The new system supports the development
of next-generation in-car communications, infotainment, and
telematics applications." More information is available at
Local exploration of a buffer overflow vulnerability inside
/usr/photon/bin/phgrafx included by default in QNX RTOS latest
version (6.3.2) could allow an attacker to gain root privileges.
II. Affected Products
Scanit has confirmed the existence of this vulnerability in QNX RTOS
QNX RTOS 6.3.0. Probably previous versions are vulnerable too.
The vulnerability itself exists due to improper handling of the
PHOTON_PATH/palette/*.pal file. When a filename greater than
285 characters is created with the extension .pal in the directory
a stack-based overflow occurs, allowing the attacker to control program
# cd /tmp
# mkdir palette
# cd palette
# touch `perl -e 'print "A" x 290 . ".pal"'`
Memory fault (core dumped)
According to the vendor's response:
"QNX Software Systems confirms this vulnerability in Momentics 6.3.2 and
earlier versions. The phgrafx binary is to be deprecated in future
releases. For the time being, it is recommended that the user clear the
set user ID bit from the file permissions. If this is done, only the
root user may change the graphics configuration."
February 20th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
March 27th, 2008 - Vendor response
June 30th, 2008 - Advisory release
This vulnerability was discovered by Scanit's researchers Filipe
<filipe *noSPAM* scanit . net> and Rodrigo Rubira Branco (BSDaemon)
<rodrigo *noSPAM* scanit . net>.
Scanit's R&D Labs represent Scanit's efforts in security research
By keeping track of the newest deffensive and offensive technologies,
researchers are able to contribute with unpublished works made in-house.
way, by driving the state-of-the-art in computer security, Scanit honors
commitment to stay in the front line of scientific evolution.
Reach us at research (at) scanit (dot) net [email concealed]
The information contained in this document may change without notice.
this information constitutes acceptance for use in an "AS IS" condition.
are no warranties regarding the topicality, correctness, completeness or
quality of the information provided by this document. Under no
shall the authors be held liable for any direct, indirect, or
damages, losses, injuries, or unlawful offences allegedly arising from
of this information.
Copyright 2008 Scanit Middle East FZ/LLC