QNX Neutrino RTOS libAP ABLPATH Environment Variable Local Overflow

2006-02-07T08:02:54
ID OSVDB:22965
Type osvdb
Reporter Filipe Balestra (filipe@balestra.com.br)
Modified 2006-02-07T08:02:54

Description

Vulnerability Description

QNX Neutrino RTOS contains a flaw that may allow a local attacker to elevate their privileges. The issue is due to the improper handling of environment variables in the libAP library (used by any PhAB-generated application). The libph system library (libAP.so.2) does not check the bounds of user-supplied input in the ABLPATH environment variable, allowing a user to overflow a buffer in the _ApFindTranslationFile() function and execute arbitrary code with the privileges of the program calling the library. Since many of the applications linked against libAP.so.2 are SUID, there are many vectors for leveraging this to gain privileged access.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to mitigate the flaw by implementing the following workaround: remove the setuid bit from any program linked against the libAP.so.2 library.
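The workaround above, as an added POSIX shell example that is not part of the OSVDB record or of any QNX-supplied tooling: it walks a directory tree for setuid executables, keeps those that reference libAP.so.2, and clears their setuid bit. Assumptions: the search root is passed as an argument; linkage against libAP.so.2 is detected by grepping the binary for the literal string "libAP.so.2" (a heuristic chosen here because it needs no ldd on the target and works for ELF DT_NEEDED entries, but it will also match a binary that merely contains that string); paths containing newlines are not handled.

```sh
#!/bin/sh
# Added example (not from the OSVDB record or QNX): apply the advisory's
# workaround by locating setuid executables that link against libAP.so.2 and
# clearing their setuid bit.
#
# Usage: . ./strip_libap_setuid.sh; strip_setuid_libap /usr/photon/bin
# (/usr/photon/bin is an assumed search root, not taken from the advisory)

LIBAP_PATTERN='libAP\.so\.2'   # library named in the advisory

# Print, one per line, every setuid regular file under $1 whose contents
# reference libAP.so.2.  grep -a treats the binary as text so the DT_NEEDED
# string is matched; -q keeps the output clean.
find_setuid_libap() {
    root="$1"
    find "$root" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        if grep -aq "$LIBAP_PATTERN" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Clear the setuid bit (chmod u-s) on each file found by find_setuid_libap
# under $1 and print the number of files changed.  The here-document keeps
# the loop in the current shell so the counter survives.
strip_setuid_libap() {
    root="$1"
    count=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue          # empty line when nothing was found
        if chmod u-s "$f"; then
            count=$((count + 1))
        fi
    done <<EOF
$(find_setuid_libap "$root")
EOF
    echo "$count"
}
```

Run it first without the chmod (call find_setuid_libap alone) to review the list; on a real system the same heuristic can be cross-checked against the platform's dynamic-loader listing before privileges are removed, since losing setuid on a program that genuinely needs it breaks that program.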

Short Description

QNX Neutrino RTOS contains a flaw that may allow a local attacker to elevate their privileges. The issue is due to the improper handling of environment variables in the libAP library (used by any PhAB-generated application). The libph system library (libAP.so.2) does not check the bounds of user-supplied input in the ABLPATH environment variable, allowing a user to overflow a buffer in the _ApFindTranslationFile() function and execute arbitrary code with the privileges of the program calling the library. Since many of the applications linked against libAP.so.2 are SUID, there are many vectors for leveraging this to gain privileged access.

References:

Vendor URL: http://www.qnx.com/products/rtos/
Security Tracker: 1015599
Secunia Advisory ID: 18750
Other Advisory URL: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=381
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0135.html
ISS X-Force ID: 24558
FrSIRT Advisory: ADV-2006-0474
CVE: CVE-2006-0619