QNX Neutrino RTOS fontsleuth Local Format String

2006-02-07T08:02:54
ID OSVDB:22966
Type osvdb
Reporter iDEFENSE(idlabs-advisories@idefense.com)
Modified 2006-02-07T08:02:54

Description

Vulnerability Description

QNX Neutrino RTOS contains a flaw that may allow a local user to gain privileges. The issue is due to the fontsleuth program using its zeroth argument (argv[0], the program name, which the caller controls) as a format string without sanitizing it. By passing format specifiers such as %n and %hn, it is possible to overwrite portions of memory and run code with the binary's elevated privileges.
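
The bug class the description names, shown as an added C illustration that is not the OSVDB record's or QNX's fontsleuth code: a usage routine that prints argv[0] through a printf-family function beside its hardened form, plus a check for conversion directives in an untrusted string. The names usage_vulnerable, usage_hardened and count_directives are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (added illustration, not fontsleuth's source): the
 * untrusted string IS the format string, so printf interprets any '%'
 * conversion in argv[0]. Called here only with a harmless "%%" input; a
 * real %n/%hn directive would write to memory. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int usage_vulnerable(const char *argv0, char *out, size_t out_len)
{
    return snprintf(out, out_len, argv0);   /* compilers warn here */
}
#pragma GCC diagnostic pop

/* Hardened pattern: constant format, argv[0] passed as a %s argument, so
 * its bytes are copied and never interpreted. */
int usage_hardened(const char *argv0, char *out, size_t out_len)
{
    return snprintf(out, out_len, "%s", argv0);
}

/* Count conversion directives in an untrusted string ("%%" is a literal
 * percent, not a directive). Non-zero on a value about to be used as a
 * format string is exactly the condition the advisory describes. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* escaped percent: skip pair */
        n++;
    }
    return n;
}

int main(void)
{
    char out[64];
    const char *name = "%%fontsleuth";          /* constructed argv[0] */
    usage_vulnerable(name, out, sizeof out);
    printf("vulnerable: %s\n", out);            /* "%%" collapsed to "%" */
    usage_hardened(name, out, sizeof out);
    printf("hardened:   %s\n", out);            /* copied verbatim */
    printf("directives in \"%%n%%hn\": %d\n", count_directives("%n%hn"));
    return 0;
}
```

The difference on the "%%" input is the observable symptom of the bug: the vulnerable routine interprets the string, the hardened one copies it.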

Solution Description

Currently, there are no known upgrades or patches to correct this issue. The flaw can be worked around by removing the SUID bit from the binary or by restricting access to it via group/permission control.

References:

Vendor URL: http://www.qnx.com/products/rtos/
Security Tracker: 1015599
Secunia Advisory ID: 18750
Other Advisory URL: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=380
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0134.html
ISS X-Force ID: 24559
FrSIRT Advisory: ADV-2006-0474
CVE: CVE-2006-0618