Vigil@nce - Qt: memory read and write via Shared Memory
February 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can access the shared memory pages, which are
created by Qt applications, in order to read or alter their
contents.
Impacted products: Fedora, Unix (platform)
Severity: 2/4
Creation date: 06/02/2013
DESCRIPTION OF THE VULNERABILITY
The shmget() system call is used to obtain a shared memory area.
Access privileges are for example 0400 or 0600 (Unix mode).
The Qt library uses shmget() twice:
– in the QSharedMemory class
– in the X11 protocol, to share data between the X server and its
clients
However, Qt defines the mode 0444 or 0666, so all local users can
read or write in these memory areas.
A local attacker can therefore access the shared memory pages,
which are created by Qt applications, in order to read or alter
their contents. He can thus obtain sensitive information, or
trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Qt-memory-read-and-write-via-Shared-Memory-12384