what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

QNX Neutrino RTOS 6.5.0 Privilege Escalation

QNX Neutrino RTOS 6.5.0 Privilege Escalation
Posted Mar 13, 2014
Authored by Tim Brown | Site nth-dimension.org.uk

QNX Neutrino RTOS version 6.5.0 suffers from multiple privilege escalation vulnerabilities.

tags | exploit, vulnerability
SHA-256 | e5e6ce35d1fa0f2a45836c06a404535d1ffccdb3b08407a60b96bf363dc0bd0a

QNX Neutrino RTOS 6.5.0 Privilege Escalation

Change Mirror Download
Hash: SHA256

Nth Dimension Security Advisory (NDSA20140311)
Date: 11th March 2014
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: QNX Neutrino RTOS 6.5.0
Vendor: BlackBerry <http://www.blackberry.com/>
Risk: Medium


This advisory concerns the forced disclosure of 2 vulnerabilities that were
previously disclosed to BlackBerry. Disclosure has been forced since these
vulnerabilities have been publicly disclosed (with PoC) on the exploit-db
web site.

Two local privilege escalation vulnerabilities have been identified that would
ultimately result in malicious code being executed in a trusted context. The
first allows direct code execution (http://www.exploit-db.com/exploits/32153/)
whilst the second allows for the root password to be disclosed

It should be noted that Nth Dimension do not believe that the bug collision
are due to a leak within BlackBerry but rather that these are the simply
instances of multiple researchers identifying the same vulnerable code paths.


Nth Dimension are not aware of vendor supplied patches at this moment in

Technical Details

1) The following PoC command causes id to be executed with euid 0:

$ /sbin/ifwatchd -v -u id en0

2) The following PoC command causes the first line of /etc/shadow (including the
root user's password hash to be displayed:

$ /sbin/ppoectl -f /etc/shadow


On 22th November 2012, Nth Dimension supplied a PoC exploits for each of the
vulnerabilities outlined above. BlackBerry responded to confirm that they had
received the report and were investigating.

On the 17th June 2013, Nth Dimension chased BlackBerry for an update and were
notified that BIRT2013-00001 had been assigned to to the privilege escalation

No further contact was received from BlackBerry after the 26th Julu 2013.


As of the 11th March 2014, both the privilege escalation attacks have been
disclosed by a 3rd party. In light of this and in the absence of any timely
response from BlackBerry, Nth Dimension have opted to make full details public.
Version: GnuPG v1

Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By