Hacking
Confraria de Segurança da Informação
27 Nov 2013
root@localhost:~# whoami
• Ricardo Mourato
• Pentester @ SysValue
• Former SW engineer
• Like to:
• Hack Stuff
• Code C, Python, Ruby, Java, C#
• Slackware!
• Drink:
• Stout
• Staropramen
• Stella Artois
• Hate:
• Printers, unless networked
• Perl
root@localhost:~#
Disclaimer:
You know, I’m not responsible for your:
What this talk is about:
• An introduction to QNX RTOS
• Where Would You Expect To Find QNX
• QNX in Numbers
• More About QNX
• How it Looks
• QNX Network Services
• QNX Qnet protocol
• Exploiting QNX Weaknesses Remotely & Locally (<- demo )
What is QNX (Neutrino):
• Multiuser & Multitask Mission Critical RTOS;
• Developed by QNX Software, later acquired by
Research in Motion, now BlackBerry;
• Targets are mostly embedded systems;
• Microkernel driven;
• This means:
• Every failure-prone component lives outside
of kernel space
• Components, such as Drivers, Protocol
Stacks, Filesystems, Applications;
What is QNX Neutrino (cont):
• Runs on multiple architectures: ARM, MIPS, PowerPC, x86,
etc;
• Not Linux nor Unix;
• POSIX standard (1003.1-2001 POSIX.1) 
What is QNX Neutrino (cont):
Source: http://www.qnx.com/
Where Would You Expect To Find QNX:
“QNX is used in systems where the cost of failure
is very high”
Dan Dodge (QNX CEO)
Where Would You Expect To Find QNX (cont):
• Medical Equipment;
• Industrial Robots;
• Professional DVR’s;
• Storage Appliances;
• Network Equipment; <- Cisco CRS-1 
• RAID Controllers;
• Spacecraft & Aircraft;
• Nuclear Power Plants;
Where Would You Expect To Find QNX (cont):
• Blackberry PlayBook, Z10, Z30, Q5, Q10, etc;
• Luxury & High-end Cars (Porsche, Bentley, Lexus,
Mercedes, etc);
• University Students’ “Quite Expensive” NAS;
• Many Others.
QNX in Numbers:
• Shodanhq:
• 2 QNX hosts;
• Internet Census:
• ~74 Internet-exposed hosts;
• No Nuclear Power Plants, though 
• Private/Local networks?
More About QNX:
• Photon (GUI)
• Uses Neutrino messages in order to create a
highly responsive user experience;
• Made of the following components:
• Photon server;
• graphics subsystem manager and hardware
driver;
• font support;
• input support;
• user applications;
More About QNX (cont):
• Multimedia
• “Media Player Plugins”
• Plays/Decodes:
• MPEG-1, MPEG-2, MPEG-2.5, MP3, WAV,
AIFF
• Widgets Library;
• Etc.
More About QNX (cont):
“By adding extra code to a digital music file,
they were able to turn a song burned to CD into a
Trojan horse. When played on the car's stereo,
this song could alter the firmware of the car's
stereo system, giving attackers an entry point to
change other components on the car”
Remember “Media Player Plugins”?
How it Looks:
How it Looks (Pentester’s view)
QNX Network Services (Usually Default):
• Telnet
• Allows root login, if you know the password
• Unprivileged joe account? Try ./KissMyHash
(later, in the demo)
• FTP
• Does not allow root login. You’re able to
traverse “/”, again, if you know the password.
• QCONN
• A kind of remote debug/profiling bridge for
IDEs
• Allows root login, even if you don’t know the
password 
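As an added example (not code from the talk), a small audit helper that reads a constructed, nmap-style service listing and flags QNX hosts exposing the three services listed above, rating each by what the slides say about it. The qconn port (8000) and the banner formats are assumptions, not taken from the slides.

```python
"""Audit helper for the three 'usually default' QNX network services.

Added example, not code from the talk.  Parses a constructed service
listing ("host port/proto state service banner") and reports which QNX
hosts still expose Telnet, FTP or QCONN so they can be disabled or
firewalled.  Nothing here touches the network.
"""
import re
from dataclasses import dataclass

# Assumption (not stated on the slides): qconn conventionally listens on TCP 8000.
QCONN_PORT = 8000

# Constructed sample listing.  Addresses are from the RFC 5737 documentation
# range; banners are made up to resemble what QNX telnetd/ftpd/qconn print.
SAMPLE_SCAN = """\
192.0.2.10 23/tcp open telnet QNX Neutrino (localhost) (ttyp0) login:
192.0.2.10 21/tcp open ftp 220 localhost FTP server (QNXNTO-ftpd) ready.
192.0.2.10 8000/tcp open qconn QCONN
192.0.2.11 22/tcp open ssh SSH-2.0-OpenSSH_6.2
192.0.2.12 8000/tcp open http-alt Apache httpd
192.0.2.13 23/tcp closed telnet
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    banner: str


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str
    note: str


def parse_scan(text):
    """Parse the listing into Service records, skipping malformed lines."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, port, proto, state, name, banner = m.groups()
        services.append(Service(host, int(port), proto, state, name, banner))
    return services


def is_qnx_banner(banner):
    """Crude fingerprint: QNX telnetd/ftpd banners usually name the OS."""
    return "QNX" in banner.upper()


def audit(services):
    """Rate exposures by what the slides say about each service:
    qconn  -> root without a password            -> critical
    telnet -> root login with password, cleartext -> high
    ftp    -> no root login, but cleartext creds and full "/" traversal -> medium
    """
    findings = []
    for s in services:
        if s.state != "open" or s.proto != "tcp":
            continue
        banner = s.banner.strip().upper()
        if s.port == QCONN_PORT and banner.startswith("QCONN"):
            findings.append(Finding(s.host, s.port, "qconn", "critical",
                                    "debug bridge, unauthenticated root; disable outside dev"))
        elif s.name == "telnet" and is_qnx_banner(s.banner):
            findings.append(Finding(s.host, s.port, "telnet", "high",
                                    "cleartext root login; replace with ssh or firewall"))
        elif s.name == "ftp" and is_qnx_banner(s.banner):
            findings.append(Finding(s.host, s.port, "ftp", "medium",
                                    "cleartext credentials, browses /; restrict or disable"))
    return findings


def hosts_with_qconn(findings):
    """Hosts needing immediate attention: qconn reachable at all."""
    return sorted({f.host for f in findings if f.service == "qconn"})


if __name__ == "__main__":
    for f in audit(parse_scan(SAMPLE_SCAN)):
        print(f"{f.severity:8} {f.host}:{f.port} {f.service}: {f.note}")
```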
QNX Qnet Protocol
• Transparent Distributed Processing Platform;
• Groups QNX systems or CPUs (nodes) into an
integrated network;
• A QNX node can access resources on other nodes,
transparently.
• Resources can be:
• Files;
• Devices;
• Processes <- 
• Same goes for IPC
Demo
Meet the Live Demo Gremlin: he just sits and waits,
then leaves…
References:
[1] "30 Ways QNX Touches Your Life", Internet: http://www.qnx.com/company/30ways/
[2] "Customers", Internet: http://www.qnx.com/company/customer_stories/
[3] "QNX Neutrino RTOS", Internet: http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html
[4] "A Look At The Near Future Of In-Car Technology: QNX CAR 2", Internet: http://www.washingtonpost.com/cars/a-look-at-the-near-future-of-in-car-technology-qnx-car-2/2012/09/19/a3266bf0-0262-11e2-9132-f2750cd65f97_story.html
[5] "Nuclear plant powers up on real-time OS", Internet: http://www.itbusiness.ca/news/nuclear-plant-powers-up-on-real-time-os/9084
[6] "Review: BlackBerry PlayBook (o verdadeiro tablet 2.0 :))", Internet: http://itweb.com.br/blogs/review-blackberry-playbook-o-verdadeiro-tablet-2-0/
[7] "Pentesting QNX Neutrino RTOS", Internet: http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
[8] "QNX QCONN Remote Command Execution Vulnerability", Internet:
http://www.rapid7.com/db/modules/exploit/unix/misc/qnx_qconn_exec
[9] "With hacking, music can take control of your car", Internet:
http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car
[10] "Transparent Distributed Processing Using Qnet", Internet:
http://www.qnx.com/developers/docs/6.3.2/neutrino/prog/qnet.html
[11] "on", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/utilities/o/on.html
Q&A
Hacking QNX