Hacking QNX
Confraria de Segurança da Informação
27 Nov 2013
root@localhost:~# whoami
• Ricardo Mourato
• Pentester @ SysValue
• Former SW engineer
• Like to:
  • Hack stuff
  • Code C, Python, Ruby, Java, C#
  • Slackware!
• Drink:
  • Stout
  • Staropramen
  • Stella Artois
• Hate:
  • Printers, unless networked
  • Perl
root@localhost:~#
Disclaimer:
You know, I’m not responsible for your:
What this talk is about:
• An introduction to QNX RTOS
• Where Would You Expect To Find QNX
• QNX in Numbers
• More About QNX
• How it Looks
• QNX Network Services
• QNX Qnet protocol
• Exploiting QNX Weaknesses Remotely & Locally (<- demo)
What is QNX (Neutrino):
• Multiuser & multitask mission-critical RTOS;
• Developed by QNX Software, later acquired by Research in Motion, now BlackBerry;
• Targets are mostly embedded systems;
• Microkernel driven;
• This means:
  • Every failure-prone component lives outside of kernel space;
  • Components such as drivers, protocol stacks, filesystems and applications;
What is QNX Neutrino (cont):
• Runs on multiple architectures: ARM, MIPS, PowerPC, x86, etc;
• Not Linux nor Unix;
• POSIX standard (1003.1-2001 POSIX.1)
What is QNX Neutrino (cont):
Source: http://www.qnx.com/
Where Would You Expect To Find QNX:
“QNX is used in systems where the cost of failure is very high”
Dan Dodge (QNX CEO)
Where Would You Expect To Find QNX (cont):
• Medical Equipment;
• Industrial Robots;
• Professional DVR’s;
• Storage Appliances;
• Network Equipment; <- Cisco CRS-1
• RAID Controllers;
• Spacecraft & Aircraft;
• Nuclear Power Plants;
Where Would You Expect To Find QNX (cont):
• BlackBerry PlayBook, Z10, Z30, Q5, Q10, etc;
• Luxury & high-end cars (Porsche, Bentley, Lexus, Mercedes, etc.);
• University students’ “quite expensive” NAS;
• Many others.
QNX in Numbers:
• Shodanhq:
  • 2 QNX hosts;
• Internet Census:
  • ~74 Internet-exposed hosts;
• No nuclear power plants, though
• Private/local networks?
More About QNX:
• Photon (GUI)
  • Uses Neutrino messages in order to create a highly responsive user experience;
  • Made of the following components:
    • Photon server;
    • graphics subsystem manager and hardware driver;
    • font support;
    • input support;
    • user applications;
More About QNX (cont):
• Multimedia
  • “Media Player Plugins”
  • Plays/decodes:
    • MPEG-1, MPEG-2, MPEG-2.5, MP3, WAV, AIFF
• Widgets library;
• Etc.
More About QNX (cont):
More About QNX (cont):
“By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car”
Remember “Media Player Plugins”?
How it Looks:
How it Looks:
How it Looks (Pentester’s view)
QNX Network Services (Usually Default):
• Telnet
  • Allows root login, if you know the password
  • Unprivileged joe account? Try ./KissMyHash (later on demo)
• FTP
  • Does not allow root login. You’re able to traverse “/”, again, if you know the password.
• QCONN
  • Kind of a remote debug/profiling bridge for IDEs
  • Allows root login, even if you don’t know the password
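As an added audit example (not code from the talk), the script below parses a QNX-style inetd.conf and a constructed process listing, flags the three default services the slide discusses with the risk the slide assigns to each, and emits a hardened inetd.conf with telnet and ftp commented out. The inetd.conf layout, the two-column process-list layout and the program paths are assumptions; the sample input is constructed.

```python
"""Audit a QNX host's default network services (telnet, ftp, qconn).

Added example. Assumptions: telnet/ftp are started from a standard
inetd.conf ("service socktype proto wait user server args"), qconn runs
as a stand-alone process, and the process list is a constructed
"pid path" listing, not real pidin output.
"""

from dataclasses import dataclass

# Risk notes mirror the slide: telnet allows root login with a password,
# ftp lets a valid user traverse "/", qconn gives root without a password.
RISKY_SERVICES = {
    "telnet": ("high", "cleartext login; root login permitted with password"),
    "ftp": ("medium", "cleartext login; whole filesystem browsable with password"),
    "qconn": ("critical", "IDE debug bridge; root access without a password"),
}


@dataclass
class Finding:
    service: str
    source: str  # "inetd" or "process"
    severity: str
    note: str


def parse_inetd_conf(text):
    """Return the set of services enabled (not commented out) in inetd.conf."""
    enabled = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:  # malformed entry; inetd would ignore it too
            continue
        enabled.add(fields[0])
    return enabled


def parse_process_list(text):
    """Return basenames of running programs from a constructed 'pid path' list."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 2 and fields[0].isdigit():
            names.add(fields[1].rsplit("/", 1)[-1])
    return names


def audit(inetd_text, proc_text):
    """Combine both sources into an ordered list of findings."""
    findings = []
    for svc in sorted(parse_inetd_conf(inetd_text)):
        if svc in RISKY_SERVICES:
            sev, note = RISKY_SERVICES[svc]
            findings.append(Finding(svc, "inetd", sev, note))
    for name in sorted(parse_process_list(proc_text)):
        if name in RISKY_SERVICES:
            sev, note = RISKY_SERVICES[name]
            findings.append(Finding(name, "process", sev, note))
    return findings


def harden_inetd_conf(text, disable=("telnet", "ftp")):
    """Return a copy of inetd.conf with the given services commented out."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        out.append("#" + raw if fields and fields[0] in disable else raw)
    return "\n".join(out) + "\n"


# Constructed sample input (not captured from a real system).
SAMPLE_INETD = """\
# inetd.conf (constructed sample)
ftp     stream tcp nowait root /usr/sbin/ftpd    in.ftpd -l
telnet  stream tcp nowait root /usr/sbin/telnetd in.telnetd
#shell  stream tcp nowait root /usr/sbin/rshd    in.rshd
"""
SAMPLE_PROCS = """\
1      /proc/boot/procnto
4099   /usr/sbin/qconn
4100   /usr/sbin/inetd
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_INETD, SAMPLE_PROCS):
        print(f"[{f.severity}] {f.service} ({f.source}): {f.note}")
    print(harden_inetd_conf(SAMPLE_INETD))
```

qconn is not an inetd service in this model, so commenting out inetd entries does not remove it; the process-list finding is what tells you it is still running.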
QNX Qnet Protocol
• Transparent Distributed Processing platform;
• Groups QNX systems or CPUs (nodes) into an integrated network;
• A QNX node can access resources on other nodes, transparently.
• Resources can be:
  • Files;
  • Devices;
  • Processes <-
• Same goes for IPC
Demo
Meet the Live Demo Gremlin: he just sits and waits, then leaves…
References:
[1] "30 Ways QNX Touches Your Life", Internet: http://www.qnx.com/company/30ways/
[2] "Customers", Internet: http://www.qnx.com/company/customer_stories/
[3] "QNX Neutrino RTOS", Internet: http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html
[4] "A Look At The Near Future Of In-Car Technology: QNX CAR 2", Internet: http://www.washingtonpost.com/cars/a-look-at-the-near-future-of-in-car-technology-qnx-car-2/2012/09/19/a3266bf0-0262-11e2-9132-f2750cd65f97_story.html
[5] "Nuclear plant powers up on real-time OS", Internet: http://www.itbusiness.ca/news/nuclear-plant-powers-up-on-real-time-os/9084
[6] "Review: BlackBerry PlayBook (o verdadeiro tablet 2.0 :))", Internet: http://itweb.com.br/blogs/review-blackberry-playbook-o-verdadeiro-tablet-2-0/
[7] "Pentesting QNX Neutrino RTOS", Internet: http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
[8] "QNX QCONN Remote Command Execution Vulnerability", Internet: http://www.rapid7.com/db/modules/exploit/unix/misc/qnx_qconn_exec
[9] "With hacking, music can take control of your car", Internet: http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car
[10] "Transparent Distributed Processing Using Qnet", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/prog/qnet.html
[11] "on", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/utilities/o/on.html
Q&A