Exploitation Summary
EIP tracks 1 public exploit for CVE-2000-0250. PoCs published by Sean.
AI-analyzed exploit summary: This exploit demonstrates a design flaw in QNX's crypt(3) function, allowing password recovery from hashes due to insufficient obfuscation. The code reverses the weak hashing algorithm by extracting and rotating bits to reconstruct the original password.
Description
The crypt function in QNX uses weak encryption, which allows local users to decrypt passwords.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Sean · clocalqnx
https://www.exploit-db.com/exploits/19851
Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target:
QNX (versions with vulnerable crypt(3) implementation)
No auth needed
Prerequisites:
Access to the password file (e.g., /etc/passwd or /etc/shadow)
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026
References (2)
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/1114
Exploit, Vendor Advisory mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0072.html
Scores
EPSS
0.0062
EPSS Percentile
45.1%
Details
Status
published
Products (1)
qnx/qnx
4.25a
Published
Apr 14, 2000
Tracked Since
Feb 18, 2026