CVE-2002-0793

MEDIUM

QNX Neutrino Real-Time Operating System - Arbitrary File Overwrite via Hard Link Following

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2002-0793. PoCs published by Simon Ouellette.

AI-analyzed exploit summary This exploit leverages a vulnerability in the QNX RTOS monitor utility, which is installed setuid root by default. By using the -f command line option, a local attacker can overwrite arbitrary system files, such as /etc/passwd, leading to privilege escalation.

Description

Hard link and possibly symbolic link following vulnerabilities in QNX RTOS 4.25 (aka QNX4) allow local users to overwrite arbitrary files via (1) the -f argument to the monitor utility, (2) the -d argument to dumper, (3) the -c argument to crttrap, or (4) using the Watcom sample utility.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Simon Ouellette · textlocallinux
https://www.exploit-db.com/exploits/21500

This exploit leverages a vulnerability in the QNX RTOS monitor utility, which is installed setuid root by default. By using the -f command line option, a local attacker can overwrite arbitrary system files, such as /etc/passwd, leading to privilege escalation.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: QNX RTOS monitor utility
No auth needed
Prerequisites: Local access to the system · Presence of the vulnerable monitor utility
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Simon Ouellette · textlocallinux
https://www.exploit-db.com/exploits/21501

This exploit leverages a symbolic link vulnerability in the QNX RTOS 'dumper' utility to overwrite arbitrary files and gain ownership, potentially leading to privilege escalation by modifying system files like '/etc/passwd'.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: QNX RTOS dumper utility
Auth required
Prerequisites: Local access to the system · Ability to create symbolic links · Presence of the 'dumper' utility
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Simon Ouellette · textlocallinux
https://www.exploit-db.com/exploits/21499

This exploit leverages a command-line option in the QNX RTOS crttrap binary to disclose arbitrary file contents. The binary is installed setuid, allowing local attackers to read sensitive files like /etc/shadow.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: QNX RTOS crttrap
No auth needed
Prerequisites: Local access to the QNX RTOS system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/9234
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/9233
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4901
Broken Link, Exploit, Patch, Third Party Advisory, VDB Entry, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4902
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4904
Broken Link, Exploit, Vendor Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0292.html
Broken Link, Patch, Vendor Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/9231.php
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4903
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/9232

Scores

CVSS v3 5.5
EPSS 0.0134
EPSS Percentile 67.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-59
Status published
Products (1)
blackberry/qnx_neutrino_real-time_operating_system 4.25
Published Aug 12, 2002
Tracked Since Feb 18, 2026