CVE-2002-2040

QNX RTOS <6.1.0 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2002-2040. PoCs published by badc0ded.

AI-analyzed exploit summary This exploit leverages a privilege escalation vulnerability in the QNX phgrafx-startup utility due to unsafe use of the system() function. It creates a malicious crttrap script in /tmp, modifies the PATH to prioritize it, and triggers phgrafx-startup to execute the script with elevated privileges, resulting in a setuid root shell.

Description

The (1) phrafx and (2) phgrafx-startup programs in QNX realtime operating system (RTOS) 4.25 and 6.1.0 do not properly drop privileges before executing the system command, which allows local users to execute arbitrary commands by modifying the PATH environment variable to reference a malicious crttrap program.

Exploits (2)

exploitdb WORKING POC VERIFIED

by badc0ded · bashlocallinux

https://www.exploit-db.com/exploits/21504

View Code ZIP pw:eip

This exploit leverages a privilege escalation vulnerability in the QNX phgrafx-startup utility due to unsafe use of the system() function. It creates a malicious crttrap script in /tmp, modifies the PATH to prioritize it, and triggers phgrafx-startup to execute the script with elevated privileges, resulting in a setuid root shell.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: QNX phgrafx-startup (version not specified)

No auth needed

Prerequisites: Local access to the system · Presence of /usr/photon/bin/phgrafx-startup

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by badc0ded · bashlocallinux

https://www.exploit-db.com/exploits/21503

View Code ZIP pw:eip

This exploit leverages a privilege escalation vulnerability in the QNX phgrafx utility by hijacking the PATH environment variable to execute a malicious script (crttrap) with root privileges. The script creates a setuid root shell in /tmp/badc0ded.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: QNX phgrafx utility

No auth needed

Prerequisites: Local access to the system · QNX phgrafx utility installed

MITRE ATT&CK

T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/4916

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/4915

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://online.securityfocus.com/archive/1/275218

Third Party Advisory vdb-entry x_refsource_xf

http://www.iss.net/security_center/static/9257.php

Scores

EPSS 0.0108

EPSS Percentile 60.8%

Details

Status published

Products (2)

qnx/rtos 4.25

qnx/rtos 6.1.0

Published Dec 31, 2002

Tracked Since Feb 18, 2026