CVE-2014-2534

BlackBerry QNX Neutrino RTOS <6.5.x - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2534. PoCs published by cenobyte.

AI-analyzed exploit summary: The exploit leverages a privilege escalation flaw in QNX's setuid root binary `pppoectl`, which fails to validate file permissions. By specifying `/etc/shadow` as a configuration file, the tool discloses the first line of the shadow file in its error output, exposing the root password hash.

Description

/sbin/pppoectl in BlackBerry QNX Neutrino RTOS 6.4.x and 6.5.x allows local users to obtain sensitive information by reading "bad parameter" lines in error messages, as demonstrated by reading the root password hash in /etc/shadow.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by cenobyte · text · local · qnx
https://www.exploit-db.com/exploits/32156

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: QNX 6.4.x/6.5.x (pppoectl)
No auth needed
Prerequisites: Access to a vulnerable QNX system · User-level shell access
Analyzed by devstral-2 on Feb 18, 2026

References (5)

Core References
Exploit [exploit, x_refsource_exploit-db]: http://www.exploit-db.com/exploits/32156/
Mailing List [mailing-list, x_refsource_fulldisc]: http://seclists.org/fulldisclosure/2014/Mar/124
Mailing List [mailing-list, x_refsource_bugtraq]: http://seclists.org/bugtraq/2014/Mar/66
Mailing List [mailing-list, x_refsource_fulldisc]: http://seclists.org/fulldisclosure/2014/Mar/98
Mailing List [mailing-list, x_refsource_bugtraq]: http://seclists.org/bugtraq/2014/Mar/88

Scores

EPSS 0.0095
EPSS Percentile 56.4%

Details

CWE: CWE-264
Status: published
Products (2):
blackberry/qnx_neutrino_rtos 6.4.1
blackberry/qnx_neutrino_rtos 6.5.0 (2 CPE variants)
Published: Mar 18, 2014
Tracked Since: Feb 18, 2026