Hacking QNX
Confraria de Segurança da Informação
27 Nov 2013
root@localhost:~# whoami
• Ricardo Mourato
• Pentester @ SysValue
• Former SW engineer
• Like to:
  • Hack Stuff
  • Code C, Python, Ruby, Java, C#
  • Slackware!
• Drink:
  • Stout
  • Staropramen
  • Stella Artois
• Hate:
  • Printers, Unless networked
  • Perl
root@localhost:~#
Disclaimer:
You know, I’m not responsible for your:
What this talk is about:
• An introduction to QNX RTOS
• Where Would You Expect To Find QNX
• QNX in Numbers
• More About QNX
• How it Looks
• QNX Network Services
• QNX Qnet protocol
• Exploiting QNX Weaknesses Remotely & Locally (<- demo)
What is QNX (Neutrino):
• Multiuser & Multitask Mission Critical RTOS;
• Developed by QNX Software, later acquired by Research in Motion, Now BlackBerry;
• Targets are mostly embedded systems;
• Microkernel driven;
• This means:
  • Every failure-prone component lives outside of kernelspace;
  • Components such as Drivers, Protocol Stacks, Filesystems, Applications;
What is QNX Neutrino (cont):
• Runs on Multiple Archs: ARM, MIPS, PowerPC, x86, etc;
• Not Linux nor Unix;
• POSIX standard (1003.1-2001 POSIX.1)
What is QNX Neutrino (cont):
Source: http://www.qnx.com/
Where Would You Expect To Find QNX:
“QNX is used in systems where the cost of failure
is very high“
Dan Dodge (QNX CEO)
Where Would You Expect To Find QNX (cont):
• Medical Equipment;
• Industrial Robots;
• Professional DVRs;
• Storage Appliances;
• Network Equipment; <- Cisco CRS-1
• RAID Controllers;
• Spacecraft & Aircraft;
• Nuclear Power Plants;
Where Would You Expect To Find QNX (cont):
• Blackberry PlayBook, Z10, Z30, Q5, Q10, etc;
• Luxury & High-end Cars (Porsche, Bentley, Lexus, Mercedes, etc.);
• University Students’ “Quite Expensive” NAS;
• Many Others.
QNX in Numbers:
• Shodanhq:
  • 2 QNX hosts;
• Internet Census:
  • ~74 Internet-exposed hosts;
  • No Nuclear Power Plants, though
• Private/Local networks?
More About QNX:
• Photon (GUI)
  • Uses Neutrino messages in order to create a highly responsive user experience;
  • Made of the following components:
    • Photon server;
    • graphics subsystem manager and hardware driver;
    • font support;
    • input support;
    • user applications;
More About QNX (cont):
• Multimedia
  • “Media Player Plugins”
  • Plays/Decodes:
    • MPEG-1, MPEG-2, MPEG-2.5, MP3, WAV, AIFF
• Widgets Library;
• Etc.
More About QNX (cont):
“By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car”
Remember “Media Player Plugins”?
How it Looks:
How it Looks:
How it Looks (Pentester’s view)
QNX Network Services (Usually Default):
• Telnet
  • Allows root login, if you know the password
  • Unprivileged joe account? Try ./KissMyHash (later on demo)
• FTP
  • Does not allow root login. You’re able to travel “/”, again, if you know the password.
• QCONN
  • Kind of remote debug/profiling bridge for IDEs
  • Allows root login, even if you don’t know the password
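The three services above are the ones an asset owner should be checking for on a QNX image before it ships or goes on a network. The following is an added example (not code from the talk or from QNX) of a small hardening audit: it parses an inetd.conf-style service table, reports which of telnet, ftp and qconn are enabled and under which user, and produces a hardened copy with those entries commented out. It assumes the services are launched by inetd with the classic seven-field line format (service, socket type, protocol, wait/nowait, user, program, arguments); on a real QNX system qconn may be started from a boot script instead, so treat this as one layer of the check, and the sample config is constructed, not taken from any device.

```python
"""Audit an inetd.conf-style service table for the QNX services named in the talk.

Added example; assumptions: services are started by inetd, lines use the
classic seven-field inetd format, and the sample below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Services called out in the talk and why each is a risk on a reachable host.
RISKY_SERVICES = {
    "telnet": "cleartext login; root login permitted once the password is known",
    "ftp": "cleartext login; whole filesystem browsable once authenticated",
    "qconn": "IDE debug bridge; command execution without a password",
}

# service  socktype  proto  wait/nowait  user  program  [args...]
INETD_RE = re.compile(
    r"^(?P<service>\S+)\s+(?P<socktype>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<wait>\S+)\s+(?P<user>\S+)\s+(?P<program>\S+)(?:\s+(?P<args>.*))?$"
)


@dataclass
class Finding:
    service: str
    line_no: int
    user: str
    program: str
    reason: str


def audit_inetd_conf(text: str) -> list[Finding]:
    """Return one Finding per enabled (uncommented) risky service entry."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled entry
        match = INETD_RE.match(line)
        if match is None:
            continue  # not a service line we understand; leave it alone
        service = match.group("service")
        if service in RISKY_SERVICES:
            findings.append(
                Finding(
                    service=service,
                    line_no=line_no,
                    user=match.group("user"),
                    program=match.group("program"),
                    reason=RISKY_SERVICES[service],
                )
            )
    return findings


def harden_inetd_conf(text: str) -> str:
    """Return a copy of the config with every risky service entry commented out."""
    hardened = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = bool(line) and not line.startswith("#")
        if enabled and line.split()[0] in RISKY_SERVICES:
            hardened.append("#" + raw)  # disable by commenting out, keep for audit trail
        else:
            hardened.append(raw)
    return "\n".join(hardened) + "\n"


# Constructed sample config (not from a real QNX image).
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf for the audit example
ftp     stream  tcp  nowait  root    /usr/sbin/ftpd     ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/telnetd  telnetd
#qconn  stream  tcp  nowait  root    /usr/sbin/qconn    qconn
finger  stream  tcp  nowait  nobody  /usr/bin/fingerd   fingerd
"""


if __name__ == "__main__":
    for f in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"line {f.line_no}: {f.service} runs as {f.user} via {f.program}: {f.reason}")
    print(harden_inetd_conf(SAMPLE_INETD_CONF))
```

On the constructed sample the audit flags ftp and telnet (both running as root) and ignores the already-commented qconn line; the hardened output disables both, leaves finger untouched, and re-auditing the hardened text yields no findings.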
QNX Qnet Protocol
• Transparent Distributed Processing Platform;
• Groups QNX systems or CPUs (nodes) into an integrated network;
• A QNX node can access resources on other nodes, transparently.
• Resources can be:
  • Files;
  • Devices;
  • Processes <-
• Same goes for IPC
Demo
Meet the Live Demo Gremlin, he just sits and waits
Then Leaves…
References:
[1] "30 Ways QNX Touches Your Life", Internet: http://www.qnx.com/company/30ways/
[2] "Customers", Internet: http://www.qnx.com/company/customer_stories/ ; http://www.qnx.com
[3] "QNX Neutrino RTOS", Internet: http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html
[4] "A Look At The Near Future Of In-Car Technology: QNX CAR 2", Internet: http://www.washingtonpost.com/cars/a-look-at-the-near-future-of-in-car-technology-qnx-car-2/2012/09/19/a3266bf0-0262-11e2-9132-f2750cd65f97_story.html
[5] "Nuclear plant powers up on real-time OS", Internet: http://www.itbusiness.ca/news/nuclear-plant-powers-up-on-real-time-os/9084
[6] "Review: BlackBerry PlayBook (o verdadeiro tablet 2.0 :))", Internet: http://itweb.com.br/blogs/review-blackberry-playbook-o-verdadeiro-tablet-2-0/
[7] "Pentesting QNX Neutrino RTOS", Internet: http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
[8] "QNX QCONN Remote Command Execution Vulnerability", Internet: http://www.rapid7.com/db/modules/exploit/unix/misc/qnx_qconn_exec
[9] "With hacking, music can take control of your car", Internet: http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car
[10] "Transparent Distributed Processing Using Qnet", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/prog/qnet.html
[11] "on", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/utilities/o/on.html
Q&A