Vulnerability Note VU#961686

QNX PPPoEd vulnerable to buffer overflow

Original Release date: 01 Feb 2005 | Last revised: 03 Feb 2005


QNX PPPoEd contains a buffer overflow that may allow an attacker to execute arbitrary commands.


QNX is an RTOS (Real-time Operating System). QNX is used in many different devices and industries, including, but not limited to

  • routers
  • manufacturing and processing
  • medical equipment
  • automotive and transportation
  • military and aerospace
  • consumer electronics
  • industry automation and control

The pppoed command is used to start the PPPoEd daemon which provides Point-to-Point Protocol over Ethernet (PPPoE) connections on QNX systems. The syntax of the PPPoEd command is
    pppoed [options] [suboptions]

where [options] are user-supplied command-line parameters. A lack of bounds checking on the user-supplied options may allow a buffer overflow to occur. According to some reports, the following command-line options contain this vulnerability:
  • name
  • en
  • upscript
  • downscript
  • retries
  • timeout
  • scriptdetach
  • noscript
  • nodetach
  • remote_mac
  • local_mac

However, other options may also contain this vulnerability,


An attacker may be able to execute arbitrary commands with elevated privileges or cause a denial-of-service condition.


We are currently unaware of a practical solution to this problem.

Limit Access to PPPoEd

Deny untrusted users the privileges needed to access the PPPoEd service.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
QNXAffected-10 Sep 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was publicly reported by Julio Cesar Fort.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: Unknown
  • Date Public: 05 Sep 2004
  • Date First Published: 01 Feb 2005
  • Date Last Updated: 03 Feb 2005
  • Severity Metric: 10.94
  • Document Revision: 152


If you have feedback, comments, or additional information about this vulnerability, please send us email.