Vulnerability Note VU#961686

QNX PPPoEd vulnerable to buffer overflow

Original Release date: 01 Feb 2005 | Last revised: 03 Feb 2005


QNX PPPoEd contains a buffer overflow that may allow an attacker to execute arbitrary commands.


QNX is an RTOS (Real-time Operating System). QNX is used in many different devices and industries, including, but not limited to

    • routers
    • manufacturing and processing
    • medical equipment
    • automotive and transportation
    • military and aerospace
    • consumer electronics
    • industry automation and control

The pppoed command is used to start the PPPoEd daemon which provides Point-to-Point Protocol over Ethernet (PPPoE) connections on QNX systems. The syntax of the PPPoEd command is

pppoed [options] [suboptions]

where [options] are user-supplied command-line parameters. A lack of bounds checking on the user-supplied options may allow a buffer overflow to occur. According to some reports, the following command-line options contain this vulnerability:
    • name
    • en
    • upscript
    • downscript
    • retries
    • timeout
    • scriptdetach
    • noscript
    • nodetach
    • remote_mac
    • local_mac

However, other options may also contain this vulnerability,


An attacker may be able to execute arbitrary commands with elevated privileges or cause a denial-of-service condition.


We are currently unaware of a practical solution to this problem.

Limit Access to PPPoEd

Deny untrusted users the privileges needed to access the PPPoEd service.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
QNXAffected-10 Sep 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was publicly reported by Julio Cesar Fort.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: Unknown
  • Date Public: 05 Sep 2004
  • Date First Published: 01 Feb 2005
  • Date Last Updated: 03 Feb 2005
  • Severity Metric: 10.94
  • Document Revision: 152


If you have feedback, comments, or additional information about this vulnerability, please send us email.