In this blog post I will cover QNX's Qnet native networking protocol and an Elevation of Privilege vulnerability (CVE-2017-3891) I discovered in it.

QNX & Qnet

BlackBerry QNX is a Unix-like POSIX Real-Time Operating System (RTOS) for embedded systems found in everything from mobile devices (BlackBerry 10, BlackBerry Tablet OS) and automotive infotainment units to industrial control systems and military radios.

QNX has a microkernel architecture where only the bare minimum of kernel functionality (scheduler, interrupt handling, etc.) resides in kernelspace, with the rest of the OS and device driver functionality residing in userspace. Communication between these various components is primarily done by means of message-passing based Interprocess Communication (IPC).

The QNX Qnet protocol extends this IPC transparently over a network of microkernels (as an overlay over anything with a packet driver, e.g. Ethernet, RapidIO, InfiniBand, etc.) to form a native network where programs can access any resource, from files and devices to processes, on any other node in the local subnet.

This allows for simple and transparent distributed computing over multiple processors or machines, which is useful in a range of applications such as industrial automation (with different machines and nodes distributed around a plant), telecom (large routers with multiple interface cards with individual processors) or automotive (sharing a single Bluetooth transceiver or 3G/4G modem among different modules over CAN, LIN or MOST).

One prominent example of Qnet usage is in Cisco's IOS-XR operating system (used in carrier-grade routers such as the CRS, 12000 and ASR9000 series) which runs its Light Weight Messaging (LWM) on top of Qnet. LWM functions as the preferred intra-node and inter-node IPC on IOS-XR.