The dhcp.client program for QNX 4.25 vmware is setuid, possibly by default, which allows local users to modify the NIC configuration and conduct other attacks.
https://exchange.xforce.ibmcloud.com/vulnerabilities/23543
http://www.securityfocus.com/bid/15785
http://www.securityfocus.com/archive/1/418513/100/0/threaded