Script qconn-exec

Script types: portrule
Categories: intrusive, exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/qconn-exec.nse

Script Summary

Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.

QNX is a commercial Unix-like real-time operating system, aimed primarily at the embedded systems market. The QCONN daemon is a service provider that provides support, such as profiling system information, to remote IDE components. The QCONN daemon runs on port 8000 by default.

For more information about QNX QCONN, see:

Script Arguments

qconn-exec.cmd

Set the operating system command to execute. The default value is "uname -a".

qconn-exec.timeout

Set the timeout in seconds. The default value is 30.

qconn-exec.bytes

Set the number of bytes to retrieve. The default value is 1024.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p <port> <target>

Script Output

PORT     STATE SERVICE VERSION
8000/tcp open  qconn   qconn remote IDE support
| qconn-exec:
|   VULNERABLE:
|   The QNX QCONN daemon allows remote command execution.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
|       system commands as the 'root' user.
|
|     References:
|       http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
|_      http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec

Requires


Author:

  • Brendan Coles

License: Same as Nmap--See https://nmap.org/book/man-legal.html