Script qconn-exec
Script types:
portrule
Categories:
intrusive, exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/qconn-exec.nse
Script Summary
Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.
QNX is a commercial Unix-like real-time operating system aimed primarily at the embedded systems market. The QCONN daemon is a service that provides support, such as profiling and system information, to remote IDE components. The QCONN daemon listens on port 8000 by default.
For more information about QNX QCONN, see:
- http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html
- http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
- http://www.exploit-db.com/exploits/21520
- http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
Script Arguments
- qconn-exec.cmd
Set the operating system command to execute. The default value is "uname -a".
- qconn-exec.timeout
Set the timeout in seconds. The default value is 30.
- qconn-exec.bytes
Set the number of bytes to retrieve. The default value is 1024.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p <port> <target>
Script Output
PORT     STATE SERVICE VERSION
8000/tcp open  qconn   qconn remote IDE support
| qconn-exec:
|   VULNERABLE:
|   The QNX QCONN daemon allows remote command execution.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
|       system commands as the 'root' user.
|
|     References:
|       http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
|_      http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
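The report above is what a scan operator sees on the terminal; in practice the result is usually consumed from Nmap's XML output (-oX) to feed a ticketing or asset-inventory system. The following triage script is an added example, not part of the qconn-exec script or of Nmap itself. It parses the vulns-library plain-text report that Nmap stores in the script element's output attribute, pulls out the State and Risk factor lines shown above, and distinguishes hosts where the script confirmed command execution ("rce") from hosts that merely expose an open qconn service on which the script reported nothing ("exposed"; by default the vulns library prints a report only for vulnerable hosts unless vulns.showall is set). The XML document, the addresses (from the 192.0.2.0/24 documentation range) and the helper names parse_script_output and triage_qconn are constructed for this example; the report text inside the output attribute is the one shown on this page, with newlines encoded as &#xa; the way Nmap writes them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML (-oX) for two hosts. The qconn-exec output text
# is the report shown on this page; Nmap stores it in the "output" attribute
# with newlines escaped as &#xa;. Addresses are from the documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8000">
        <state state="open"/>
        <service name="qconn" product="qconn remote IDE support"/>
        <script id="qconn-exec" output="&#xa;  VULNERABLE:&#xa;  The QNX QCONN daemon allows remote command execution.&#xa;    State: VULNERABLE&#xa;    Risk factor: High&#xa;    Description:&#xa;      The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating&#xa;      system commands as the 'root' user.&#xa;    References:&#xa;      http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos&#xa;      http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8000">
        <state state="open"/>
        <service name="qconn"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# The vulns library prints "State: <state>" and "Risk factor: <level>" lines;
# the regexes tolerate the whitespace/newline variations of the XML encoding.
STATE_RE = re.compile(r"State:\s+(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE|UNKNOWN)")
RISK_RE = re.compile(r"Risk factor:\s+(\w+)")


def parse_script_output(text):
    """Extract State and Risk factor from a vulns-library plain-text report."""
    state = STATE_RE.search(text)
    risk = RISK_RE.search(text)
    return {
        "state": state.group(1) if state else "UNREPORTED",
        "risk_factor": risk.group(1) if risk else None,
    }


def triage_qconn(xml_text):
    """Return one finding per host/port where a qconn service is open.

    severity is "rce" when qconn-exec reported State: VULNERABLE, otherwise
    "exposed" (the qconn port is reachable but no command execution was
    confirmed by the script, or the script did not run).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state_el = port.find("state")
            if state_el is None or state_el.get("state") != "open":
                continue
            svc = port.find("service")
            svc_name = svc.get("name") if svc is not None else ""
            script = next(
                (s for s in port.findall("script") if s.get("id") == "qconn-exec"),
                None,
            )
            if svc_name != "qconn" and script is None:
                continue  # unrelated open port
            finding = {
                "host": addr,
                "port": int(port.get("portid")),
                "state": "UNREPORTED",
                "risk_factor": None,
            }
            if script is not None:
                finding.update(parse_script_output(script.get("output", "")))
            finding["severity"] = "rce" if finding["state"] == "VULNERABLE" else "exposed"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_qconn(SAMPLE_NMAP_XML):
        print(f"{f['host']}:{f['port']} {f['severity']:8} "
              f"state={f['state']} risk={f['risk_factor']}")
```

Running the block prints one line per host: the first host is flagged as rce with risk High, the second only as exposed. Treating the "exposed" class as a finding in its own right is deliberate: an unauthenticated QCONN service reachable from a scanning position is already a misconfiguration on an embedded device, whether or not the script managed to confirm command execution during that particular run (the page's timeout and bytes arguments can both cause a silent miss on slow targets).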
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html