Script qconn-exec

Script types: portrule
Categories: intrusive, exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/qconn-exec.nse

Script Summary

Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.

QNX is a commercial Unix-like real-time operating system aimed primarily at the embedded systems market. The QCONN daemon is the on-target service provider that supports remote IDE components, offering facilities such as system profiling and system information gathering. By default it listens on TCP port 8000.

For more information about QNX QCONN, see:

Script Arguments

qconn-exec.cmd

Set the operating system command to execute. The default value is "uname -a".

qconn-exec.timeout

Set the timeout in seconds. The default value is 30.

qconn-exec.bytes

Set the number of bytes to retrieve. The default value is 1024.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p <port> <target>

Script Output

PORT     STATE SERVICE VERSION
8000/tcp open  qconn   qconn remote IDE support
| qconn-exec:
|   VULNERABLE:
|   The QNX QCONN daemon allows remote command execution.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
|       system commands as the 'root' user.
|
|     References:
|       http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
|_      http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
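The block above is the vulns library's normal-format rendering of the finding. As an added example (not part of Nmap or the qconn-exec script), the Python below parses that text from a saved multi-host report (-oN or captured stdout) into one record per host and lists the hosts the script marked VULNERABLE. The sample report is constructed: the Script Output from this page wrapped in the per-host header Nmap prints, with a documentation address for the host.

```python
"""Triage qconn-exec results from normal-format Nmap output (-oN or stdout).

Added example for this page, not part of Nmap or the qconn-exec script.
SAMPLE_REPORT is constructed from the Script Output shown on this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_REPORT = """Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).

PORT     STATE SERVICE VERSION
8000/tcp open  qconn   qconn remote IDE support
| qconn-exec:
|   VULNERABLE:
|   The QNX QCONN daemon allows remote command execution.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
|       system commands as the 'root' user.
|
|     References:
|       http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
|_      http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass
class QconnFinding:
    host: str
    port: int
    proto: str
    port_state: str
    service: str
    state: Optional[str] = None        # vulns "State:" line
    risk_factor: Optional[str] = None  # vulns "Risk factor:" line
    description: str = ""
    references: List[str] = field(default_factory=list)

    @property
    def vulnerable(self) -> bool:
        return self.state == "VULNERABLE"


def _strip_bar(line: str) -> str:
    """Drop the '|' or '|_' prefix Nmap draws in front of script output."""
    body = line[1:]
    return (body[1:] if body.startswith("_") else body).strip()


def parse_qconn_exec(report: str) -> List[QconnFinding]:
    """Return one QconnFinding per qconn-exec block in the report."""
    findings: List[QconnFinding] = []
    host: Optional[str] = None
    port_info = None  # (port, proto, state, service) of the last PORT line seen
    current: Optional[QconnFinding] = None
    section: Optional[str] = None  # multi-line field currently being collected
    for raw in report.splitlines():
        if (m := HOST_RE.match(raw)):
            host, port_info, current = m.group(1), None, None
            continue
        if (m := PORT_RE.match(raw)):
            port_info = (int(m.group(1)), m.group(2), m.group(3), m.group(4))
            current = None
            continue
        if not raw.startswith("|"):
            current = None  # left the script-output area for this port
            continue
        body = _strip_bar(raw)
        if body == "qconn-exec:" and host is not None and port_info is not None:
            current = QconnFinding(host, *port_info)
            findings.append(current)
            section = None
        elif current is not None and body:
            if body.startswith("State:"):
                current.state, section = body.split(":", 1)[1].strip(), None
            elif body.startswith("Risk factor:"):
                current.risk_factor, section = body.split(":", 1)[1].strip(), None
            elif body == "Description:":
                section = "description"
            elif body == "References:":
                section = "references"
            elif section == "description":
                current.description = f"{current.description} {body}".strip()
            elif section == "references" and body.startswith("http"):
                current.references.append(body)
            # The "VULNERABLE:" status header and the title line fall through.
        if raw.startswith("|_"):
            current = None  # '|_' closes this script's block
    return findings


def vulnerable_hosts(findings: List[QconnFinding]) -> List[str]:
    """host:port for every finding qconn-exec marked VULNERABLE."""
    return [f"{f.host}:{f.port}" for f in findings if f.vulnerable]
```

Feed it the contents of a saved -oN file (or the captured stdout of the Example Usage command run against a host list) and filter on `vulnerable_hosts`. Hosts whose port 8000 is open but where the script printed no block produce no record. Normal output is meant for humans and may change between Nmap releases; for anything longer-lived, parse the XML output (-oX) instead, which also carries the vulns library's fields as structured elements.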

Requires


Author:

  • Brendan Coles

License: Same as Nmap--See https://nmap.org/book/man-legal.html
