Nmap qconn-exec NSE Script
This page contains detailed information about how to use the qconn-exec NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/qconn-exec.nse
Script categories: intrusive, exploit, vuln
Target service / protocol: qconn, tcp
Target network port(s): 8000
List of CVEs: -
Script Description
The qconn-exec.nse script attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.
QNX is a commercial Unix-like real-time operating system, aimed primarily at the embedded systems market. The QCONN daemon is a service provider that provides support, such as profiling system information, to remote IDE components. The QCONN daemon runs on port 8000 by default.
For more information about QNX QCONN, see:
- http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html
- http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
- http://www.exploit-db.com/exploits/21520
- http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
Qconn-exec NSE Script Arguments
This is a full list of arguments supported by the qconn-exec.nse script:
qconn-exec.bytes: Set the number of bytes to retrieve. The default value is 1024.
qconn-exec.cmd: Set the operating system command to execute. The default value is "uname -a".
qconn-exec.timeout: Set the timeout in seconds. The default value is 30.
vulns.short: If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.
vulns.showall: If set, the library will show and report all the registered vulnerabilities, including the NOT VULNERABLE ones. By default the library will only report the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions: vulns.Report.make_output(), the default output function for portrule/hostrule scripts; vulns.make_output(), the default output function for postrule scripts; and the vulns.format_vuln() and vulns.format_vuln_table() functions.
- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:
nmap --script=qconn-exec --script-args qconn-exec.bytes=value,qconn-exec.cmd=value <target>
Qconn-exec NSE Script Example Usage
Here's an example of how to use the qconn-exec.nse script:
nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p <port> <target>
Qconn-exec NSE Script Example Output
Here's a sample output from the qconn-exec.nse script:
PORT STATE SERVICE VERSION
8000/tcp open qconn qconn remote IDE support
| qconn-exec:
| VULNERABLE:
| The QNX QCONN daemon allows remote command execution.
| State: VULNERABLE
| Risk factor: High
| Description:
| The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
| system commands as the 'root' user.
|
| References:
| http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
|_ http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
Qconn-exec NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce XML output and save it in the file.xml file.
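For triaging results saved with -oX, the following added example (not part of the Nmap project or the original page) lists the hosts whose qconn-exec result is a positive finding, so they can be queued for remediation. The XML sample is constructed, and the code assumes the script's text output sits in the output attribute of a <script> element with a "State:" line as in the sample output above; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output (not captured from a real scan).
# Addresses are from the RFC 5737 documentation range.
SAMPLE_XML = """<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8000"><state state="open"/>
      <script id="qconn-exec" output="&#10;  VULNERABLE:&#10;  The QNX QCONN daemon allows remote command execution.&#10;    State: VULNERABLE&#10;    Risk factor: High"/>
    </port></ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8000"><state state="open"/>
      <script id="qconn-exec" output="&#10;  NOT VULNERABLE:&#10;  The QNX QCONN daemon allows remote command execution.&#10;    State: NOT VULNERABLE"/>
    </port></ports></host>
  <host><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8000"><state state="closed"/></port></ports></host>
</nmaprun>"""

# States reported as positive findings (the list given under vulns.showall).
POSITIVE_STATES = {"VULNERABLE", "LIKELY VULNERABLE",
                   "VULNERABLE (DoS)", "VULNERABLE (Exploitable)"}
# Assumption: the state appears on its own "State: ..." line, as in the sample output.
STATE_LINE = re.compile(r"^[ \t]*State:[ \t]*(.+?)[ \t]*$", re.MULTILINE)

def qconn_findings(xml_text):
    """Return (address, port, state) for every qconn-exec result in the XML."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != "qconn-exec":
                    continue
                match = STATE_LINE.search(script.get("output", ""))
                state = match.group(1) if match else "UNKNOWN"
                findings.append((addr, int(port.get("portid")), state))
    return findings

def hosts_to_remediate(xml_text):
    """Exact-match the state so 'NOT VULNERABLE' is never counted as a hit."""
    return [(a, p) for a, p, s in qconn_findings(xml_text) if s in POSITIVE_STATES]

if __name__ == "__main__":
    for addr, port in hosts_to_remediate(SAMPLE_XML):
        print(f"{addr}:{port} flagged by qconn-exec; restrict or disable QCONN")
```

Matching the whole state string matters when vulns.showall is set, because a substring search for "VULNERABLE" would also flag hosts reported as NOT VULNERABLE.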
Author
- Brendan Coles
References
- https://nmap.org/nsedoc/scripts/qconn-exec.html
- https://github.com/nmap/nmap/tree/master/scripts/qconn-exec.nse
- http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html
- http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
- http://www.exploit-db.com/exploits/21520
- http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
Version
This page has been created based on Nmap version 7.92.