Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] New script: qnx-qconn.nse
From: Brendan Coles <bcoles () gmail com>
Date: Sun, 28 Jul 2013 20:09:37 +1000

Better late than never. I've implemented all suggested changes. Revised
script attached.

Example output:

PORT     STATE SERVICE VERSION
8000/tcp open  qconn   qconn remote IDE support
| qnx-qconn:
|   VULNERABLE:
|   The QNX QCONN daemon allows remote command execution.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       The QNX QCONN daemon allows unauthenticated users to execute
arbitrary operating
|       system commands as the 'root' user.
|
|     References:
|
http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
|_      http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec




On Mon, Oct 8, 2012 at 2:16 AM, Paulino Calderon
<paulino () calderonpale com>wrote:

El 07/10/2012 08:01 a.m., Henri Doreau escribió:

2012/10/7 Brendan Coles <bcoles () gmail com>:

Hi nmap-dev,

Attached is qnx-qconn.nse which attempts to identify whether a listening
QNX QCONN daemon is vulnerable to command execution.

It has been tested on:
* QNX Neutrino 6.5.0
* QNX Neutrino 6.5.0 SP1

Example output:

PORT     STATE SERVICE VERSION
8000/tcp open  qconn   syn-ack qconn remote IDE support
| qnx-qconn:
|   Version: QNX localhost 6.5.0 2012/06/20-13:50:50EDT x86pc x86
|
|   Vulnerable to command execution vulnerability:
|_  
http://metasploit.org/modules/**exploit/unix/misc/qnx_qconn_**exec<http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec>

Feedback and suggestions are welcomed.


--
Brendan Coles
http://itsecuritysolutions.**org/ <http://itsecuritysolutions.org/>

Hello,

thanks for the script. I have a couple suggestions beside Patrik's ones:
   - Adding the 'vuln' category
   - Using to the vulns library for reporting
   - Use stdnse.parse_timespec() when parsing timeout specification
from --script-args.

Also, unless I miss something, the tonumber() statements have no
effect. I don't think this function modifies its argument in-place.

Regards



______________________________**_________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/**mailman/listinfo/nmap-dev<http://cgi.insecure.org/mailman/listinfo/nmap-dev>
Archived at http://seclists.org/nmap-dev/

It would be great if there was an argument to run other commands too.

Cheers.

______________________________**_________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/**mailman/listinfo/nmap-dev<http://cgi.insecure.org/mailman/listinfo/nmap-dev>
Archived at http://seclists.org/nmap-dev/




-- 
Brendan Coles
http://itsecuritysolutions.org/

Attachment: qnx-qconn.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]