Pwning/Hacking QNX systems over QCONN

Yeah, you heard it right. Today we are going to take a look at how to hack into a QNX system over its QCONN port (8000).

Requirement:

  1. QNX 6.5.0 SP1 target ISO, running in VMware or VirtualBox.
  2. qconn daemon running on the target.
  3. Kali Linux (or any other machine that has netcat).

Qconn – It is the target-side agent that the QNX Momentics IDE talks to. Over it the IDE can browse the target's file system, list and inspect its processes, launch programs, and a lot more.

[Screenshots: QNX Momentics Target Process Navigator; QNX Momentics Target File System Navigator]

The above two are snapshots of what the QNX Momentics IDE shows.

Actual Hack :-

The thing with qconn is that it does not require a password, or any other authentication, for an incoming connection: whoever can reach port 8000 gets the same access the QNX Momentics IDE gets. This is a fundamental flaw which QNX Systems should look at.

In our case, we will take advantage of this flaw of qconn to obtain a root shell on the target from the attacking machine, using the simple steps below. We will use everybody's favourite "netcat" utility to connect and talk to it.

[Screenshot: QNX pwning sequence over qconn with netcat]

The above steps are pretty clear: point netcat at the IP address and port 8000 of the QNX machine, type in the lines shown above, and you are sorted!

NOTE:- This is the straightforward way; no buffer overflows and no bugs in code are exploited. It is simply how qconn is designed to behave, and that is a pretty big flaw.

However, in production systems qconn is generally not enabled, or port 8000 is blocked.

As per my research I could not find a single open qconn port (8000) on shodan.io for any device in the world; probably some smart hacker can figure that out as well.

Troubleshooting :-

  • In some cases you will need to change the location of the shell: instead of "/bin/sh" the shell on the system could be at "/usr/bin/sh", "/bin/ksh" or "/sbin/sh". Make the necessary change to the command on the "nc" input line.
  • Remember not to press Enter before the command is complete. If you get the shell location wrong, or press Enter before the end of the command, you may have to start the session over.
  • A better way is to write a Python script to automate this.


References and further reading :- (already existing write-ups)

  1. https://www.exploit-db.com/exploits/21520/ (I found it; this is the other way to do it)
  2. https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos
  3. http://illmatics.com/Remote%20Car%20Hacking.pdf

Where can this be used?

  1. University systems, for the curious hacker in you.
  2. Front-end industrial systems (this should not work there; if it does, you have found a gold mine).
  3. Routers, etc.

I have used this on QNX 6.5.0 systems, but I am sure that it will work as it is.

I suggest using this to satisfy your mental thirst.

In the next part, I will show you how I figured this out using Wireshark; until then, you folks can take this as homework.

Disclaimer:- I am not responsible for anybody using this hack in illegal ways*.

* – Every way.
