
Hacking QNX Systems Over Qconn

This is a simple user submitted guide on hacking QNX systems over the QCONN port (8000). In case you are wondering what a QNX system is, QNX is a mobile operating system that was originally developed for embedded systems. The operating system's developer, QNX Software Systems, was acquired by Research In Motion (RIM) and the OS was adapted for use in the BlackBerry PlayBook tablet. At the Geneva Motor Show, Apple demonstrated CarPlay, which provides an iOS-like user interface to head units in compatible vehicles. Once configured by the automaker, QNX can be programmed to hand off its display and certain functionality to an Apple CarPlay device. On Dec 11, 2014, Ford Motor Company stated the company would be replacing Microsoft Auto with QNX.


I guess that is enough intro. Let's get into the really interesting part.


Requirements:



  1. QNX system 650SP1 target ISO, running on VMware or VirtualBox.

  2. Qconn daemon running on the system

  3. Kali Linux (or any other system having netcat)


Qconn – It's a daemon which provides visibility into the file system and system processes and a lot more, via the QNX Momentics IDE.


Screenshots: Hacking QNX systems over QCONN (two images of the QNX Momentics IDE)


The above two are snapshots of what the QNX Momentics IDE shows.


Screenshot: Hacking QNX systems over QCONN


The thing with the QNX Momentics IDE is that it does not require a password to authenticate incoming qconn requests. This is a key flaw which QNX Systems should look at.


In our case, we will take advantage of this flaw in Qconn to obtain a root privilege shell on the attack machine, using the simple steps below. We will use everybody's favorite "netcat" utility to gain access and communicate. Run the following commands shown in the screenshot:


Screenshot: Hacking QNX systems over QCONN (netcat commands)


and you are in as a privileged user. This is really straightforward and does not require any complex buffer overflows or code vulnerabilities/exploits. It's just the way the QNX system is, and it is a pretty big flaw. However, in production grade systems "QCONN" is by and large not enabled or blocked.
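Since the only real fix the post offers is keeping qconn disabled or blocked in production, one defender-side check is to watch for any connection to TCP/8000 on hosts known to run QNX. The Python below is an added example, not code from the original post; its flow-record format, QNX host inventory and developer subnet are constructed assumptions.

```python
"""Flag inbound connections to the QNX qconn port (TCP 8000).

Any such connection to a production QNX host is suspect, because qconn is a
development-time service with no authentication. Connections from the
developer workstation subnet are lower severity; anything else is high.
Log format, inventory and subnet values below are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

QCONN_PORT = 8000

# Constructed inventory: hosts running QNX, and the subnet where Momentics IDE
# workstations (the only legitimate qconn clients) live.
QNX_HOSTS = {"10.0.5.20", "10.0.5.21"}
DEV_SUBNET = ipaddress.ip_network("10.0.9.0/24")


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    severity: str
    reason: str


def parse_line(line):
    """Parse a constructed 'src=A dst=B dport=N proto=tcp' flow record."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return (fields.get("src"), fields.get("dst"),
            int(fields.get("dport", 0)), fields.get("proto", ""))


def qconn_exposure_alerts(lines):
    """Return one Alert per TCP/8000 connection aimed at a known QNX host."""
    alerts = []
    for line in lines:
        src, dst, dport, proto = parse_line(line)
        if proto != "tcp" or dport != QCONN_PORT or not src or not dst:
            continue
        if dst not in QNX_HOSTS:
            continue  # port 8000 on a non-QNX host is some other service
        if ipaddress.ip_address(src) in DEV_SUBNET:
            alerts.append(Alert(src, dst, "medium",
                                "qconn reachable from dev subnet; confirm host is not production"))
        else:
            alerts.append(Alert(src, dst, "high",
                                "qconn connection from unauthorised host"))
    return alerts


# Constructed sample flow records for a stand-alone run.
SAMPLE_FLOWS = [
    "src=10.0.9.14 dst=10.0.5.20 dport=8000 proto=tcp",
    "src=203.0.113.7 dst=10.0.5.21 dport=8000 proto=tcp",
    "src=203.0.113.7 dst=10.0.5.21 dport=22 proto=tcp",
    "src=10.0.9.14 dst=10.0.7.3 dport=8000 proto=tcp",
]

if __name__ == "__main__":
    for alert in qconn_exposure_alerts(SAMPLE_FLOWS):
        print(alert)
```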


As per my research I could not find a single open Qconn port (8000) on shodan.io for any device in the world; probably some smart hacker can figure that out as well.


Troubleshoot



  • In some cases, you will need to change the location of the shell, i.e. instead of "/bin/sh" the shell on the system could be located at "/usr/bin/sh" or "/bin/ksh" or "/sbin/sh"; make the necessary changes to the command on the "nc" input line.

  • Remember, do not press enter before the command is finished. Also, if you get the shell location wrong or press enter before the end of the command, then you may have to restart.

  • Better way: write a python script to automate it.


References and further reading (existing ones)



  1. https://www.exploit-db.com/exploits/21520/ (I found it the other way to do it)

  2. https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos

  3. http://illmatics.com/Remote%20Car%20Hacking.pdf


Where can this be used?



  1. University systems, for the curious hacker in you

  2. Front end industrial systems (this should not work here; if it does, you found a gold mine)

  3. Routers etc.


As stated earlier, this is a user submitted post. Please see the original article link submitted by Abhijit:


https://abhijitlamsogeblog.wordpress.com/2016/05/04/pwninghacking-qnx-systems-over-qconn/


User submission notes: by Abhijit



Hi Blackmoreops,

Your site has always been a great reference point for me, so I thought I would contribute something to it.

This is an article I wrote on how to hack QNX systems' QCONN port for fun.

It is a simple article just for fun, which if you like you can put up on your website.


Thanks


Abhijit


Disclaimer:- Submitter or BMO is not responsible for anybody using this hack in illegal ways*.



