Code Injection in quickbox/qb

Valid

Reported on

Dec 8th 2021


Description

While this is a theoretical finding the code seems to be vulnerable to Remote Code Execution

Proof of Concept Description

At line 406 you can see the following code:

$process = $_GET['serviceenable'];

This means we can do /dashboard/inc/config.php?serviceenable=ourvalue

Now between line 406 and 448 we can see that the values which are accepted are predefined except the 'else' statement.

This uses the following code:

  shell_exec("sudo systemctl enable $process@$username");
  shell_exec("sudo systemctl start $process@$username");

There are 3 things to note here:

  1. the shell_exec command is used which grants wathever value is used to execute system commands
  2. the sudo command is executed (assuming it has permissions to run systemctl without prompting for credentials this could lead to privilege escalation
  3. the parameter $process is parsing a shell command unsanitized / unescaped to the value through a GET parameter, this is dangerous as it allows user supplied input to control the execution flow.

Impact

Privilege Escalation & Remote Code Execution

Solution

You would want to use escapeshellarg() to sanitize the $process parameter. Example: $process = escapeshellarg($_GET['serviceenable']);

CVE Information

On approval of this vulnerability and confirmatin of a fix a CVE number will be requested

References

We are processing your report and will contact the quickbox/qb team within 24 hours. 6 months ago
WebSEC.nl submitted a
6 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 6 months ago
WebSEC.nl
6 months ago

Researcher


Another RCE has been discovered in another parameter in QuickBox Pro v2.4.8

Both QuickBox Pro v2.4.8 and QuickBox CE v2.5.8 are vulnerable to RCE, just a different parameter.

2 CVE's will be requested in the coming days, I will also be developing a PoC Exploit for this as a means to get a better understanding of the finding.

WebSEC.nl
6 months ago

Researcher


Meanwhile you can check out the PoC video here: https://i.gyazo.com/2b822530fe7a73a95f865cb270e01bd9.mp4

WebSEC.nl
6 months ago

Researcher


Video: https://screencast-o-matic.com/watch/crl6VvV20Mh

  • Exploit code available as 0-day (I will provide you with it on request)
We have contacted a member of the quickbox/qb team and are waiting to hear back 6 months ago
WebSEC.nl
6 months ago

Researcher


I just noticed that this issue has been discovered before me, it has just not been patched. This is not a 0day but a 1-day unfortunatley, finding can be closed.

WebSEC.nl
6 months ago

Researcher


I did submit a patch for it in github... however I am not sure the coders will do something with it.

quickbox/qb maintainer
6 months ago

Maintainer


I am currently patching this up on the Community Edition on GitHub. I had not seen a submitted PR for this on the QB Github. The project is no longer maintained full time as I focus developments on Pro. However, I will be working to resolve these findings as soon as possible. Thank you again for your findings, as well as your discretion.

WebSEC.nl
6 months ago

Researcher


Ah, thank you so much for the feedback. You are welcome. I am happy to see that this issue will be resolved, If I can help you with something please do let me know. :)

We have sent a follow up to the quickbox/qb team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the quickbox/qb team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the quickbox/qb team. This report is now considered stale. 5 months ago
quickbox/qb maintainer validated this vulnerability 4 months ago
WebSEC.nl has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on 61c42a 4 months ago
WebSEC.nl has been awarded the fix bounty
to join this conversation