Code Injection in quickbox/qb
Dec 8th 2021
While this is a theoretical finding, the code appears to be vulnerable to Remote Code Execution.
Proof of Concept Description
At line 406 you can see the following code:
$process = $_GET['serviceenable'];
This means a request of the form /dashboard/inc/config.php?serviceenable=ourvalue controls $process.
Between lines 406 and 448 the accepted values are predefined, except in the 'else' branch.
This uses the following code:
shell_exec("sudo systemctl enable $process@$username");
shell_exec("sudo systemctl start $process@$username");
There are 3 things to note here:
- shell_exec() is used, which passes whatever value is supplied straight to the system shell for execution
- the command runs under sudo (assuming the web user can run systemctl without being prompted for credentials, this could lead to privilege escalation)
- the $process parameter is interpolated into the shell command unsanitized / unescaped from a GET parameter; this is dangerous because it lets user-supplied input control the execution flow.
Privilege Escalation & Remote Code Execution
You would want to use escapeshellarg() to sanitize the $process parameter. Example:
$process = escapeshellarg($_GET['serviceenable']);
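As an added illustration (not QuickBox's own code), the vulnerable pattern quoted above beside a hardened version that restricts $process to the predefined service names and quotes the unit name before it reaches the shell; the service names and the $username validation pattern are assumptions:

```php
<?php
// Added example, not code from the QuickBox project. Service names below are
// placeholders standing in for the predefined values the original if/elseif
// chain accepts.

// Vulnerable form: the query-string value is interpolated directly into a
// shell command that runs under sudo.
function enable_service_vulnerable(string $username): void
{
    $process = $_GET['serviceenable'];
    shell_exec("sudo systemctl enable $process@$username");
    shell_exec("sudo systemctl start $process@$username");
}

// Hardened form: allowlist the service name, validate the username, and
// quote the whole unit name so the shell treats it as a single argument.
const ALLOWED_SERVICES = ['example-service-a', 'example-service-b']; // assumed placeholders

function enable_service_hardened(string $username): ?string
{
    $process = $_GET['serviceenable'] ?? '';

    // Reject anything that is not one of the predefined services.
    if (!in_array($process, ALLOWED_SERVICES, true)) {
        http_response_code(400);
        return null;
    }

    // Assumed username policy: lowercase POSIX-style account names only.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $username)) {
        http_response_code(400);
        return null;
    }

    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded quote, so metacharacters cannot break out of the argument.
    $unit = escapeshellarg("$process@$username");
    shell_exec("sudo systemctl enable $unit");
    shell_exec("sudo systemctl start $unit");
    return $unit;
}
```

The allowlist check is the primary control; escapeshellarg() is defence in depth in case a later change widens what $process may contain.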
On approval of this vulnerability and confirmation of a fix, a CVE number will be requested.
Another RCE has been discovered in another parameter in QuickBox Pro v2.4.8
Both QuickBox Pro v2.4.8 and QuickBox CE v2.5.8 are vulnerable to RCE, just a different parameter.
2 CVE's will be requested in the coming days, I will also be developing a PoC Exploit for this as a means to get a better understanding of the finding.
Meanwhile you can check out the PoC video here: https://i.gyazo.com/2b822530fe7a73a95f865cb270e01bd9.mp4
- Exploit code available as 0-day (I will provide you with it on request)
I just noticed that this issue has been discovered before me, it has just not been patched. This is not a 0day but a 1-day unfortunately, finding can be closed.
I did submit a patch for it on GitHub... however I am not sure the coders will do something with it.
I am currently patching this up on the Community Edition on GitHub. I had not seen a submitted PR for this on the QB Github. The project is no longer maintained full time as I focus developments on Pro. However, I will be working to resolve these findings as soon as possible. Thank you again for your findings, as well as your discretion.
Ah, thank you so much for the feedback. You are welcome. I am happy to see that this issue will be resolved. If I can help you with something please do let me know. :)