
+ Credits: Maxim Tomashevich from Thegrideon Software
+ Website: https://www.thegrideon.com/
+ Details: https://www.thegrideon.com/qb-internals-sql.html

Vendor:
---------------------
www.intuit.com
www.intuit.ca
www.intuit.co.uk

Product:
---------------------
QuickBooks Desktop
versions: 2007 - 2016

Vulnerability Type:
---------------------
Arbitrary SQL / Code Execution

Vulnerability Details:
---------------------
QuickBooks company files are SQL Anywhere database files, and the other QB formats are based on SQL Anywhere features as well. SQL code (Watcom SQL) is an important part of the QB workflow; it is arguably more powerful than VBA in MS Access or Excel, and at the same time it is completely hidden and starts automatically with every opened file!

Functions like xp_write_file and xp_cmdshell are included by default, allowing "rootkit" installation in just 3 lines of code: get data from a table -> xp_write_file -> xp_cmdshell. A procedure in one database can be used to insert code into another, directly or using the current user's credentials. Moreover, the real database content is hidden from QuickBooks users, so there is virtually unlimited storage for code, stolen data, etc.

QBX (accountant's transfer copies) and QBM (portable company files) are even easier to modify, yet they are supposed to be sent to an outside accountant for processing during the normal workflow. QBX and QBM are compressed SQL dumps, so modifying the SQL is no harder than replacing the zlib-compressed "reload.sql" file inside the compound file.

In all cases QuickBooks does not attempt (and has no way) to verify the SQL scripts, and it starts them automatically with "DBA" privileges.

It should be obvious that all outside files (qbw, qba, qbx, qbm) should be considered extremely dangerous.

SQL Anywhere is built for embedded applications, so there are a number of tricks and functions (like the SET HIDDEN clause) to protect SQL code from analysis, which makes this a severe QuickBooks design flaw.

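A triage check for the file formats described above, added here as an example and not part of the original advisory: it walks a blob for zlib stream headers, inflates each complete stream (the advisory says QBX/QBM carry a zlib-compressed "reload.sql"), and flags Watcom SQL that calls xp_write_file or xp_cmdshell or hides a procedure body with SET HIDDEN. The container layout and the sample bytes are constructed assumptions, not the real QBM/QBX structure.

```python
"""Flag xp_cmdshell / xp_write_file / SET HIDDEN in zlib streams inside a blob."""
import re
import zlib

# SQL Anywhere features the advisory names: procedures that write files or
# run OS commands, and the clause that hides a procedure body from review.
SUSPICIOUS = re.compile(r"\b(xp_cmdshell|xp_write_file|SET\s+HIDDEN)\b", re.I)
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def inflate_streams(blob: bytes):
    """Yield (offset, text) for every complete zlib stream found in blob."""
    for pos in range(len(blob) - 1):
        if blob[pos:pos + 2] not in ZLIB_HEADERS:
            continue
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[pos:])
        except zlib.error:
            continue
        if d.eof:  # a real stream ends cleanly; random bytes almost never do
            yield pos, data.decode("latin-1")


def scan_container(blob: bytes):
    """Return (offset, keyword) findings for every embedded SQL stream."""
    findings = []
    for offset, sql in inflate_streams(blob):
        for m in SUSPICIOUS.finditer(sql):
            findings.append((offset, re.sub(r"\s+", " ", m.group(1)).lower()))
    return findings


# Constructed sample (not a real QBM/QBX file): padding, a harmless
# procedure, then a "reload.sql"-style stream using the advisory's pattern
# of table read -> xp_write_file -> xp_cmdshell, hidden with SET HIDDEN.
BENIGN_SQL = b"CREATE PROCEDURE p_report() BEGIN SELECT * FROM customer; END"
HIDDEN_SQL = (b"CREATE PROCEDURE p_login() BEGIN\n"
              b"  SELECT payload INTO @blob FROM stash;\n"
              b"  CALL xp_write_file('dropped.bin', @blob);\n"
              b"  CALL xp_cmdshell('notepad.exe');\nEND;\n"
              b"ALTER PROCEDURE p_login SET HIDDEN;")


def build_sample() -> bytes:
    """Assemble the constructed container around the two compressed streams."""
    return (b"\x00" * 16 + zlib.compress(BENIGN_SQL) + b"JUNK" * 4
            + zlib.compress(HIDDEN_SQL) + b"\xff" * 8)
```

Running scan_container(build_sample()) reports the three keywords at the offset of the second stream and nothing for the harmless procedure.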
Proof of Concept:
---------------------
Below you can find a company file created in QB 2009 and modified to start "Notepad.exe" upon every user login (Admin, no password). This example will work in any version, including 2016 (US, CA, UK): the login procedure must execute in order to check the QB version or edition or to start an update, so you will see Notepad before the QB "wrong version" error message.

https://www.thegrideon.com/qbint/QBFp.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39804.zip

Disclosure Timeline:
---------------------
Contacted Vendor: 2016-03-21
Contacted PCI Security Consul: 2016-04-15
PCI Security Consul: 2016-04-19 "we are looking into this matter", but no details requested.
PoC sent to Vendor: 2016-04-26
[Unexpected and strange day-by-day activity from Intuit India employees on our website without any attempt to communicate -> public disclosure.]
Public Disclosure: 2016-05-10

Severity Level:
---------------------
High

Disclaimer:
---------------------
Permission is hereby granted for the redistribution of this text, provided that it is not altered except by reformatting, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.