Developing a Remote Code Execution exploit for a popular media box

Vulnerability Name: Authenticated Remote Code Execution

Vulnerability Description: The config.php file has a variable that takes its value from a GET parameter and passes it to a shell_exec() call without sanitizing any shell arguments, so remote code execution is possible.

Additionally, because the media server runs as root by default, attackers can use the sudo command within this shell_exec() call, which allows privilege escalation by means of (Authenticated) Remote Code Execution.
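
The pattern described above next to a hardened counterpart, as an added example that is not QuickBox code or the researchers' own. The parameter name "service", the service names and the systemctl command are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not taken from QuickBox's config.php.
// The "service" parameter, the names below and the command are constructed.

// Pattern the advisory describes (kept as a comment, never executed here):
//   $out = shell_exec('sudo systemctl restart ' . $_GET['service']);
// The request value reaches /bin/sh unquoted, so the shell interprets it.

const ALLOWED_SERVICES = ['service-a', 'service-b']; // constructed allowlist

function restart_command(string $service): ?string
{
    // 1. Allowlist: accept only exact, known values (strict comparison).
    if (!in_array($service, ALLOWED_SERVICES, true)) {
        return null;
    }
    // 2. Defence in depth: quote the argument even though it is allowlisted.
    return 'systemctl restart ' . escapeshellarg($service);
}

function handle_request(array $query): array
{
    $service = $query['service'] ?? '';
    if (!is_string($service)) {          // ?service[]=x arrives as an array
        return [400, 'invalid parameter'];
    }
    $cmd = restart_command($service);
    if ($cmd === null) {
        return [400, 'unknown service'];
    }
    // Returned instead of executed so the example has no side effects.
    // A real handler would run it from a non-root account whose sudoers
    // entry permits only this exact command.
    return [200, $cmd];
}

// Constructed sample inputs: one valid name, one with a shell
// metacharacter, one array-typed parameter.
foreach (['service-a', 'service-a;x', ['x']] as $input) {
    [$code, $body] = handle_request(['service' => $input]);
    printf("%-16s -> %d %s\n", json_encode($input), $code, $body);
}
```

Only the first input yields a command; the other two are rejected with a 400 before any string reaches a shell.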

Vendor Name: QuickBox
Vendor Affected Versions:
- QuickBox Pro v2.4.8
- QuickBox Community Edition v2.5.8

Responsible Disclosure platform:
Responsible Disclosure status: Finished

Exploitation Proof-of-Concept Video:

Other findings in QuickBox:

- Stored XSS
- Reflected XSS -> CVE-2021-45281
- Violation of secure design principle
- Cross-Site Request Forgery
- Improper Access Control
- Remote Code Execution (Different Version) -> CVE-2021-44981

CVE Status: Requested (5), 1/5 already issued.
Credits: Joel Aviad Ossi, Jelle Ermerins, Alexander Bode

Writeup: Coming soon