Developing a Remote Code Execution exploit for a popular media box

by Joël Aviad Ossi

Vulnerability Name: Authenticated Remote Code Execution

Vulnerability Description: The config.php file has a variable that takes a GET parameter value and passes it to a shell_exec() call without properly sanitizing the shell arguments, so remote code execution is possible.

Additionally, because the media server runs as root by default, attackers can use the sudo command within this shell_exec() call, which allows privilege escalation by means of (Authenticated) Remote Code Execution.
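
The pattern described above next to a hardened form, as an added example. This is not QuickBox source code: the parameter name `service`, the `systemctl` command and the allowlist values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not taken from QuickBox.

// Vulnerable pattern: request data is concatenated into a shell command
// line, so shell metacharacters in the value are interpreted by /bin/sh.
function service_status_unsafe(array $query)
{
    return shell_exec('systemctl status ' . $query['service']);
}

// Hardened form: accept only values from a fixed allowlist, then start the
// program without a shell by passing argv as an array (proc_open, PHP 7.4+).
const ALLOWED_SERVICES = ['rtorrent', 'deluge', 'plex']; // constructed sample values

function service_status_safe(array $query): string
{
    $service = $query['service'] ?? '';
    if (!is_string($service) || !in_array($service, ALLOWED_SERVICES, true)) {
        throw new InvalidArgumentException('unknown service');
    }
    $argv = ['systemctl', 'status', '--no-pager', $service];
    $spec = [
        1 => ['pipe', 'w'],               // capture stdout
        2 => ['file', '/dev/null', 'w'],  // discard stderr
    ];
    $pipes = [];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Constructed input containing a shell metacharacter: the allowlist check
// rejects it before any process is started.
if (PHP_SAPI === 'cli') {
    try {
        service_status_safe(['service' => 'plex; echo injected']);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Input validation addresses the injection only; running the web process as an unprivileged user without blanket sudo rights limits what any remaining command execution bug can reach.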

Vendor Name: QuickBox
Vendor Affected Versions:
- QuickBox Pro v2.4.8
- QuickBox Community Edition v2.5.8

Responsible Disclosure platform: huntr.dev
Responsible Disclosure status: In Progress

Exploitation Proof-of-Concept Video:

Other findings in QuickBox:

- Stored XSS
- Reflected XSS
- Violation of secure design principle
- Cross-Site Request Forgery
- Improper Access Control

CVE Status: Requested (5)
Credits: Joel Aviad Ossi, Jelle Ermerins, Alexander Bode

Writeup: Coming soon