Vulnerability Name: Authenticated Remote Code Execution
Vulnerability Description: The config.php file has a variable that takes a GET parameter value and passes it into a shell_exec('') function without properly sanitizing any shell arguments; therefore, remote code execution is possible.
Additionally, as the media server runs as root by default, attackers can use the sudo command within this shell_exec('') function, which allows for privilege escalation by means of (Authenticated) Remote Code Execution.
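The pattern described above, shown as an added example next to a hardened form that validates the input against an allow-list and runs the command without a shell. This is not QuickBox source code: the `service` parameter, the `systemctl` command and the service names are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);
// Added illustration, not QuickBox source. The "service" parameter, the
// systemctl command and the service names are hypothetical stand-ins.

// Vulnerable pattern: request input concatenated into a shell command line,
// e.g. restart_unsafe($_GET['service']). The shell interprets ; | & $() in it.
function restart_unsafe(string $service): ?string
{
    $out = shell_exec('systemctl restart ' . $service);
    return is_string($out) ? $out : null;
}

// Hardened form, step 1: map input onto a fixed allow-list; reject the rest.
const ALLOWED_SERVICES = ['plex', 'rtorrent', 'deluge']; // constructed list

function build_restart_argv(string $service): array
{
    if (!in_array($service, ALLOWED_SERVICES, true)) {
        throw new InvalidArgumentException('service not in allow-list');
    }
    return ['systemctl', 'restart', $service . '.service'];
}

// Step 2: run the argv directly. With an array command (PHP >= 7.4),
// proc_open() does not start a shell, so no metacharacter is interpreted.
function restart_safe(string $service): int
{
    $argv = build_restart_argv($service);
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    foreach ($pipes as $pipe) {
        stream_get_contents($pipe); // drain output so the child cannot block
        fclose($pipe);
    }
    return proc_close($proc); // exit status of the command
}

// Demo on constructed inputs; only the validation step runs here.
foreach (['plex', 'plex; echo INJECTED', '../plex', ''] as $input) {
    try {
        $result = implode(' ', build_restart_argv($input));
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    echo var_export($input, true), ' -> ', $result, PHP_EOL;
}
```

Running the web process as an unprivileged user without sudo rights limits the impact of any remaining command execution flaw, which addresses the root-by-default issue noted above.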
Vendor Name: QuickBox
Vendor Affected Versions:
- QuickBox Pro v2.4.8
- QuickBox Community Edition v2.5.8
Responsible Disclosure platform: huntr.dev
Responsible Disclosure status: Finished
Exploitation Proof-of-Concept Video:
Other findings in QuickBox:
- Stored XSS
- Reflected XSS -> CVE-2021-45281
- Violation of secure design principle
- Cross-Site Request Forgery
- Improper Access Control
- Remote Code Execution (Different Version) -> CVE-2021-44981
CVE Status: Requested (5), 1/5 already issued.
Credits: Joel Aviad Ossi, Jelle Ermerins, Alexander Bode
Writeup: Coming soon