our findings

Developing a Remote Code Execution exploit for a popular media box

10 December, 2021

Vulnerability Name: Authenticated Remote Code Execution

Vulnerability Description: The config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible.

Additionally as the media server is running as root by default attackers can use the sudo command within this shell_exec(''); function, this allows for privilege escalation by means of (Authenticated) Remote Code Execution.

Vendor Name: Quickbox
Vendor Affected Versions:
- QuickBox Pro v2.4.8
- QuickBox Community Edition v2.5.8

Responsible Disclosure platform: huntr.dev
Responsible Disclosure status: Finished

Exploitation Proof-of-Concept Video:

Other findings in quickbox:

- Stored XSS
- Reflected XSS  -> CVE-2021-45281
- Violation of secure design principle
- Cross-Site Request Forgery
- Improper Access Control
- Remote Code Execution (Different Version) -> CVE-2021-44981

CVE Status: Requested (5) , 1/5 Already issued.
Credits: Joel Aviad Ossi, Jelle Ermerins, Alexander Bode

Writeup: Coming soon



Authored By

Founder & Pentester

Deel met de wereld!


Bent u er echt zeker van dat uw organisatie veilig is?

Bij WebSec helpen we u deze vraag te beantwoorden door geavanceerde beveiligingsbeoordelingen uit te voeren.

Wil je meer weten? Plan een gesprek in met een van onze experts.

Afspraak Inplannen
Authored By

Founder & Pentester