our findings

Developing a Remote Code Execution exploit for a popular media box

Joel Aviad Ossi
10 December, 2021

Vulnerability Name: Authenticated Remote Code Execution

Vulnerability Description: The config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible.

Additionally as the media server is running as root by default attackers can use the sudo command within this shell_exec(''); function, this allows for privilege escalation by means of (Authenticated) Remote Code Execution.

Vendor Name: Quickbox
Vendor Affected Versions:
- QuickBox Pro v2.4.8
- QuickBox Community Edition v2.5.8

Responsible Disclosure platform: huntr.dev
Responsible Disclosure status: Finished

Exploitation Proof-of-Concept Video:

Other findings in quickbox:

- Stored XSS
- Reflected XSS  -> CVE-2021-45281
- Violation of secure design principle
- Cross-Site Request Forgery
- Improper Access Control
- Remote Code Execution (Different Version) -> CVE-2021-44981

CVE Status: Requested (5) , 1/5 Already issued.
Credits: Joel Aviad Ossi, Jelle Ermerins, Alexander Bode

Writeup: Coming soon



Authored By
Joel Aviad Ossi

Managing Director

Share with the world!

Need Security?

Are you really sure your organization is secure?

At WebSec we help you answer this question by performing advanced security assessments.

Want to know more? Schedule a call with one of our experts.

Schedule a call
Authored By
Joel Aviad Ossi

Managing Director