lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAANd3VK6Aw6FBqnz4Vzp/Y97CgAAAEAAAAAYYFCxpfTdNvLHQyf3ibOgBAAAAAA==@thegrideon.com>
Date: Tue, 10 May 2016 22:31:39 +0300
From: "Thegrideon Software" <info@...grideon.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] Intuit QuickBooks 2007 - 2016 Arbitrary Code Execution

+ Credits: Maxim Tomashevich from Thegrideon Software
+ Website: https://www.thegrideon.com/
+ Details: https://www.thegrideon.com/qb-internals-sql.html

Vendor:
---------------------
www.intuit.com, www.intuit.ca, www.intuit.co.uk

Product:
---------------------
QuickBooks Desktop versions: 2007 - 2016

Vulnerability Type:
---------------------
Arbitrary SQL / Code Execution

Vulnerability Details:
---------------------
QuickBooks company files are SQL Anywhere database files and other QB
formats are based on SQL Anywhere features as well. SQL code (Watcom SQL) is
important part of QB workflow and it is arguably more powerful than VBA in
MS Access or Excel and at the same time it is completely hidden and starts
automatically with every opened file!
Functions like xp_write_file, xp_cmdshell are included by default allowing
"rootkit" installation in just 3 lines of code: get data from table ->
xp_write_file -> xp_cmdshell. Procedure in one database can be used to
insert code into another directly or using current user credential. Moreover
real database content is hidden from QuickBooks users, so there is virtually
unlimited storage for code, stolen data, etc.
QBX (accountant's transfer copies) and QBM (portable company files) are even
easier to modify but supposed to be send to outside accountant for
processing during normal workflow. QBX and QBM are compressed SQL dumps, so
SQL modification is as hard as replacing zlib compressed "reload.sql" file
inside compound file!

In all cases QuickBooks do not attempt (and have no ways) to verify SQL
scripts and start them automatically with "DBA" privileges, thus it should
be obvious that all outside files (qbw, qba, qbx, qbm) should be considered
extremely dangerous.
SQL Anywhere is built for embedded applications so there are number of
tricks and functions (like SET HIDDEN clause) to protect SQL code from
analysis making this severe QuickBooks design flaw.

Proof of Concept:
---------------------
Below you can find company file created in QB 2009 and modified to start
"Notepad.exe" upon every user login (Admin, no pass). This example will work
in any version including 2016 (US, CA, UK) - login procedure execution is
required in order to check QB version or edition or to start update, so you
will see Notepad before QB "wrong version" error message.
https://www.thegrideon.com/qbint/QBFp.zip

Disclosure Timeline:
---------------------
Contacted Vendor: 2016-03-21
Contacted PCI Security Consul: 2016-04-15
PCI Security Consul: 2016-04-19 "we are looking into this matter", but no
details requested.
PoC sent to Vendor: 2016-04-26
[unexpected and strange day by day activity from Intuit India employees on
our website without any attempts to communicate -> public disclosure.]
Public Disclosure: 2016-05-10

Severity Level:
---------------------
High

Disclaimer:
---------------------
Permission is hereby granted for the redistribution of this text, provided
that it is not altered except by reformatting, and that due credit is given.
Permission is explicitly given for insertion in vulnerability databases and
similar, provided that due credit is given to the author. The author is not
responsible for any misuse of the information contained herein and prohibits
any malicious use of all security related information or exploits by the
author or elsewhere.



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ