[<prev] [next>] [day] [month] [year] [list]
Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAANd3VK6Aw6FBqnz4Vzp/Y97CgAAAEAAAAAYYFCxpfTdNvLHQyf3ibOgBAAAAAA==@thegrideon.com>
Date: Tue, 10 May 2016 22:31:39 +0300
From: "Thegrideon Software" <info@...grideon.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] Intuit QuickBooks 2007 - 2016 Arbitrary Code Execution
+ Credits: Maxim Tomashevich from Thegrideon Software
+ Website: https://www.thegrideon.com/
+ Details: https://www.thegrideon.com/qb-internals-sql.html
Vendor:
---------------------
www.intuit.com, www.intuit.ca, www.intuit.co.uk
Product:
---------------------
QuickBooks Desktop versions: 2007 - 2016
Vulnerability Type:
---------------------
Arbitrary SQL / Code Execution
Vulnerability Details:
---------------------
QuickBooks company files are SQL Anywhere database files and other QB
formats are based on SQL Anywhere features as well. SQL code (Watcom SQL) is
important part of QB workflow and it is arguably more powerful than VBA in
MS Access or Excel and at the same time it is completely hidden and starts
automatically with every opened file!
Functions like xp_write_file, xp_cmdshell are included by default allowing
"rootkit" installation in just 3 lines of code: get data from table ->
xp_write_file -> xp_cmdshell. Procedure in one database can be used to
insert code into another directly or using current user credential. Moreover
real database content is hidden from QuickBooks users, so there is virtually
unlimited storage for code, stolen data, etc.
QBX (accountant's transfer copies) and QBM (portable company files) are even
easier to modify but supposed to be send to outside accountant for
processing during normal workflow. QBX and QBM are compressed SQL dumps, so
SQL modification is as hard as replacing zlib compressed "reload.sql" file
inside compound file!
In all cases QuickBooks do not attempt (and have no ways) to verify SQL
scripts and start them automatically with "DBA" privileges, thus it should
be obvious that all outside files (qbw, qba, qbx, qbm) should be considered
extremely dangerous.
SQL Anywhere is built for embedded applications so there are number of
tricks and functions (like SET HIDDEN clause) to protect SQL code from
analysis making this severe QuickBooks design flaw.
Proof of Concept:
---------------------
Below you can find company file created in QB 2009 and modified to start
"Notepad.exe" upon every user login (Admin, no pass). This example will work
in any version including 2016 (US, CA, UK) - login procedure execution is
required in order to check QB version or edition or to start update, so you
will see Notepad before QB "wrong version" error message.
https://www.thegrideon.com/qbint/QBFp.zip
Disclosure Timeline:
---------------------
Contacted Vendor: 2016-03-21
Contacted PCI Security Consul: 2016-04-15
PCI Security Consul: 2016-04-19 "we are looking into this matter", but no
details requested.
PoC sent to Vendor: 2016-04-26
[unexpected and strange day by day activity from Intuit India employees on
our website without any attempts to communicate -> public disclosure.]
Public Disclosure: 2016-05-10
Severity Level:
---------------------
High
Disclaimer:
---------------------
Permission is hereby granted for the redistribution of this text, provided
that it is not altered except by reformatting, and that due credit is given.
Permission is explicitly given for insertion in vulnerability databases and
similar, provided that due credit is given to the author. The author is not
responsible for any misuse of the information contained herein and prohibits
any malicious use of all security related information or exploits by the
author or elsewhere.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists