Intuit QuickBooks 2007 - 2016 Arbitrary Code Execution



+ Credits: Maxim Tomashevich from Thegrideon Software
+ Website: https://www.thegrideon.com/
+ Details: https://www.thegrideon.com/qb-internals-sql.html

Vendor:
---------------------
www.intuit.com
www.intuit.ca
www.intuit.co.uk


Product:
---------------------
QuickBooks Desktop
versions: 2007 - 2016


Vulnerability Type:
---------------------
Arbitrary SQL / Code Execution


Vulnerability Details:
---------------------
QuickBooks company files are SQL Anywhere database files, and the other QB formats 
are based on SQL Anywhere features as well. SQL code (Watcom SQL) is an important 
part of the QB workflow; it is arguably more powerful than VBA in MS Access or 
Excel, yet it is completely hidden and starts automatically 
with every opened file!
Functions like xp_write_file and xp_cmdshell are included by default, allowing 
a "rootkit" to be installed in just 3 lines of code: get data from a table -> 
xp_write_file -> xp_cmdshell. A procedure in one database can be used to insert 
code into another, directly or using the current user's credentials. Moreover, the real 
database content is hidden from QuickBooks users, so there is virtually 
unlimited storage for code, stolen data, etc.
QBX (accountant's transfer copies) and QBM (portable company files) are even 
easier to modify, yet they are meant to be sent to an outside accountant for processing 
as part of the normal workflow. QBX and QBM are compressed SQL dumps, so modifying the SQL 
is only as hard as replacing the zlib-compressed "reload.sql" file inside the 
compound file.
In all cases QuickBooks does not attempt (and has no way) to verify SQL scripts, 
and it starts them automatically with "DBA" privileges.
It should be obvious that all files received from outside (qbw, qba, qbx, qbm) should be 
considered extremely dangerous.
SQL Anywhere is built for embedded applications, so there are a number of tricks 
and functions (like the SET HIDDEN clause) to protect SQL code from analysis, which makes 
this a severe QuickBooks design flaw.
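Added example (not from the advisory or from Thegrideon): a small Python triage script for the SQL dump format described above. It assumes the zlib-compressed "reload.sql" payload has already been extracted from the QBX/QBM compound file, inflates it, and flags lines that reference the primitives this advisory calls out (xp_cmdshell, xp_write_file, SET HIDDEN) so a file can be reviewed before it is ever opened in QuickBooks. The sample SQL and the pattern list are constructed for the demonstration.

```python
import re
import zlib

# Procedures and clauses the advisory names as the risky primitives.
# Constructed list: extend it with whatever your own policy forbids.
RISKY_PATTERNS = {
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.IGNORECASE),
    "xp_write_file": re.compile(r"\bxp_write_file\b", re.IGNORECASE),
    "SET HIDDEN": re.compile(r"\bSET\s+HIDDEN\b", re.IGNORECASE),
}


def inflate_reload_sql(blob: bytes) -> str:
    """Inflate a zlib-compressed reload.sql payload to text."""
    return zlib.decompress(blob).decode("utf-8", errors="replace")


def scan_sql(script: str) -> list:
    """Return (line_no, finding, line) for every line that references a
    risky procedure or clause. Pure '--' comment lines are skipped so that
    commentary alone does not raise an alert."""
    findings = []
    for no, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("--"):
            continue
        for name, pattern in RISKY_PATTERNS.items():
            if pattern.search(stripped):
                findings.append((no, name, stripped))
    return findings


def triage_blob(blob: bytes) -> list:
    """Inflate an extracted reload.sql blob and scan it in one step."""
    return scan_sql(inflate_reload_sql(blob))


# Constructed sample: a tiny stand-in for a reload.sql that mixes ordinary
# schema DDL with the two primitives the advisory warns about.
SAMPLE_SQL = """\
-- reload.sql (constructed sample, not a real QuickBooks dump)
CREATE TABLE company (id INTEGER, name VARCHAR(64));
INSERT INTO company VALUES (1, 'Example Co');
ALTER PROCEDURE login_hook SET HIDDEN;
CALL xp_cmdshell('notepad.exe');
-- note: xp_write_file appears here only inside a comment
"""
SAMPLE_BLOB = zlib.compress(SAMPLE_SQL.encode("utf-8"))

if __name__ == "__main__":
    for no, name, text in triage_blob(SAMPLE_BLOB):
        print(f"line {no}: {name}: {text}")
```

Any hit on a file that came from outside the organisation is grounds to refuse to open it until the script has been reviewed by hand.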


Proof of Concept:
---------------------
Below you can find a company file created in QB 2009 and modified to start 
"Notepad.exe" upon every user login (Admin, no password). This example will work in 
any version including 2016 (US, CA, UK): the login procedure must execute 
in order to check the QB version or edition or to start an update, so you will see 
Notepad before QB's "wrong version" error message.
https://www.thegrideon.com/qbint/QBFp.zip


Disclosure Timeline:
---------------------
Contacted Vendor: 2016-03-21
Contacted PCI Security Consul: 2016-04-15
PCI Security Consul: 2016-04-19 "we are looking into this matter", but no 
details requested.
PoC sent to Vendor: 2016-04-26
[Unexpected and strange day-by-day activity from Intuit India employees on our 
website without any attempt to communicate -> public disclosure.]
Public Disclosure: 2016-05-10


Severity Level:
---------------------
High


Disclaimer:
---------------------
Permission is hereby granted for the redistribution of this text, provided that 
it is not altered except by reformatting, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author. The author is not 
responsible for any misuse of the information contained herein and prohibits 
any malicious use of all security related information or exploits by the author 
or elsewhere.