exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

QuickBooks Desktop SQL Injection / Code Execution

QuickBooks Desktop SQL Injection / Code Execution
Posted May 11, 2016
Authored by Maxim Tomashevich

QuickBooks Desktop versions 2007 through 2016 suffers from SQL injection and code execution vulnerabilities.

tags | advisory, vulnerability, code execution, sql injection
SHA-256 | 522210df2f1638a874161c747425539463331fcf2caf494e89043f5ce88c2e80

QuickBooks Desktop SQL Injection / Code Execution

Change Mirror Download
+ Credits: Maxim Tomashevich from Thegrideon Software
+ Website: https://www.thegrideon.com/
+ Details: https://www.thegrideon.com/qb-internals-sql.html

Vendor:
---------------------
www.intuit.com
www.intuit.ca
www.intuit.co.uk


Product:
---------------------
QuickBooks Desktop
versions: 2007 - 2016


Vulnerability Type:
---------------------
Arbitrary SQL / Code Execution


Vulnerability Details:
---------------------
QuickBooks company files are SQL Anywhere database files and other QB formats are based on SQL Anywhere features as well. SQL code (Watcom SQL) is important part of QB workflow and it is arguably more powerful than VBA in MS Access or Excel and at the same time it is completely hidden and starts automatically with every opened file!
Functions like xp_write_file, xp_cmdshell are included by default allowing "rootkit" installation in just 3 lines of code: get data from table -> xp_write_file -> xp_cmdshell. Procedure in one database can be used to insert code into another directly or using current user credential. Moreover real database content is hidden from QuickBooks users, so there is virtually unlimited storage for code, stolen data, etc.
QBX (accountant's transfer copies) and QBM (portable company files) are even easier to modify but supposed to be send to outside accountant for processing during normal workflow. QBX and QBM are compressed SQL dumps, so SQL modification is as hard as replacing zlib compressed "reload.sql" file inside compound file.
In all cases QuickBooks do not attempt (and have no ways) to verify SQL scripts and start them automatically with "DBA" privileges.
It should be obvious that all outside files (qbw, qba, qbx, qbm) should be considered extremely dangerous.
SQL Anywhere is built for embedded applications so there are number of tricks and functions (like SET HIDDEN clause) to protect SQL code from analysis making this severe QuickBooks design flaw.


Proof of Concept:
---------------------
Below you can find company file created in QB 2009 and modified to start "Notepad.exe" upon every user login (Admin, no pass). This example will work in any version including 2016 (US, CA, UK) - login procedure execution is required in order to check QB version or edition or to start update, so you will see Notepad before QB "wrong version" error message.
https://www.thegrideon.com/qbint/QBFp.zip


Disclosure Timeline:
---------------------
Contacted Vendor: 2016-03-21
Contacted PCI Security Consul: 2016-04-15
PCI Security Consul: 2016-04-19 "we are looking into this matter", but no details requested.
PoC sent to Vendor: 2016-04-26
[Unexpected and strange day by day activity from Intuit India employees on our website without any attempts to communicate -> public disclosure.]
Public Disclosure: 2016-05-10


Severity Level:
---------------------
High


Disclaimer:
---------------------
Permission is hereby granted for the redistribution of this text, provided that it is not altered except by reformatting, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close