CVE-2022-24992: QRCDR Zero-Day Path Traversal Vulnerability

This post is about CVE-2022-24992, a path traversal vulnerability in QRCDR, a widely used QR code generator script.

About QRCDR:

QRCDR is a popular PHP/JavaScript QR code generator, widely used for creating customized QR codes in a few easy steps.
It is also used by a few WordPress QR code generator plugins and mobile applications, which are not covered in this article.

Hello dear readers, it's @n0lsec. Today I am going to share with you the details of a zero-day vulnerability that I found in QRCDR (reported to the vendor and patched).

QRCDR: responsive QR Code generator

Core finding

  • QRCDR 5.2.7 and all prior versions are vulnerable to directory path traversal.
  • A malicious value in the POST parameter optionlogo (optionlogo=[payload]) is used as a file path and leads to path traversal.
  • Depending on the server's security configuration, the attacker can read arbitrary sensitive server files, configuration files, etc.
  • In some cases an attacker can escalate path traversal to RCE.

Mitigation

  • Update to the latest version; at the time of writing it is version 5.2.9.

How was it found?
While working on a specific bug bounty program, which I will call REDACTED.COM because of its disclosure policy, I found quite an interesting endpoint that lets customers create customized QR codes with extra options. I opened the browser inspector and watched the requests and responses, and I realized that part of the script lets users add a custom logo to the QR code, which was very interesting to me.
With the browser inspector open, I looked at what we had: the main file of the script is process.php, located at /ajax/process.php. Intercepting the POST request and its body parameters, optionlogo looks like below:

The script provides some predefined logos, and we can select one of them and load it into our QR code. The key part of the vulnerability is here, which might let us find some interesting things like path traversal, LFI or maybe SSRF, so I decided to check.

After some work I tried path traversal. I tried the first payload without encoding or any bypass method, and I received the contents of the /etc/passwd file, base64-encoded. So that's it.

Because of the severity, I sent a report to the vendor immediately, and I got rewarded!

REDACTED.COM's base64-decoded contents of /etc/passwd

Report to Dev-Team

After checking the code, I found out that the vulnerable script is part of QRCDR, so I found the dev team's email address and sent them the details of the vulnerability. They responded quickly and fixed the vulnerability within a few hours. Considering that the script is popular and widely used, I decided to write this post.

What happened?

I searched the internet for the QRCDR script and found a nulled copy, so I checked the code and found that the script does not properly sanitize the POST value of the optionlogo parameter and uses it directly in the QR code.

Part of the process.php file; look at line 17, where there is no sanitization of any kind.

As you can see, the mergeImage() function simply creates the image with our injected payload, and when the output format is SVG the logo file's contents are base64-encoded straight into the image element, which gives us directory path traversal like this:

<image xlink:href="[base64-encoded contents of /etc/passwd]">

which hands us the contents of any file the web server can read. :)

Mitigation

The vulnerability is now fixed, but if you want to fix it manually you should reject any content in the file name or directory name that could let an attacker change directories:

  • Reject (rather than strip) path characters and traversal sequences in file and directory names (/ \ ..); better still, accept only a bare file name that matches one of the predefined logos.
  • Think about cross-platform directory traversal characters (the backslash on Windows, for example).
  • Beyond that, running the server in a chroot jail or behind a WAF (Cloudflare-like functionality) to limit escalation may be a good choice, even though I think hackers always find their ways. :)
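The vulnerable pattern from the previous section and the mitigation list above, together in one added example. This is not QRCDR's process.php and not the vendor's patch; the function names, the logo directory layout and the SVG template are assumptions made for illustration, and the files it reads are created by the script itself:

```php
<?php
// Added example, not QRCDR's process.php and not the vendor's patch: a minimal
// stand-in for the logo handling described in the post, first in the vulnerable
// shape (POST value used directly as a path, file content base64-encoded into
// the SVG <image> element) and then in a hardened shape. The function names,
// the logo directory layout and the SVG template are assumptions.
declare(strict_types=1);

// Vulnerable pattern: $optionlogo comes straight from $_POST['optionlogo'].
// "../secret.txt" or "../../../../etc/passwd" walks out of the logo directory
// and the file's bytes are returned to the client inside the SVG.
function mergeImageVulnerable(string $optionlogo, string $logoDir): string
{
    $data = base64_encode((string) file_get_contents($logoDir . '/' . $optionlogo));
    return '<image xlink:href="data:image/png;base64,' . $data . '" />';
}

// Hardened lookup: the value must be a bare file name of a predefined logo.
// Returns the resolved absolute path, or null when the value is rejected.
function resolveLogoPath(string $optionlogo, string $logoDir): ?string
{
    // 1. Shape check: a plain file name only. This rejects "/", "\", "..",
    //    NUL bytes and anything else that could be interpreted as a path.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(png|jpe?g)\z/', $optionlogo)) {
        return null;
    }
    // 2. Containment check: after resolving symlinks, the file must still be
    //    inside the logo directory (a symlinked logo pointing elsewhere fails).
    $base = realpath($logoDir);
    $path = realpath($logoDir . DIRECTORY_SEPARATOR . $optionlogo);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function mergeImageHardened(string $optionlogo, string $logoDir): string
{
    $path = resolveLogoPath($optionlogo, $logoDir);
    if ($path === null) {
        throw new InvalidArgumentException('optionlogo must name a predefined logo');
    }
    $data = base64_encode((string) file_get_contents($path));
    return '<image xlink:href="data:image/png;base64,' . $data . '" />';
}

// Self-check on a constructed layout under the system temp directory:
//   <root>/secret.txt        stands in for a sensitive file outside logos/
//   <root>/logos/logo1.png   a predefined logo
$root = sys_get_temp_dir() . '/qrcdr-example-' . getmypid();
$logoDir = $root . '/logos';
mkdir($logoDir, 0700, true);
file_put_contents($root . '/secret.txt', 'not a logo');
file_put_contents($logoDir . '/logo1.png', "\x89PNG placeholder");

// Vulnerable: a single "../" is enough to leave the logo directory.
echo "vulnerable: ", mergeImageVulnerable('../secret.txt', $logoDir), "\n";

// Hardened: only the predefined logo name is accepted.
$candidates = ['logo1.png', '../secret.txt', '..\\..\\etc\\passwd', "logo1.png\0.txt"];
foreach ($candidates as $candidate) {
    $verdict = resolveLogoPath($candidate, $logoDir) === null ? 'rejected' : 'accepted';
    printf("hardened:   %-24s %s\n", json_encode($candidate), $verdict);
}
echo "hardened:   ", mergeImageHardened('logo1.png', $logoDir), "\n";

unlink($root . '/secret.txt');
unlink($logoDir . '/logo1.png');
rmdir($logoDir);
rmdir($root);
```

Two design choices worth noting. The shape check rejects bad input instead of stripping "../" out of it, because stripping is bypassable (for example "....//" collapses back to "../" after one pass). The realpath containment check is kept even though the regex already forbids separators, because it also catches a logo file that is itself a symlink to somewhere outside the directory. If the set of shipped logos is fixed, an explicit allowlist (in_array($optionlogo, $predefined, true)) is the simplest equivalent of the shape check.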

Feel free to contact me on Twitter; I would appreciate it if you send me any problems, feedback or opinions.

Farhad Karimi (n0lsec)