CVE-2022-24992: QRCDR ZeroDay Path Traversal Vulnerability
This post is about CVE-2022–24992 which refers to vulnerability in QRCDR's widely used QR-Code generator script.
About QRCDR:
QRCDR is a popular PHP — JavaScript QR-Code Generator, which is widely used for creating customized QR-Code in easy steps.
also, it’s used by a few WordPress QR Code Generator Plugins and Mobile applications Which is not covered in this article.
Hello dear readers, it’s @n0lsec, Today I going to share with you details of the zero-day vulnerability that I was found in QRCDR (reported to the vendor and patched).
Core finding
- QRCDR(5.2.7 and all prior versions are vulnerable ) to Directory Path Traversal Vulnerability.
- POST parameters with
optionlogo=[payload]which is a malicious payload sent to lead to path traversal - According to server security configurations, the attacker can read arbitrary sensitive server files, configurations, etc
- An attacker can escalate path traversal to
RCEin some cases
Mitigation
- Just update to the latest version, At the time I wrote this post it is Version 5.2.9
How to find it?
Meanwhile working on a specific Bug Bounty program, which is called REDACTED.COM because of the information disclosure policy, I found quite an interesting endpoint that leads customers to create customized QR-Code with extra options, I opened browser inspector and watched to Request/Responses, so I realized part of script leads users to add a custom logo to our QR-Code which was so interesting to me,
here I opened the browser inspector and looked at what we had, there was the main file of the script process.php which is in the path: /ajax/process.php intercept POST request and body parameters, optionlogo looks like below:
the script provided some predefined logos and we can select one of them and load it into our QR-Code, The key part of vulnerability is here which may let us find some interesting things like Path Traversal — LFI or maybe SSRF so I decided to check.
After some work I tried Path-Traversal, I tried the first payload without encoding or any bypass method, and I received /etc/passwd file content with base64-encoded. So that’s it.
Because of the severity, I was sent a report immediately to the vendor and I got rewarded!
/etc/passwdReport to Dev-Team
After checking the code, I found out that the script is part of the QRCDR script, so I found the Dev-Team email and sent the details of a vulnerability, they responded quickly and fixed the vulnerability after a few hours. Considering that the script is popular and widely used, I decided to write this post.
what happened?
I searched the internet for the QRCDR script and found the null version, so I checked the code and found that the script does not completely clear the POST value of the optionlogo parameter and uses the code directly in the QR code.
as you see mergeImage() the function creates an image with our injected payload and when it comes to SVG the format we have some Directory-Path-Traversal magic like this:
<image xlink:href=”/etc/passwd(base64-encode)” > which brings the content of any files to us! :)
Mitigation
The vulnerability is now fixed, but if you want to fix it manually, you should know to remove any malicious content that can help an attacker change the directory file name and directory name.
- removing any special characters in file | directory name
[. / \ ] - thinking about cross-platform directory traversal characters
- after all maybe configuring the server with
chroot-jail,cloudflarelike functionality to prevent escalation may be a good choice. even I think hackers always find their ways:)
Feel free to contact me on Twitter, I would appreciate it if you send me any problems, feedback, or opinion.
