CVE-2020-13448
Published 2020-06-01
Priority P271 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 17.77% (96.8th percentile)
QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quickbox | quickbox | <= 2.5.5 | — |
| quickbox | quickbox | <= 2.1.8 | — |
Detection & IOCs
```snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M1 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|sudo"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030237; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, cve CVE_2020_13448, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_06_02;)
```

```snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M2 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|wget"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030238; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, cve CVE_2020_13448, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_06_02;)
```
- Command injection is delivered via the `servicestart` parameter in a GET request to `/index.php?id=88&servicestart=`. Injected commands are semicolon-delimited (URL-encoded as `%3B`). Monitor for semicolons followed by shell commands in this parameter.
- Authentication is performed via a POST to `/inc/process.php` with `form_submission=login` before exploitation. Correlate a POST login event followed by a suspicious GET to `/index.php?id=88&servicestart=` from the same session/IP.
- The ET Snort rule M1 (sid:2030237) detects the URI pattern `/index.php?id=88&servicestart=` followed by the byte sequence `|3b|sudo` (semicolon + 'sudo'), indicating privilege escalation via sudo in the injected command.
- The ET Snort rule M2 (sid:2030238) detects the URI pattern `/index.php?id=88&servicestart=` followed by the byte sequence `|3b|wget` (semicolon + 'wget'), indicating a payload download stage in the injected command.
- Post-exploitation privilege escalation to root can occur via weak sudo rules allowing `mysql` or `mount`. Alert on `www-data` executing `sudo mysql` or `sudo mount` on QuickBox servers.
- The exploit requires prior authentication (low-privileged user). Detection rules should account for authenticated sessions; pure unauthenticated scanning will not trigger this vulnerability.
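The correlation described in the notes above can also be run over web server access logs. The following is an added example, not part of the original page or of the ET ruleset; it assumes combined-format access logs, a 30-minute correlation window, and constructed sample lines.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined-log style), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Jun/2020:10:00:01 +0000] "POST /inc/process.php HTTP/1.1" 302 0
198.51.100.7 - - [02/Jun/2020:10:00:05 +0000] "GET /index.php?id=88&servicestart=svc%3Bsudo%20id HTTP/1.1" 200 512
203.0.113.9 - - [02/Jun/2020:10:01:00 +0000] "GET /index.php?id=88&servicestart=svc HTTP/1.1" 200 512
203.0.113.20 - - [02/Jun/2020:10:02:00 +0000] "GET /index.php?id=88&servicestart=svc;wget%20x HTTP/1.1" 200 512
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def scan(log_text, window=timedelta(minutes=30)):
    """Return one finding per request whose servicestart value contains ';'."""
    last_login = {}  # source IP -> time of its most recent login POST
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        if method == "POST" and url.path == "/inc/process.php":
            last_login[ip] = when  # body (form_submission=login) is not in access logs
            continue
        if method != "GET" or url.path != "/index.php":
            continue
        # Split on '&' only, so a raw ';' stays inside the parameter value.
        params = dict(p.partition("=")[::2] for p in url.query.split("&"))
        value = unquote(params.get("servicestart", ""))
        if params.get("id") != "88" or ";" not in value:
            continue
        login = last_login.get(ip)
        findings.append({
            "ip": ip,
            "value": value,
            # Login POST from the same IP shortly before the request.
            "login_seen": login is not None and timedelta(0) <= when - login <= window,
            # Which of the two ET keywords (M1/M2) follows a semicolon, if any.
            "et_keyword": next((k for k in ("sudo", "wget") if ";" + k in value), None),
        })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A finding with `login_seen` set to false is still reported, since the session may have been established outside the window or from another address.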
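CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |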
Suricata
ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M2 (CVE-2020-13448)
suricata·2020-06-02·CVSS 8.8
Suricata
ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M1 (CVE-2020-13448)
suricata·2020-06-02·CVSS 8.8