- A critical vulnerability that allowed remote code injection was discovered in multiple versions of the relatively popular BillQuick billing software.
- The exploit comes from using MSSQL database injections that give access to CMDshell functions on the underlying OS.
- The attacks permitted the hackers to access customer data and deploy malware.
A vulnerability in BillQuick (a very popular billing app with over 400,000 users worldwide) that allows SQL injection for unauthenticated remote code execution was exploited in the wild this month for ransomware deployment. This critical flaw was given the number CVE-2021-42258, and it concerns the BQE BillQuick Web Suite 2018 through 2021, before 188.8.131.52.
The researcher’s team used SQL injection-based attacks to execute malicious commands on the target device. The vulnerability set includes the following CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, and CVE-2021-42742. All of these are part of the BillQuick WebSuite 2021 version 184.108.40.206.
The team discovered a number of suspicious activities on the MSSQLSERVER$ service account thrown up by their Ransomware Canary files as well as Microsoft Defender antivirus. They looked through the connection logs and found a foreign IP transmitting POST requests on repeat. This request was sent to the webserver login endpoint right up to the first infection instance. They began tracking the attacker’s steps back to the infection’s origin point.
Looking at the SQL injections, the researchers found some queries on the server-side code that allowed queries inserted into the MSSQL database. This enabled the injection of queries into the database via the login screen. Upon recreating a compromised device’s environment, they found that BillQuick allows anyone with MSSQL system admin privileges and the SQL injection to use xp_cmdshell procedures. This granted the hacker access to the system OS and enabled it to execute codes remotely. They have explained the entire process of the SQL injection line and its database=driven mapping using a tool called sqlmap.
The researchers have stated that configuring the database to block xp_cmdshell executions extends stored procedure. Further, when configured for least-privilege SQL users, BillQuick Web Suite prevents remote code execution via SQL injections.
In practice, Huntress has observed partners using BillQuick Web Suite with the built-in system admin account, which allows full access to the back-end database server, including xp_cmdshell, regardless of configuration restrictions. The researchers have informed BQE Software of the vulnerability issues, and the company is addressing the vulnerabilities actively.