STIGQter Local Code Execution Vulnerability via Malicious .stigqter File
Vulnerability
A local code execution vulnerability has been identified in STIGQter versions from 0.1.2 up to, but not including, 1.2.7. It allows an attacker to execute code with the privileges of the user running STIGQter. Exploitation requires user interaction: the victim must open a crafted .stigqter file and then manually initiate the 'Export HTML' action. The root cause is that STIGQter writes per-STIG HTML files using filenames taken directly from the SQLite database inside the loaded .stigqter project file, without validating them. Attacker-controlled content can therefore be written to files at arbitrary locations, including paths from which systemd will execute the injected content.
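The following is an added illustration of the filename-handling flaw described above and of the corrective check a defender would want; it is not STIGQter's own code and does not reproduce its fix. It uses plain C++17 and std::filesystem rather than the project's own I/O classes, and the function names (naiveJoin, isSafeFileName, safeExportPath) and the sample export directory and STIG names are constructed for the example.

```cpp
#include <cctype>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// The unsafe pattern: joining the export directory with a name read from the
// project database. std::filesystem's operator/ discards the left operand when
// the right operand is absolute, so "/home/u/out" / "/tmp/evil" is "/tmp/evil".
// A name containing ".." components escapes the directory in the same way.
fs::path naiveJoin(const fs::path& exportDir, const std::string& nameFromDb) {
    return exportDir / nameFromDb;
}

// Allow-list check for a bare file name: ASCII letters, digits, space, '.',
// '_' and '-', no leading dot, bounded length. Anything else (path separators,
// absolute paths, "." and "..", control or non-ASCII bytes) is rejected.
bool isSafeFileName(const std::string& name) {
    if (name.empty() || name.size() > 200 || name.front() == '.') return false;
    for (char ch : name) {
        unsigned char c = static_cast<unsigned char>(ch);
        if (c >= 0x80) return false;
        if (!(std::isalnum(c) || c == ' ' || c == '.' || c == '_' || c == '-')) return false;
    }
    return true;
}

// Build the output path for one STIG's HTML file. Returns nullopt when the
// untrusted name fails the allow-list or when the normalised result would not
// sit directly inside exportDir (the second check is defence in depth).
std::optional<fs::path> safeExportPath(const fs::path& exportDir, const std::string& nameFromDb) {
    if (!isSafeFileName(nameFromDb)) return std::nullopt;
    fs::path base = exportDir.lexically_normal();
    if (!base.has_filename()) base = base.parent_path();  // drop a trailing separator
    fs::path candidate = (base / (nameFromDb + ".html")).lexically_normal();
    if (candidate.parent_path() != base) return std::nullopt;
    return candidate;
}

int main() {
    // Constructed sample values: one benign STIG title and two hostile names.
    const fs::path exportDir = "/home/u/out";
    for (const std::string& name : {std::string("Windows 10 STIG"),
                                    std::string("/tmp/evil"),
                                    std::string("../../.config/systemd/user/x.service")}) {
        std::cout << "naive:    " << naiveJoin(exportDir, name) << "\n";
        auto safe = safeExportPath(exportDir, name);
        std::cout << "hardened: " << (safe ? safe->string() : "<rejected>") << "\n";
    }
    return 0;
}
```

The allow-list is the primary control; the parent-directory comparison after lexically_normal catches any case the allow-list might miss, so a bad name is skipped rather than written somewhere unexpected. Names that fail the check can be replaced by a generated one (for example an index-based file name) so the export still completes.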
Impact
Exploitation of this vulnerability leads to local code execution as the user who opened the malicious .stigqter file, with persistence through systemd user units that are automatically executed under certain conditions.
Reproduction
To reproduce this vulnerability, first create a .stigqter file containing absolute paths pointing to systemd user unit files, along with a crafted HTML header that includes executable commands. Once the file is prepared, open it in STIGQter and select the 'Export HTML' option, choosing a directory for the output. After the export, the injected commands will be executed the next time systemd processes the user units.
Remediation
Users can upgrade to STIGQter version 1.2.7, where this vulnerability has been fixed. Instructions for downloading the latest version are available on the STIGQter GitHub page.
