This template reports on vulnerabilities discovered in Intuit's QuickBooks software installed on Windows hosts. It's also designed to report on the location of QuickBooks components that allow the remote access of centrally stored QuickBooks company files.
- June 9th 2012, version 1, SecurityCenter 4.4
- Required Tools: Nessus
- Download Example - QuickBooks for Windows
- Download Template - QuickBooks for Windows
To use this report template effectively, ensure you are performing Nessus credentialed checks on Windows hosts.
The "Vulnerabilities" chapter reports on vulnerabilities found in QuickBooks software installed on Windows. The "Version" chapter reports the version of QuickBooks software installed on Windows using Nessus plugin 58847, "Intuit QuickBooks Installed".
QuickBooks software allows QuickBooks company files to be shared across a network; see Configure QuickBooks for a multi-user or network environment. For a host to centrally store a company file that QuickBooks software accesses remotely, it must run the QuickBooks Database Manager Service. The blog post What is the QuickBooks QBDataServiceUser and Do I Need It? is a good source of information about the service and some security-related information.
The "Database Manager Service Detection" chapter uses plugin 44401, "Microsoft Windows SMB Service Config Enumeration", to detect a configured service, and plugin 34252, "Microsoft Windows Remote Listeners Enumeration (WMI)", to detect a running service.
The host used to centrally store company files for sharing may or may not have the QuickBooks software (a.k.a. the QuickBooks Client) installed. If it does, it is reported in the "Versions" chapter as a QuickBooks software installation. The example report lists host qbsrv.itsdept.com as having QuickBooks software installed (QuickBooks Enterprise Solutions: Contractor Edition 12.0) and the Database Manager Service as configured and running.
In the netstat output below from host 10.0.0.76, which is hosting a company file, we can see host 10.0.0.60, which is running QuickBooks software, connected to the Database Manager Service listening on port 55348. Another requirement of a host centrally storing a company file for sharing is that it provide access to the company file via an SMB network share to remote hosts with QuickBooks software installed. We can also see 10.0.0.60 connected on port 445 to access a network share.
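The two connections described above (one to the Database Manager Service port, one to SMB on port 445) are the pattern an analyst looks for when confirming which hosts are opening a shared company file. The script below is an added example, not part of the original post and not a Tenable or Intuit tool. It parses netstat-style text and classifies the peers of a company-file host. The netstat lines are constructed, modelled on the 10.0.0.76 / 10.0.0.60 case from this post with two extra made-up peers (10.0.0.61 and 10.0.0.15) to show how the classification behaves; the Database Manager Service port 55348 is the value from this post's example and is an assumption for any other host, where it should be taken from that host's listener enumeration instead.

```python
import re

# Constructed sample modelled on the post's example (host 10.0.0.76 storing the
# company file, host 10.0.0.60 running the QuickBooks client). These are NOT
# real captured lines; the 10.0.0.61 and 10.0.0.15 rows are made up to show
# how the classification behaves with extra traffic.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:55348          0.0.0.0:0              LISTENING
  TCP    10.0.0.76:445          10.0.0.60:49211        ESTABLISHED
  TCP    10.0.0.76:55348        10.0.0.60:49215        ESTABLISHED
  TCP    10.0.0.76:55348        10.0.0.61:50120        ESTABLISHED
  TCP    10.0.0.76:3389         10.0.0.15:51002        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Port the post's example shows the Database Manager Service listening on.
# Assumption: for any other host, take this value from that host's listener
# enumeration rather than hard-coding it.
QB_DB_MANAGER_PORT = 55348
SMB_PORT = 445

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return a list of dicts, one per connection row, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": int(lport),
            "foreign_addr": faddr,
            "foreign_port": fport,
            "state": state,
        })
    return rows


def company_file_access(rows, db_port=QB_DB_MANAGER_PORT, smb_port=SMB_PORT):
    """Classify a company-file host's connections the way the post does.

    A remote QuickBooks client opening a shared company file shows up twice:
    once on the Database Manager Service port and once on SMB (445) for the
    share itself. Peers seen on both are the strongest indication of a
    QuickBooks client; peers seen on the DB manager port only deserve a look.
    """
    def listening(port):
        return any(r["proto"] == "TCP" and r["local_port"] == port
                   and r["state"] == "LISTENING" for r in rows)

    def peers(port):
        return {r["foreign_addr"] for r in rows
                if r["proto"] == "TCP" and r["local_port"] == port
                and r["state"] == "ESTABLISHED"}

    db_peers = peers(db_port)
    smb_peers = peers(smb_port)
    return {
        "db_manager_listening": listening(db_port),
        "smb_listening": listening(smb_port),
        "db_manager_clients": sorted(db_peers),
        "smb_clients": sorted(smb_peers),
        "likely_quickbooks_clients": sorted(db_peers & smb_peers),
        "db_manager_only": sorted(db_peers - smb_peers),
    }


def report(text):
    """Human-readable summary for an analyst reviewing one host."""
    result = company_file_access(parse_netstat(text))
    lines = [
        f"Database Manager Service listening: {result['db_manager_listening']}",
        f"SMB listening:                      {result['smb_listening']}",
        f"Clients on both DB manager and SMB: {', '.join(result['likely_quickbooks_clients']) or '-'}",
        f"Clients on DB manager only:         {', '.join(result['db_manager_only']) or '-'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

Run against real `netstat -an` output saved from the company-file host, the "both" list is the set of peers behaving like QuickBooks clients, which can then be checked against the hosts the "Versions" chapter reports as having QuickBooks software installed; anything on the Database Manager Service port that is not also on the SMB share, or that the report does not know about, is the discrepancy worth following up.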
QuickBooks Enterprise software allows the installation of the Database Manager Service on Linux which will leverage a Samba server to provide the SMB network share access.
The "QODBC Detection (ODBC Driver)" chapter reports on hosts with installations of the QODBC software. An ODBC connection can be configured locally or remotely to access (and modify) company file information on any version of QuickBooks installed on Windows. In the screenshots below, Microsoft Query is being used with QODBC software to remotely access a QuickBooks company file (yes, those really are SSN and EIN fields, as well as Customer, Employee and Credit Card tables). To a licensed QuickBooks user like myself that comes as no surprise, but to somebody responsible for IT security and compliance regimes such as PCI DSS it may be new and valuable information worth knowing, and it adds more reasons to use this report template in conjunction with SecurityCenter and Nessus. (Tracking the location of QuickBooks company file backups and exports might also be worth investigating.)
Plugin 20811, "Microsoft Windows Installed Software Enumeration (credentialed check)", is used to detect installations of QODBC.
QODBC allows both unencrypted and encrypted connections over TCP/IP. If your QODBC client installations have never been reviewed, or there is no documentation of their configurations, it might be time to check them. Tenable's Passive Vulnerability Scanner (PVS) will help in reporting and alerting on external (public IP address) and internal (private IP address) connections, as well as flagging which of those connections are encrypted.
On discovering QODBC and QuickBooks software, you may wish to review the Tenable blog post Finding Sensitive Data as a Consultant with Nessus to expand your Nessus agentless queries looking for unsecured sensitive data. Those queries should include the SMB network shares needed for remote access to QuickBooks company files, along with verification of how securely the SMB protocol has been configured between servers and clients.
The remote access to company files described in this post and reported in the template should not be confused with the QuickBooks Remote Access feature which leverages WebEx technology.