CVE-2021-42840 This one will be a bit short, since severity/impact/video/etc is all identical to my post on the previous SuiteCRM RCE.
CVE-2020-28328 SuiteCRM RCE
I found another vulnerability during remediation testing, and that writeup can be found here.
This was patched in version 7.11.17 of SuiteCRM.
I don’t fully agree with this rating as the exploit does require administrative access which would change PR:L to PR:H, adjusting the final score from an 8.8 to a 7.2.
I would rate it as: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SuiteCRM Version 7.11.15
Cross-Site Scripting (XSS)
The stored Cross-Site Scripting exists in the ‘Create Documents’ file upload. A low privileged user is able to upload a file with any contents. The user can then examine the link provided to download this document and ascertain the file’s location on the filesystem by locating the
Remote Code Execution
After discovering that I could become the admin through session hijacking via the Cross-Site Scripting, I then discovered that I could control the system properties under ‘Admin → System Settings’, namely the log file property. Log file extensions were pretty well blocked, but I was able to use BurpSuite to update the ‘Log File Name’ value to be any arbitrary value, including .php extensions. I did this by submitting a request without changing anything and capturing the POST request that actually updates the values. I changed the filename via the
logger_file_name parameter to
shell.php and simply made the ‘Extension’ field blank. That provided a php file that I could access in browser at the webroot, but I needed some php code insidethe file to execute.
Next, I examined the output in the file and noticed that I could control input into the file via user properties if I updated a user (such as the user’s first or last name), if the logging was set to info (which I believe was default…). So, I captured a request in burp and inserted some php code
<?php $id =`id`; echo $id; ?> in the
last_name form field. This resulted in the output of the
id command on Linux in the context of the web server user,
www-data. The only characters that I could tell were escaped based on the log file are single quotes, double quotes, and back slashes. You can verify this by
tail‘ing the sql log file on the backend.
Chaining the two for Cross-Site Request Forgery (One click -> shell)
Ensure you have
AllowOveride All set in Apache. nginx does not have this setting and I did not test it on nginx.
Remote Code Execution
Update to the latest release of SuiteCRM, or at least version 7.11.17.
This is the specific fix. Commit 1618af16eaa494c4551bac961e5ac8fc3d87ab8c
Reporting to SuiteCRM
SuiteCRM was very responsive throughout the reporting process. They acknowledged the RCE, which was patched. The XSS was the result of a web server configuration so they did not acknowlede it as a vulnerability. They did, however, note that they would be updating the documentation in light of this.
06 AUG 2020 -> Both issues reported to email@example.com
07 AUG 2020 <- SuiteCRM confirms receipt of report and raises issue with internal security team
21 AUG 2020 -> I contacted firstname.lastname@example.org for a follow up
25 AUG 2020 <- SuiteCRM replies regarding web server config/XSS
26 AUG 2020 -> I reply to say that the suggestion of
AllowOveride All mitigates XSS
16 SEP 2020 -> I contacted email@example.com for a follow up
17 SEP 2020 <- SuiteCRM replies to confirm the issue as a partial issue
29 OCT 2020 Update released
03 NOV 2020 -> I contact firstname.lastname@example.org to ensure nothing else is needed on their end before releasing writeup
05 NOV 2020 <- SuiteCRM replies
Now we have released a patch for this issue and it is in the pubic domain, there is no problem with you doing a blog post on the vulnerabilities from our perspective.
05 NOV 2020 -> CVE requested by me
06 NOV 2020 <- CVE-2020-28328 issued
Thanks to SuiteCRM!
They were very easy to work with and I definitely plan to continue searching for and reporting vulnerabilities in this software!
Path traversal in File Upload leads to Remote Code Execution in Chamilo LMS Overview It’s been a bit since I spent some time looking for a web vuln… And this...
tldr/oneliner ruby -e '"".class.ancestors.system("cat /etc/passwd")' Why? So I was doing a bit of reading on SSTI, specifically that of Jinja/python which...
Remediation testing I found another vulnerability during remediation testing, and that writeup can be found here.
TL;DR Just go to the Demo Or, just go to the Demo Round 2 for reverse tunneling Accessing Resources Behind Multiple Resources At some point, you may run into...
How to get a Shell on your Router (hopefully) Vulnerability hunting is hard, and it’s even harder if you don’t have access to the source. Hardware devices ma...