{"sourceData": "\n SugarCRM 5.2.0e Remote Code Execution\r\n\r\n Name Remote Code Execution in SugarCRM\r\n Systems Affected Sugar CRM 5.2.0e and possibly earlier versions\r\n Severity High\r\n Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)\r\n Vendor http://www.sugarcrm.com\r\n Advisory http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt\r\n Authors Antonio "s4tan" Parata (s4tan AT ush DOT it)\r\n Francesco "ascii" Ongaro (ascii AT ush DOT it)\r\n Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)\r\n Date 20090613\r\n\r\nI. BACKGROUND\r\n\r\nFrom the SugarCRM web site: "Sugar Express is designed for individuals\r\nand small companies. Core CRM features help employees get on the same\r\npage while more complex functionality is stripped away. Sugar Express is\r\nideal for providing a single view of the customer from the initial\r\nmarketing campaign through the sales cycle and on to customer support.\r\nWith Sugar Express, companies have a single system of truth for managing\r\ncustomer interactions."\r\n\r\nII. DESCRIPTION\r\n\r\nA Remote Code Execution Vulnerability exists in SugarCRM software.\r\n\r\nIII. ANALYSIS\r\n\r\nSummary:\r\n\r\nA Remote Code Execution issue has been found in SugarCRM version\r\n5.2.0e. In order to exploit this vulnerability an account on the system\r\nis required.\r\n\r\nThe vulnerability resides in the "Compose Email" section. The software\r\npermits sending email with attachments (if not disabled by the\r\nadministrator). When the name of the file is specified, a validation\r\nroutine is called:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nfunction safeAttachmentName($filename) {\r\n\tglobal $sugar_config;\r\n\t$badExtension = false;\r\n\t//get position of last "." 
in file name\r\n\t$file_ext_beg = strrpos($filename, ".");\r\n\t$file_ext = "";\r\n\t//get file extension\r\n\tif($file_ext_beg > 0) {\r\n\t\t$file_ext = substr($filename, $file_ext_beg + 1);\r\n\t}\r\n\t//check to see if this is a file with extension located in "badext"\r\n\tforeach($sugar_config['upload_badext'] as $badExt) {\r\n\t if(strtolower($file_ext) == strtolower($badExt)) {\r\n\t //if found, then append with .txt and break out of lookup\r\n\t $filename = $filename . ".txt";\r\n\t $badExtension = true;\r\n\t break; // no need to look for more\r\n\t } // if\r\n\t} // foreach\r\n\treturn $badExtension;\r\n}\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nThis routine checks whether the extension of the filename is blacklisted;\r\nif so, the ".txt" extension is appended to the filename. However, there is\r\na coding error: the function assumes that the filename (extension\r\nexcluded) is at least one char long. This assumption is derived from the\r\nstatement:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nif($file_ext_beg > 0)\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nThis is a bad assumption: if we set the whole filename to\r\n".php", strrpos() returns 0, the check is skipped and an empty extension\r\nis assumed. Because empty extensions are not in the blacklist, no further\r\nextension is added to the filename. After this check a file is created on\r\nthe filesystem in the form "<id><filename>",\r\n\r\nwhere "id" is an alphanumeric string. With the trick illustrated we are\r\nable to create a file with a ".php" extension. To do this, upload a new\r\nfile attachment and set the filename to ".php".\r\n\r\nAfter this the attacker has to find the name of the file that was\r\nuploaded in the attachment file list. 
To obtain the real filename,\r\nlook in the HTML response for a string like:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\n<input value="6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php" name="email_atta\r\nchment0" id="email_attachment10" type="hidden">\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nThe real filename in this case is "6e25aba0-9dc4-2a57-8bae-4a1317b35d47.\r\nphp". Now the attacker has to find the directory where the file resides.\r\n\r\nAgain, searching the HTML page for the attribute "assigned_user_id"\r\nreveals the needed information:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\n<a href="index.php?module=Emails&action=ListView&assigned_user_id=abf7c7\r\n7b-2f71-8071-63ba-4a131068e9a2&type=archived">\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nAt this point the attacker has all the information needed to invoke the\r\nuploaded file.\r\n\r\nFilename: 6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php\r\nAssigned user id: abf7c77b-2f71-8071-63ba-4a131068e9a2\r\n\r\nTo request it directly, issue a request to:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nhttp://www.example.com/cache/modules/Emails/abf7c77b-2f71-8071-63ba-4a13\r\n1068e9a2/6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nAs a final note: if the user is "administrator", "assigned_user_id" is\r\nalways "1".\r\n\r\nIV. DETECTION\r\n\r\nSugarCRM 5.2.0e and possibly earlier versions are vulnerable.\r\n\r\nV. WORKAROUND\r\n\r\nUpgrade to the latest version, 5.2.0f.\r\n\r\nVI. 
VENDOR RESPONSE\r\n\r\n"We have fixed the issue and will be shipping the patch on June 12th.\r\nWe will be doing a full pass of quality assurance in this area to\r\nensure that no other issues crop up around file uploads.\r\nThe fix involves modifying the code that handles uploads for email\r\nattachments to save the files using just a GUID rather than the original\r\nfile name. This is similar to how uploads are handled elsewhere in the\r\napplication and should prevent the code from being executable on the\r\nserver side."\r\n\r\nVII. CVE INFORMATION\r\n\r\nNo CVE at this time.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n20090519 Bug discovered\r\n20090528 First vendor contact\r\n20090528 Vendor response\r\n20090530 Vendor confirms the vulnerability\r\n20090602 Vendor proposes a possible fix and patch release\r\n20090612 Vendor releases SugarCRM 5.2.0f (vulnerability fixed)\r\n20090613 Advisory released\r\n\r\nIX. CREDIT\r\n\r\nAntonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni\r\n"evilaliv3" Pellerano are credited with the discovery of this\r\nvulnerability.\r\n\r\nAntonio "s4tan" Parata\r\nweb site: http://www.ush.it/\r\nmail: s4tan AT ush DOT it\r\n\r\nFrancesco "ascii" Ongaro\r\nweb site: http://www.ush.it/\r\nmail: ascii AT ush DOT it\r\n\r\nGiovanni "evilaliv3" Pellerano\r\nweb site: http://www.ush.it/, http://www.evilaliv3.org/\r\nmail: evilaliv3 AT ush DOT it\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright (c) 2009 Francesco "ascii" Ongaro\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without my express\r\nwritten consent. If you wish to reprint the whole or any\r\npart of this alert in any medium other than electronically,\r\nplease email me for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. 
Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11635", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-11635", "type": "seebug", "viewCount": 5, "references": [], "lastseen": "2017-11-19T19:03:24", "published": "2009-06-17T00:00:00", "cvelist": [], "id": "SSV:11635", "enchantments_done": [], "modified": "2009-06-17T00:00:00", "title": "SugarCRM 5.2.0e Remote Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645281284, "score": 1659785532, "epss": 1678851499}}