SugarCRM 5.2.0e Code Execution
Posted Jun 15, 2009
Authored by Francesco Ongaro, Antonio Parata, Giovanni Pellerano | Site ush.it

SugarCRM versions 5.2.0e and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
MD5 | f81ce65d75a4b29de7ebbf23b6cb8179

SugarCRM 5.2.0e Remote Code Execution

Name Remote Code Execution in SugarCRM
Systems Affected Sugar CRM 5.2.0e and possibly earlier versions
Severity High
Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
Vendor http://www.sugarcrm.com
Advisory http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt
Authors Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
Date 20090613

I. BACKGROUND

From the SugarCRM web site: "Sugar Express is designed for individuals
and small companies. Core CRM features help employees get on the same
page while more complex functionality is stripped away. Sugar Express is
ideal for providing a single view of the customer from the initial
marketing campaign through the sales cycle and on to customer support.
With Sugar Express, companies have a single system of truth for managing
customer interactions."

II. DESCRIPTION

A Remote Code Execution Vulnerability exists in SugarCRM software.

III. ANALYSIS

Summary:

A Remote Code Execution issue has been found in SugarCRM version
5.2.0e. In order to exploit this vulnerability an account on the system
is required.

The vulnerability resides in the "Compose Email" section. The software
permits sending email with attachments (if not disabled by the
administrator). When the name of the file is specified, a validation
routine is called:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

function safeAttachmentName($filename) {
    global $sugar_config;
    $badExtension = false;
    //get position of last "." in file name
    $file_ext_beg = strrpos($filename, ".");
    $file_ext = "";
    //get file extension
    if($file_ext_beg > 0) {
        $file_ext = substr($filename, $file_ext_beg + 1);
    }
    //check to see if this is a file with extension located in "badext"
    foreach($sugar_config['upload_badext'] as $badExt) {
        if(strtolower($file_ext) == strtolower($badExt)) {
            //if found, then append with .txt and break out of lookup
            $filename = $filename . ".txt";
            $badExtension = true;
            break; // no need to look for more
        } // if
    } // foreach
    return $badExtension;
}

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This routine checks whether the extension of the filename is
blacklisted; if so, the ".txt" extension is appended to the filename.
However, there is a coding error: the function assumes that the filename
(extension excluded) is at least one character long. This assumption
comes from the statement:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

if($file_ext_beg > 0)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This assumption is wrong: if the whole filename is set to ".php",
strrpos() returns 0, the check is skipped and an empty extension is
assumed. Because the empty extension is not in the blacklist, no further
extension is appended to the filename. After this check a file is created
on the filesystem with a name of the form "<id><filename>", where "id" is
an alphanumeric string.

With this trick a file with a ".php" extension can be created: upload a
new file attachment and set the filename to ".php".

After this the attacker has to find the name under which the uploaded
file was stored. To obtain the real filename, look in the HTML response
for a string like:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<input value="6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php" name="email_attachment0" id="email_attachment10" type="hidden">

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The real filename in this case is
"6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php". Now the attacker has to find
the directory where the file resides.

Searching the HTML page again, this time for the "assigned_user_id"
parameter, reveals the needed information:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<a href="index.php?module=Emails&action=ListView&assigned_user_id=abf7c77b-2f71-8071-63ba-4a131068e9a2&type=archived">

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

At this point the attacker has all the information needed to invoke the
uploaded file.

Filename: 6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php
Assigned user id: abf7c77b-2f71-8071-63ba-4a131068e9a2

To request it directly, issue a request to:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/cache/modules/Emails/abf7c77b-2f71-8071-63ba-4a131068e9a2/6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As a final note: if the user is "administrator", "assigned_user_id" is
always "1".
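The following is an added example, not SugarCRM's code: a Python port of the extension check quoted above, a hardened variant of the same check, and the two storage-name schemes (the vulnerable "<id><filename>" form and the GUID-only form the vendor response describes). The blacklist UPLOAD_BADEXT is a constructed stand-in for $sugar_config['upload_badext'].

```python
# Added example, not SugarCRM code: a Python port of the extension check
# quoted in the advisory, a hardened variant, and the two storage-name
# schemes. UPLOAD_BADEXT is a constructed stand-in for
# $sugar_config['upload_badext'].
UPLOAD_BADEXT = ["php", "php3", "php4", "php5", "phtml", "pl", "cgi", "py"]


def safe_attachment_name_original(filename, badext=UPLOAD_BADEXT):
    """Faithful port of the vulnerable routine: returns (name, flagged).

    PHP's strrpos() gives the index of the last '.', and the extension is
    only examined when that index is > 0, so a bare ".php" yields an
    empty extension and passes unchanged."""
    file_ext_beg = filename.rfind(".")
    file_ext = ""
    if file_ext_beg > 0:  # flawed: index 0 is a valid dot position
        file_ext = filename[file_ext_beg + 1:]
    for bad in badext:
        if file_ext.lower() == bad.lower():
            return filename + ".txt", True
    return filename, False


def safe_attachment_name_hardened(filename, badext=UPLOAD_BADEXT):
    """A dot at index 0 still marks an extension, and every dot-separated
    segment after the first is checked, so "x.php.bak" is not trusted
    either (multi-extension handling differs between web servers)."""
    blocked = {b.lower() for b in badext}
    segments = filename.lower().split(".")[1:]
    if any(seg in blocked for seg in segments):
        return filename + ".txt", True
    return filename, False


def attachment_path(assigned_user_id, guid, filename, fixed=False):
    """On-disk path under cache/modules/Emails/<assigned_user_id>/.

    The advisory gives the vulnerable form "<id><filename>"; the vendor
    fix saves the file under the GUID alone, so no user-chosen extension
    reaches the path."""
    name = guid if fixed else guid + filename
    return "cache/modules/Emails/%s/%s" % (assigned_user_id, name)
```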

IV. DETECTION

SugarCRM 5.2.0e and possibly earlier versions are vulnerable.

V. WORKAROUND

Upgrade to the latest version, 5.2.0f.

VI. VENDOR RESPONSE

"We have fixed the issue and will be shipping the patch on June 12th.
We will be doing a full pass of quality assurance in this area to
ensure that no other issues crop up around file uploads.
The fix involves modifying the code that handles uploads for email
attachments to save the files using just a GUID rather than the original
file name. This is similar to how uploads are handled elsewhere in the
application and should prevent the code from being executable on the
server side."

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20090519 Bug discovered
20090528 First vendor contact
20090528 Vendor response
20090530 Vendor confirms the vulnerability
20090602 Vendor proposes a possible fix and patch release
20090612 Vendor releases SugarCRM 5.2.0f (vulnerability fixed)
20090613 Advisory released

IX. CREDIT

Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni
"evilaliv3" Pellerano are credited with the discovery of this
vulnerability.

Antonio "s4tan" Parata
web site: http://www.ush.it/
mail: s4tan AT ush DOT it

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Giovanni "evilaliv3" Pellerano
web site: http://www.ush.it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it

X. LEGAL NOTICES

Copyright (c) 2009 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.