-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added module and documentation for SuiteCRM Log File RCE CVE-2020-28328 #15231
Added module and documentation for SuiteCRM Log File RCE CVE-2020-28328 #15231
Conversation
lol. Seems like a regression of the same issue in the same |
Co-authored-by: bcoles <bcoles@gmail.com>
Change Metasploit download link to https Co-authored-by: bcoles <bcoles@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @mcorybillington, thank you for the module! I have a few suggestions, with most being related to checking / validating responses.
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Hey @mcorybillington, I added a PR to your branch with a couple of small changes. I went ahead and added those since I missed it in the review. Let me know if those work for you, thanks! |
add cookie jar usage and AutoCheck
Tested against
|
Release NotesNew module |
Hello, this is my first PR, so please go easy on me.
I am submitting a module for an exploit I reported (two, technically) to SuiteCRM. The exploit allows for an administrator to modify system settings and control the name of the log file. The attacker can rename the log file to a PHP file and then poison the file with arbitrary PHP code. This code is sanitized to a degree, so the php code you can execute is limited, hence I only have two payloads added:
linux/x64/meterpreter_reverse_tcp
andcmd/unix/bash_reverse_tcp
This module will cover CVE-2020-28328 as well, however I am still waiting for the current CVE. This was patched in the latest release in April 2021. I requested the CVE ID from the vendor today, and they advised that they have not received it yet from Mitre.
A writeup can be found here:
https://theyhack.me/SuiteCRM-RCE-2/
And a previous writeup/exploit can be found here for the first issue:
https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/
https://www.exploit-db.com/exploits/49001
Verification
List the steps needed to make sure this thing works.
This is a full run through with both modules.
I will be emailing a runthrough of each section as well to msfdev@metaspolit.com.