
Post-Auth RCE Not Fixed, it's now a race condition :) #333

Closed
0x27 opened this issue Aug 5, 2015 · 3 comments

Comments


0x27 commented Aug 5, 2015

The Post-Auth RCE allegedly "fixed" in Commit b1b3fd6 is not fixed.

The fix simply makes the bug slightly harder to exploit, turning it from a straight-shot file upload bug into a lovely race condition. Also, I bypassed the blacklist again :)

Video Proof below, a PoC will be published along with a full writeup of the vulnerability in due course, and a CVE is being requested from MITRE (or whoever decides to issue them...).

Suggested fix: Validate images BEFORE writing to disc. Writing them to disc, then checking them, is a bad idea.

Also, you were told on the commit this was a bad idea. Are we going to have to play remote-code-execution whack-a-mole for another while? Seriously, as a Crown Commercial Services Supplier, your QA process should surely have caught this.
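An added illustration of the two patterns this comment contrasts (write to disk then check, versus validate in memory first), written in Python as a language-neutral sketch rather than SuiteCRM's PHP; this is example code, not the project's fix or the reporter's PoC, and the sample uploads and magic-byte table are constructed for the demo.

```python
import os
import secrets
import tempfile

# Constructed sample uploads for this demo (not files from the issue or the project).
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT_UPLOAD = b"<?php echo 'not an image'; ?>"
# Accept only formats recognised by content; client-supplied names and
# extension blacklists are never consulted.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"GIF89a": "gif"}

def sniff_image_type(data):
    """Return the image type inferred from the leading bytes, or None."""
    return next((k for m, k in IMAGE_MAGIC.items() if data.startswith(m)), None)

def save_write_then_check(data, upload_dir, client_name, observer=None):
    """The pattern the issue objects to: bytes reach disk, then get checked.
    `observer` stands in for a concurrent request arriving in that window."""
    path = os.path.join(upload_dir, os.path.basename(client_name))
    with open(path, "wb") as f:
        f.write(data)
    if observer is not None:
        observer(path)
    if sniff_image_type(data) is None:
        os.unlink(path)  # too late: the file was already reachable on disk
        return None
    return path

def save_validate_first(data, upload_dir):
    """Suggested fix: validate in memory; only a recognised image is written,
    under a server-chosen name carrying the sniffed extension."""
    kind = sniff_image_type(data)
    if kind is None:
        return None
    path = os.path.join(upload_dir, f"{secrets.token_hex(8)}.{kind}")
    with open(path, "wb") as f:
        f.write(data)
    return path

def demo():
    """Run both handlers in a scratch directory and report what was observed."""
    with tempfile.TemporaryDirectory() as d:
        seen = []
        racy = save_write_then_check(SCRIPT_UPLOAD, d, "logo.php",
                                     observer=lambda p: seen.append(os.path.exists(p)))
        safe = save_validate_first(SCRIPT_UPLOAD, d)
        leftovers = os.listdir(d)
        return {"racy": racy, "seen_on_disk": seen, "safe": safe, "leftovers": leftovers,
                "good_ext": os.path.splitext(save_validate_first(PNG_UPLOAD, d))[1]}
```

With the write-then-check handler the non-image is observable on disk before it is removed; with validate-first the directory stays empty until a recognised image arrives.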

JimMackin (Contributor) commented

@0x27 Thanks for bringing this issue up. Commit 3974fc2 prevents the malicious upload being moved to the tmp_logo_company_upload folder. Any feedback on this fix would be welcome.


0x27 commented Aug 6, 2015

@JimMackin I'll review it properly (install and test) over the weekend. Will have to validate (test harness using inotify, probably) that it is not being written to disc anywhere and if it is, will have to see if there's another vector for getting it executed.

willrennie (Contributor) commented

Race condition has been resolved in SuiteCRM v7.2.3 and any future releases.
