module
SugarCRM unauthenticated Remote Code Execution (RCE)
Disclosed | Created |
---|---|
12/28/2022 | 03/09/2023 |
Disclosed
12/28/2022
Created
03/09/2023
Description
This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise,
Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and
Serve versions prior to 12.0.2.
The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with
embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint
/index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration,
the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and
gaining access to the system.
This vulnerability does not require authentication because there is a missing authentication check in the
loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get
destroyed and hence the attacker can continue to send valid requests to the application.
Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain
access to the underlying operating system as the user that the web services are running as (typically www-data).
Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and
Serve versions prior to 12.0.2.
The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with
embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint
/index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration,
the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and
gaining access to the system.
This vulnerability does not require authentication because there is a missing authentication check in the
loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get
destroyed and hence the attacker can continue to send valid requests to the application.
Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain
access to the underlying operating system as the user that the web services are running as (typically www-data).
Authors
Sw33t.0dayh00die-gr3y
Platform
Linux,PHP,Unix
Architectures
cmd, php, x64, x86
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/multi/http/sugarcrm_webshell_cve_2023_22952 msf /(2) > show actions ...actions... msf /(2) > set ACTION < action-name > msf /(2) > show options ...show and set options... msf /(2) > run

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.