MODULE

SugarCRM unauthenticated Remote Code Execution (RCE)

Try Surface Command Get a continuous 360° view of your attack surface
Back to Search

SugarCRM unauthenticated Remote Code Execution (RCE)

Disclosed
12/28/2022
Created
03/09/2023

Description

This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint /index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration, the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and gaining access to the system. This vulnerability does not require authentication because there is a missing authentication check in the loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get destroyed and hence the attacker can continue to send valid requests to the application. Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain access to the underlying operating system as the user that the web services are running as (typically www-data).

Author(s)

  • Sw33t.0day
  • h00die-gr3y <h00die.gr3y@gmail.com>

Platform

Linux,PHP,Unix

Architectures

cmd, php, x64, x86

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/sugarcrm_webshell_cve_2023_22952
msf exploit(sugarcrm_webshell_cve_2023_22952) > show targets
    ...targets...
msf exploit(sugarcrm_webshell_cve_2023_22952) > set TARGET < target-id >
msf exploit(sugarcrm_webshell_cve_2023_22952) > show options
    ...show and set options...
msf exploit(sugarcrm_webshell_cve_2023_22952) > exploit

Metasploit

Penetration testing software for offensive security teams.
Key Features
Free Metasploit Pro Trial View All Features

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;