As part of our efforts to make the open source web application space more secure we scanned SuiteCRM 7.11.4 with our static code analysis tool RIPS and we detected multiple critical vulnerabilities. Among them is a SQL Injection that can be exploited as a normal user (CVE-2019-12598), which can be leveraged into a multi-step PHP Object Injection leading to a Remote Code Execution (CVE-2019-12601) giving an attacker full control of the underlying server. The cherry on top of the cake: an attacker can exploit this vulnerability without any valid login credentials and without direct access to the internal network.
The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post in order to ensure a fix is available.
Hacking into your Network: Arbitrary Database Write via CSRF
The SuiteCRM web application is vulnerable to a SQL Injection which is present in the WizardNewsletterSave action of the Campaigns module. To exploit this vulnerability, the attacker can make use of a Spear Phishing attack to lure a faithful and benign employee who is logged into the company’s web application into visiting/clicking a malicious and evil website (e.g. http://evilattacker.com). The website will embed an image which is pointing to a specially crafted malicious URL, causing the browser to issue a HTTP request to the following target:
If the browser of the victim - authenticated to the SuiteCRM web application - issues a HTTP request to this link then the following SQL query is executed on the underlying database:
The root cause of this problem originates in the
WizardNewsletterSave.php file of the application logic which is populating the instance of a
SugarBean object from the HTTP request sent by the attacker. As seen in line 70 of the following source code, this is done before saving the
SugarBean to the database.
However, the function
populate_wizard_bean_from_request() allows an attacker to set the object properties of the constructed bean arbitrarily, which is known as Variable Tampering. Such a vulnerability can be observed in line 409 and 410 where user input
$_REQUEST[$key] is assigned to the dynamic
$field property of the object which was built from the attacker controlled parameter name
table_name property of a
SugarBean instance is prone to be written by the attacker because it is directly embedded into a SQL query. The property is returned by the
getTableName() method on line 1965 and spared by further sanitization leading to the SQL Injection.
This feature allows any adversary to inject malicious entries into the database of the server which has critical effects standalone: an attacker can create a secondary administrator account next to removing and inserting arbitrary information. Since a CRM software is usually isolated in the internal network, this vulnerability alone is hardly exploitable. However, in the following section we will see how this SQL Injection can be leveraged into a Remote Code Execution vulnerability easily by chaining together multiple exploits.
Remote Code Execution on the Internal Network Server
The RIPS scanner has detected that database write access to the stored_options column of the inbound_email table can be leveraged into an advanced Multi Step PHP Object Injection vulnerability which leads to a Remote Code Execution. To achieve this goal, an attacker needs to insert a row with a known id (e.g. 313373) into the inbound_email table of the database connected to the SuiteCRM web application containing a base64 encoded version
of a serialized malicious PHP object. The specially crafted PHP object will hijack the
control flow of the underlying application logic to spawn a malicious
shell.php file in the
root directory of SuiteCRM, as soon as the object is deserialized.
By embedding a second image and sending another request to the web application, the payload is read from the database, deserialized and executed. As a result, the attacker can execute code on the freshly hijacked internal network server.
The issue is located in the
getInboundMailerSettings() method where the stored serialized payload is retrieved and deserialized on demand. The issued HTTP request will directly cause the web application to load the options stored under the id (e.g
313373) which have been overwritten previously.
If you want to know more on how to exploit a PHP Object Injection like this into Remote Code Execution read more about it in our blog post.
Isolating a vulnerable web application into your internal network does not guard it from external attackers, in fact, it can be used as an entry gateway for any attacker through a sophisticated combination of Spear Phishing, Cross Site Request Forgery and an attacking technique which suites the vulnerable web application. At the end of the day, any web application deployed in your network should implement sufficient security, either assured through tedious manual security testing or with time efficient automated security tools. If you are running SuiteCRM please update as soon as possible to the latest release of SuiteCRM.
|17/May/19||First contact with vendor|
|17/May/19||Response of vendor|
|20/May/19||Vendor informs about release plans for fix|
|03/June/19||Fixed with version 7.11.5 and SuiteCRM LTS 7.10.17|