Suite CRM v7.14.2 - RCE via LFI
Summary
| Name | Suite CRM v7.14.2 - RCE via LFI |
| Code name | |
| Product | Suite CRM |
| Affected versions | Version 7.14.2 |
| State | Public |
| Release date | 2024-02-19 |
Vulnerability
| Kind | Local file inclusion (LFI) |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVSSv3.1 Base Score | 9.9 |
| Exploit available | No |
| CVE ID(s) |
Description
Suite CRM version 7.14.2 allows including local php files. This is possible because the application is vulnerable to LFI.
Vulnerability
A local file inclusion (LFI) vulnerability has been identified in Suite CRM that, under certain conditions, could allow an attacker to obtain remote command execution. The attacker must have minimum privileges.
Vulnerable path
Below I will show you the vulnerable path in code, from the source to the sink.
// Index.php use App\Kernel; use Symfony\Component\ErrorHandler\Debug; use Symfony\Component\HttpFoundation\Request; [...] $legacyRoute = $kernel->getLegacyRoute($request);
if (!empty($legacyRoute)) {
$path = './legacy';
if (!empty($legacyRoute['dir'])) {
$path .= '/' . $legacyRoute['dir'];
}
chdir($path);
$access = $legacyRoute['access'] ?? false;
if ($access === false) {
http_response_code(404);
exit;
}
if (file_exists($legacyRoute['file'])) {
/* @noinspection PhpIncludeInspection */
require $legacyRoute['file']; // Vulnerability Here
} else {
http_response_code(404);
exit;
}
}
[...]
// Kernel.php public function getLegacyRoute(Request $request): array { $this->initializeBundles(); $this->initializeContainer(); if ($this->container->has('legacy.route.handler')) { return $this->container->get('legacy.route.handler')->getLegacyRoute($request);
}
return [];
}
// LegacyRouteHandler.php public function getLegacyRoute(Request $request): array { [...] if ($this->isLegacyNonViewActionRoute($request)) { return $this->legacyNonViewActionRedirectHandler->getIncludeFile($request);
}
[...]
}
// LegacyRedirectHandler.php public function getIncludeFile(Request $request): array { $baseUrl = $request->getPathInfo(); // Anything after the index.php file $baseUrl = substr($baseUrl, 1); if (strpos($baseUrl, '.php') === false) { $baseUrl .= 'index.php'; } return [ 'dir' => '', 'file' => $baseUrl, // Arbitrary path (with custom wrapper) 'access' => true
];
}
Evidence of exploitation
Create a product and upload a malicious image
Include the image from the previous step with the LFI to achieve RCE
Our security policy
We have reserved the ID CVE-2024-1644 to refer to this issue from now on.
System Information
-
Version: Suite CRM 7.14.2
-
Operating System: MacOS
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/salesagility/SuiteCRM/
Timeline
2024-01-05
Vulnerability discovered.
2024-01-05
Vendor contacted.
2024-01-10
Vendor replied acknowledging the report.
2024-01-10
Vendor Confirmed the vulnerability.
2024-02-19
Public Disclosure.
