ush.it - a beautiful place

Vtiger CRM 5.0.4 Multiple Vulnerabilities

August 18, 2009 at 3:55 pm - Filed under Hacks, Language EN - 1780 words, reading time ~5 minutes - Permalink - Comments

In our publication PHP filesystem attack vectors - Take Two we highlighted some issues that can occur in applications written in PHP that make use of filesystem operations. This advisory for the Vtiger CRM, version 5.0.4, application is an example on how such generic issues can impact the security of a real world application.

Vtiger CRM 5.0.4 Multiple Vulnerabilities

 Name              Multiple Vulnerabilities in Vtiger CRM
 Systems Affected  Vtiger CRM 5.0.4 and possibly earlier versions
 Severity          Medium
 Impact (CVSSv2)   Medium 6/10, vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
 Vendor            http://www.vtigercrm.com
 Advisory          http://www_ush_it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt
 Authors           Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
                   Francesco "ascii" Ongaro (ascii AT ush DOT it)
 Date              20090818

I. BACKGROUND

Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support. 

II. DESCRIPTION

Multiple Vulnerabilities exist in Vtiger CRM software.

Some of the technical issues highlighted in this advisory are part of a
wider publication, "PHP filesystem attack vectors - Take Two", and are
generic to applications written in the PHP language:
http://www_ush_it/2009/07/26/php-filesystem-attack-vectors-take-two/

III. ANALYSIS

Summary:

 A) Remote Code Execution (RCE) Vulnerability
 B) Cross Site Request Forgery (CSRF) Vulnerabilities
 C) Local File Inclusion (LFI) Vulnerability
 D) Cross Side Scripting (XSS) Vulnerability

A) Remote Code Execution (Windows Only) Vulnerability

A Remote Code Execution vulnerability exists in Vtiger CRM version
5.0.4. In order to exploit this vulnerability an account on the CRM
system is required.

The vulnerability resides in the "Compose Mail" section. The software
permits sending email with attachments and offers a draft save feature.
When this feature is requested and an attachment is specified, the
"saveForwardAttachments" validation routine is called.

This routine involves some security checks to handle uploaded files, it
does blacklist extension checking and if a bad extension is detected the
txt extension is appended to the file-name.

The following is the specific section:

--8< --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$ext_pos = strrpos($binFile, ".");
$ext = substr($binFile, $ext_pos + 1);
if (in_array(strtolower($ext), $upload_badext))
{
    $binFile .= ".txt";
}

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It's known that in some circostances (for example when the PHP handler
is configured using AddType/Action/AddHandler globally, eg. not inside
an Apache's Files/FilesMatch directive) blacklisting is not enough as
files in the form of "filename.php.foo" will be mapped back to PHP
anyway (since foo is not explicitly defined in the MIME map and Apache
will try to guess the filetype by its own).

Beside this known issue we want to point out a less known exploitation
methodology that works on Windows hosts.

First the attacker has to find the name of the file that was uploaded
in the attachment list files. Vtiger CRM saves files in a path like:

storage/2009/July/week1/

And prepends an incremental unique number to the filename like:

133_foo.php

So, a hypothetical attacker has only to guess the prepended number. This
can be done by bruteforcing or by requesting the url:

http://127.0.0.1/vtigercrm/index.php?module=Emails&action=ListView

At this page Vtiger CRM shows the list of all the emails sent and saved,
and for every email it allows to download the attachment showing its
unique id in the link.

http://127.0.0.1/vtigercrm/index.php?module=uploads&action=downloadfile&
return_module=Emails&fileid=133&entityid=136

So, finally, the link to exploit this vulnerability should be something like:

http://127.0.0.1/vtigercrm/storage/2009/July/week1/133.foo.php

While Vtiger CRM blocks known dangerous extensions (like .php) making
direct exploitation impossible it has to be highlighted that this simple
estension check is totally improper since it does not consider specific
filenames and behaviours of the operating systems where Vtiger CRM is
deployed.

For example on Windows OS is possible to exploit this vulnerability by
requesting an upload with the filename "foo.php.".

This string will bypass the check and since Windows does not permit
filenames ending with a dot, modifying it in a transparent way, the final
name of the file will simply be "foo.php.".

A similar result can be obtained on GNU/Linux by requesting an upload
with the filename "foo.php/."

Note that the integrated webmail feature that allows a user to write
emails and eventually save a draft of them is authenticated (a valid
user on the system is required in order to exploit this vulnerability).

B) Multiple CSRF (Cross Site Request Forgery) Vulnerabilites

Multiple CSRF vulnerabilities exist in vtiger crm version 5.0.4.
Here's a demonstrative one (an Admin user has to follow this link): 

http://127.0.0.1/vtigercrm/index.php?module=Rss&action=Save&rssurl=http:
//www_ush_it/feed

The feed is added to the news feed system visible by the crm users.

Other and more dangerous CSRF vulnerabilities exist.

C) Local File Inclusion

Some LFI vulnerabilities exist in Vtiger CRM version 5.0.4.

Some examples:

1) http://127.0.0.1/vtigercrm/graph.php?module=/../[..]/../etc/passwd%00
2) http://127.0.0.1/vtigercrm/index.php?module=Accounts&action=Import&pa
renttab=Support&step=/../[..]/../etc/passwd%00

Add as many "../" instead of the "[..]" placeholder as needed.

The first one does not need a valid user account, the second one is
authenticated.

Other modules are vulnerable to LFI, for example those who include
"Import/index.php" where the vulnerability resides:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

grep "Import/index.php" * -R

modules/Accounts/Import.php: include('modules/Import/index.php');
modules/Contacts/Import.php: include('modules/Import/index.php');
modules/HelpDesk/Import.php: include('modules/Import/index.php');
modules/Leads/Import.php: include('modules/Import/index.php');
modules/Potentials/Import.php: include('modules/Import/index.php');
modules/Products/Import.php: include('modules/Import/index.php');
modules/Vendors/Import.php: include('modules/Import/index.php');

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

A third LFI vulnerability has been found in "CommonAjax.php", both
"module" and "file" parameters are vulnerable.

http://127.0.0.1/vtigercrm/include/Ajax/CommonAjax.php?module=Email&file=bar

Will lead to a call like "require_once(modules/Email/bar.php)".

If direct access to "CommonAjax.php" has been forbidden other entry
points can be used:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

grep "Ajax/CommonAjax.php" * -R
modules/Campaigns/CampaignsAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/SalesOrder/SalesOrderAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/System/SystemAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Products/ProductsAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/uploads/uploadsAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Dashboard/DashboardAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Potentials/PotentialsAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Notes/NotesAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Faq/FaqAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Quotes/QuotesAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Utilities/UtilitiesAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Calendar/ActivityAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Calendar/CalendarAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/PurchaseOrder/PurchaseOrderAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/HelpDesk/HelpDeskAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Invoice/InvoiceAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Accounts/AccountsAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Reports/ReportsAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Contacts/ContactsAjax.php: require_once('include/Ajax/CommonAjax.php');
modules/Portal/PortalAjax.php: require_once('include/Ajax/CommonAjax.php');

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

To use one of these files as gateway for the previous vulnerability
issue a request like the following:

http://127.0.0.1/vtigercrm/?module=Invoice&action=InvoiceAjax&file=bar

Where "Invoice" and "InvoiceAjax" are values from the presented list.

This LFI vulnerability is not exploitable if you have applied a separate
patch available at the following url:

https://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.0.4%20
Latest%20Stable/VtigerCRM504_Security_Patch.zip

We question ourself about the usefulness of such patch without a proper
release. Probably little or no Vtiger CRM customers have applied such
patch.

D) Cross Side Scripting vulnerabilites

Some XSS vulnerabilities exist in Vtiger CRM version 5.0.4.

For example:

http://127.0.0.1/vtigercrm/phprint.php?module=Activities&action=--%3E%3C
script%3Ealert(%22ush.it%22);%3C/script%3E%3C!--

Or:

http://127.0.0.1/vtigercrm/index.php?action=UnifiedSearch&module=Home&pa
renttab=My+Home+Page&query_string=%27%22%3E%3Cscript%3Ealert(123)%3C/scr
ipt%3E

IV. DETECTION

Vtiger CRM 5.0.4 and possibly earlier versions are vulnerable.

V. WORKAROUND

Upgrade to latest version 5.1.0.

VI. VENDOR RESPONSE

"Our team reviewed the issues reported against current development build
(version 5.1.0) and seem to have
addressed many of them already. In this version we have made several
improvements to performance and
closed loop holes reported on 5.0.4 with lot more features.

Please let me know if you need further clarification.
Thank you for your support once again."

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20090620 Bug discovered
20090706 First vendor contact
20090706 Vendor Response
20090706 Vendor Confirm the vulnerability
20090713 Vendor propose a possible fix and path release
20090722 Vendor released VtigerCRM 5.1.0 (Vulnerability fixed)
20090818 Advisory released

IX. CREDIT

Giovanni "evilaliv3" Pellerano, Antonio "s4tan" Parata and Francesco
"ascii" Ongaro are credited with the discovery of this vulnerability.

Giovanni "evilaliv3" Pellerano
web site: http://www_ush_it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it

Antonio "s4tan" Parata web site: http://www_ush_it/ mail: s4tan AT ush DOT it Francesco "ascii" Ongaro web site: http://www_ush_it/ mail: ascii AT ush DOT it X. LEGAL NOTICES Copyright (c) 2009 Francesco "ascii" Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

THP USH Wisec DigitalBullets