Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu,  6 Aug 2015 16:23:19 -0400 (EDT)
From: cve-assign@...re.org
To: darren.martyn@...hosresearch.co.uk
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I am requesting a CVE to be issued for the SuiteCRM product. There
> exists a race condition in the image upload verification component which
> leads to a race condition wherein an uploaded piece of PHP code exists
> on disc temporarily before being deleted, which can be leveraged to gain
> code execution. This vulnerability was introduced in version 7.2.2, as a
> patch to fix a prior code execution issue found in 7.2.1.
> 
> Github issue: https://github.com/salesagility/SuiteCRM/issues/333
> https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5

> https://github.com/XiphosResearch/exploits/tree/master/suiteshell
> 
> SuiteCRM suffers a post-authentication shell upload vulnerability in
> its "Upload Company Logo" functionality, wherin it uses a blacklist in
> an attempt to prevent the upload of executable code. Furthermore, its
> "check for valid image" test leaves uploaded files in a tempdir that
> is web accessible. It is possible to bypass the blacklist to upload
> executable PHP code with the "phtml" extension to this temporary
> directory and thus gain code execution under the context of the
> webserver user

Use CVE-2015-5946 for the original incomplete blacklist vulnerability
in which an authenticated attacker could, at any time, upload an
executable file (such as a phtml file) to a location from which the
web server serves files.

The blacklist was:

        'php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py',
        'asp', 'cfm', 'js', 'vbs', 'html', 'htm' 


Use CVE-2015-5947 for the other original issue in which the:

  if(!verify_uploaded_image

code block does not attempt to restrict access after an "unverified"
file is detected. CVE-2015-5946 and CVE-2015-5947 seem to be
independently relevant, although possibly that depends on the "Found
{$m[0]} in $path, not allowing upload" code.


> The Post-Auth RCE allegedly "fixed" in Commit b1b3fd6 is not fixed.
> 
> The fix simply makes the bug slightly harder to exploit, turning it
> from a straight-shot file upload bug into a lovely race condition.
> 
> Do note, this fix could lead to the file being there for a short
> period of time leading to a race condition wherin the attacker simply
> has to beat the unlink to the punch and spawn a reverse shell/drop
> further malicious files/whatever.

Use CVE-2015-5948 for the race condition that exists because of the
incomplete fix for CVE-2015-5947.


> vulnerability in
> its "Upload Company Logo" functionality, wherin it uses a blacklist in
> an attempt to prevent the upload of executable code.

There is no CVE ID specifically for the concept of using blacklisting
rather than whitelisting. In practice, a large blacklist can be
constructed that results in a negligible chance that an allowed file
would be executable on a customer system with a realistic
configuration. This may be considered an unrecommended or overly risky
design, but the issue is not included in CVE.

> its
> "check for valid image" test leaves uploaded files in a tempdir that
> is web accessible.

There is no CVE ID specifically for the concept of using a temporary
directory that is web accessible. The same directory could be used,
without the race condition, in a number of ways -- possibly including
renaming files before initial storage, or some type of access control
for the directory. A web-accessible temporary directory is sometimes
unavoidable if the goal is to support installation in the widest
possible set of web-hosting environments.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVw8GqAAoJEKllVAevmvmsIMoH/ibuwat8qEV1KMrGg/p5E3H8
uZNJnUWTqfkasLAT2UY/QHtmb1NAwBRAPHH39ex0dM2i2Kja4SkqSEGBO9fdGYfI
Li6Bgc5EuwD5v4Al89IJMe4paiOsRtXyT/AKcVFtKIqNkCvTQs60p0b7CrQVQmzC
3rOOch7xFm8qMV3Dwda0+DPtjFANTqdHcUpnmRYPtZORk3YGgIXhT1gA/XeHbBjH
/lmIcK98SLOr4WHHPAgRpZ6HRmclQr0lvQQqx96dxZEZwtNoEcG/ru8piEstej7c
nHU2eIddiuLo/ClSazb+ZBkBkFtXcynkJjosnYgMOCY47sUK6igwZvLTV2HbgVQ=
=fz7X
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.