Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Jan 2016 12:03:56 +0100
From: Benjamin Daniel Mussler <sec@...fl7.de>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution


Please assign a CVE. Thanks.


Vtiger CRM 6.4 Authenticated Remote Code Execution

1. Summary
2. Vulnerability Details
3. References

########## 1. Summary ##########

Vtiger CRM  <https://www.vtiger.com/open-source/> is a CRM application.

Vtiger CRM version 6.4 (“Open Source” branch; released on 2015-10-16) is
vulnerable to Authenticated Remote Code Execution.

This vulnerability is different than CVE-2015-6000 (in fact it is a
result of an insufficient fix for CVE-2015-6000).


########## 2. Vulnerability Details ##########

Vtiger CRM allows for the upload of a "company logo" from within the
administrative interface.

Multiple flaws in the Settings_Vtiger_CompanyDetailsSave_Action class
allow attackers to upload files with (almost) arbitrary contents,
including PHP code passing commands to the underlying operating system.

The previously mentioned vulnerability, CVE-2015-6000, was partially
caused by an insufficient file type check, relying on the MIME type
("Content-Type") sent by the client.

In an attempt to mitigate the resulting security issues, the following
"mime type check" was added with a Vtiger CRM 6.3 security patch
(released on 2015-10-06) and Vtiger CRM 6.4 (released on 2015-10-16):

//mime type check
$mimeType = mime_content_type($logoDetails['tmp_name']);
$mimeTypeContents = explode('/', $mimeType);
if (!$logoDetails['size'] || $mimeTypeContents[0] != 'image' || !in_array($mimeTypeContents[1], Settings_Vtiger_CompanyDetails_Model::$logoSupportedFormats)) {
    $saveLogo = false;
}

However, an attacker may choose to embed malicious PHP code within a
valid image file, for example as EXIF data of a JPEG file. Once the
server has received the attacker's JPEG file, mime_content_type() will
process it, correctly consider it to be a valid image file, and return
the MIME type "image/jpeg" -- which passes Vtiger's "mime type check".

Because Vtiger allows users to freely choose the name of an uploaded
file, even if the file's extension does not match the previously
determined MIME type, an attacker can upload the image file with a
".php" extension.

Vtiger CRM then saves the uploaded file's contents with the
client-specified file name in the publicly accessible "test/logo/"
directory.

The code can then be run by accessing the location of the uploaded file
(“<Vtiger URL>/test/logo/<attacker-specified file name>”).


########## 3. References ##########

Source: <http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html>

Description of CVE-2015-6000:
<http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html>
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ