Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu,  6 Aug 2015 16:23:19 -0400 (EDT)
From: cve-assign@...re.org
To: darren.martyn@...hosresearch.co.uk
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I am requesting a CVE to be issued for the SuiteCRM product. There
> exists a race condition in the image upload verification component which
> leads to a race condition wherein an uploaded piece of PHP code exists
> on disc temporarily before being deleted, which can be leveraged to gain
> code execution. This vulnerability was introduced in version 7.2.2, as a
> patch to fix a prior code execution issue found in 7.2.1.
> 
> Github issue: https://github.com/salesagility/SuiteCRM/issues/333
> https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5

> https://github.com/XiphosResearch/exploits/tree/master/suiteshell
> 
> SuiteCRM suffers a post-authentication shell upload vulnerability in
> its "Upload Company Logo" functionality, wherin it uses a blacklist in
> an attempt to prevent the upload of executable code. Furthermore, its
> "check for valid image" test leaves uploaded files in a tempdir that
> is web accessible. It is possible to bypass the blacklist to upload
> executable PHP code with the "phtml" extension to this temporary
> directory and thus gain code execution under the context of the
> webserver user

Use CVE-2015-5946 for the original incomplete blacklist vulnerability
in which an authenticated attacker could, at any time, upload an
executable file (such as a phtml file) to a location from which the
web server serves files.

The blacklist was:

        'php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py',
        'asp', 'cfm', 'js', 'vbs', 'html', 'htm' 


Use CVE-2015-5947 for the other original issue in which the:

  if(!verify_uploaded_image

code block does not attempt to restrict access after an "unverified"
file is detected. CVE-2015-5946 and CVE-2015-5947 seem to be
independently relevant, although possibly that depends on the "Found
{$m[0]} in $path, not allowing upload" code.


> The Post-Auth RCE allegedly "fixed" in Commit b1b3fd6 is not fixed.
> 
> The fix simply makes the bug slightly harder to exploit, turning it
> from a straight-shot file upload bug into a lovely race condition.
> 
> Do note, this fix could lead to the file being there for a short
> period of time leading to a race condition wherin the attacker simply
> has to beat the unlink to the punch and spawn a reverse shell/drop
> further malicious files/whatever.

Use CVE-2015-5948 for the race condition that exists because of the
incomplete fix for CVE-2015-5947.


> vulnerability in
> its "Upload Company Logo" functionality, wherin it uses a blacklist in
> an attempt to prevent the upload of executable code.

There is no CVE ID specifically for the concept of using blacklisting
rather than whitelisting. In practice, a large blacklist can be
constructed that results in a negligible chance that an allowed file
would be executable on a customer system with a realistic
configuration. This may be considered an unrecommended or overly risky
design, but the issue is not included in CVE.

> its
> "check for valid image" test leaves uploaded files in a tempdir that
> is web accessible.

There is no CVE ID specifically for the concept of using a temporary
directory that is web accessible. The same directory could be used,
without the race condition, in a number of ways -- possibly including
renaming files before initial storage, or some type of access control
for the directory. A web-accessible temporary directory is sometimes
unavoidable if the goal is to support installation in the widest
possible set of web-hosting environments.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVw8GqAAoJEKllVAevmvmsIMoH/ibuwat8qEV1KMrGg/p5E3H8
uZNJnUWTqfkasLAT2UY/QHtmb1NAwBRAPHH39ex0dM2i2Kja4SkqSEGBO9fdGYfI
Li6Bgc5EuwD5v4Al89IJMe4paiOsRtXyT/AKcVFtKIqNkCvTQs60p0b7CrQVQmzC
3rOOch7xFm8qMV3Dwda0+DPtjFANTqdHcUpnmRYPtZORk3YGgIXhT1gA/XeHbBjH
/lmIcK98SLOr4WHHPAgRpZ6HRmclQr0lvQQqx96dxZEZwtNoEcG/ru8piEstej7c
nHU2eIddiuLo/ClSazb+ZBkBkFtXcynkJjosnYgMOCY47sUK6igwZvLTV2HbgVQ=
=fz7X
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.