Date: Tue, 12 Jan 2016 12:03:56 +0100
From: Benjamin Daniel Mussler <sec@...fl7.de>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution


Please assign a CVE. Thanks.


Vtiger CRM 6.4 Authenticated Remote Code Execution

1. Summary
2. Vulnerability Details
3. References

########## 1. Summary ##########

Vtiger CRM <https://www.vtiger.com/open-source/> is a CRM application.

Vtiger CRM version 6.4 (“Open Source” branch; released on 2015-10-16) is
vulnerable to Authenticated Remote Code Execution.

This vulnerability is different from CVE-2015-6000 (in fact it is a
result of an insufficient fix for CVE-2015-6000).


########## 2. Vulnerability Details ##########

Vtiger CRM allows for the upload of a "company logo" from within the
administrative interface.

Multiple flaws in the Settings_Vtiger_CompanyDetailsSave_Action class
allow attackers to upload files with (almost) arbitrary contents,
including PHP code passing commands to the underlying operating system.

The previously mentioned vulnerability, CVE-2015-6000, was partially
caused by an insufficient file type check, relying on the MIME type
("Content-Type") sent by the client.

In an attempt to mitigate the resulting security issues, the following
"mime type check" was added with a Vtiger CRM 6.3 security patch
(released on 2015-10-06) and Vtiger CRM 6.4 (released on 2015-10-16):

//mime type check
$mimeType = mime_content_type($logoDetails['tmp_name']);
$mimeTypeContents = explode('/', $mimeType);
if (!$logoDetails['size'] || $mimeTypeContents[0] != 'image' || !in_array($mimeTypeContents[1], Settings_Vtiger_CompanyDetails_Model::$logoSupportedFormats)) {
    $saveLogo = false;
}

However, an attacker may choose to embed malicious PHP code within a
valid image file, for example as EXIF data of a JPEG file. Once the
server has received the attacker's JPEG file, mime_content_type() will
process it, correctly consider it to be a valid image file, and return
the MIME type "image/jpeg" -- which passes Vtiger's "mime type check".

Because Vtiger allows users to freely choose the name of an uploaded
file, even if the file's extension does not match the previously
determined MIME type, an attacker can upload the image file with a
".php" extension.

Vtiger CRM then saves the uploaded file's contents with the
client-specified file name in the publicly accessible "test/logo/"
directory.

The code can then be run by accessing the location of the uploaded file
(“<Vtiger URL>/test/logo/<attacker-specified file name>”).
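For comparison, the following is an added example (not Vtiger's code) of how the same logo upload can be validated so that neither the client-supplied Content-Type nor the client-supplied file name influences what is stored. The function name and the $logoDir parameter are assumptions; $logoDetails is taken to be the $_FILES entry for the logo, as in the snippet above.

```php
<?php
// Hardened logo handling (added example, not Vtiger's code). The detected
// MIME type decides the extension, the stored name is generated server-side,
// and the image is re-encoded with GD so non-pixel data (e.g. EXIF) is dropped.
// Assumes $logoDetails is the $_FILES entry for the uploaded logo.

function saveCompanyLogo(array $logoDetails, string $logoDir): ?string
{
    // Only these detected types are accepted; the extension comes from this
    // table, never from the uploaded file name.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (empty($logoDetails['size']) || !is_uploaded_file($logoDetails['tmp_name'])) {
        return null;
    }

    // Sniff the content; $logoDetails['type'] is client-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mimeType = $finfo->file($logoDetails['tmp_name']);
    if (!isset($allowed[$mimeType])) {
        return null;
    }

    // Decode through GD: anything that is not a decodable image is rejected,
    // and a decodable one is rebuilt from its pixels only.
    $image = @imagecreatefromstring(file_get_contents($logoDetails['tmp_name']));
    if ($image === false) {
        return null;
    }

    // Server-chosen name with the extension matching the detected type.
    $fileName = bin2hex(random_bytes(8)) . '.' . $allowed[$mimeType];
    $target = rtrim($logoDir, '/') . '/' . $fileName;

    switch ($mimeType) {
        case 'image/jpeg': $ok = imagejpeg($image, $target, 90); break;
        case 'image/png':  $ok = imagepng($image, $target);      break;
        default:           $ok = imagegif($image, $target);      break;
    }
    imagedestroy($image);

    return $ok ? $fileName : null;
}
```

Independently of this check, a web-accessible upload directory such as "test/logo/" should be served with script execution disabled, so that a stored file is never interpreted as PHP even if validation fails.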


########## 3. References ##########

Source: <http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html>

Description of CVE-2015-6000:
<http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html>