CVE-2012-0694
Published: 2019-10-29
CVE-2012-0694: SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute arbitrary PHP code.
Priority: P2 78 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 67.26% (99.2th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sugarcrm | sugarcrm | <= 6.3.1 | — |
Detection & IOCs (extracted from sources)
- Alert on HTTP requests to 'pathCache.php' at the SugarCRM web root, especially those carrying a 'Cmd' HTTP header with a base64-encoded value — this is the webshell execution step.
- Monitor for creation of 'pathCache.php' in the SugarCRM web root directory; this file is written by the exploit as a PHP webshell via the SugarTheme __destruct() method.
- Inspect POST bodies to SugarCRM's index.php for the 'firstrow' parameter containing base64-encoded serialized data, targeting the Import module's unserialize() sink.
- Look for authentication attempts followed immediately by a POST to index.php with module=Contacts and a large base64 blob in current_query_by_page — this two-step pattern is characteristic of the exploit chain.
- Exploitation requires valid credentials — the attacker must authenticate before triggering the unserialize() vulnerability. Detection should account for the authenticated context.
- Multiple vulnerable unserialize() sinks exist across different files and parameters (current_query_by_page, firstrow); detection rules must cover all sinks, not just view.list.php.
- The Metasploit module attempts to clean up the dropped webshell (pathCache.php) after session establishment via Meterpreter; the forensic artifact may be short-lived.
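One way to apply the request-level checks above to parsed web-server logs, as an added example that is not part of the original page or of any tool it cites. The record shape (dicts with `method`, `path`, `headers`, `params`), the rule names and the sample values are assumptions constructed for illustration; `ExampleClass` is a placeholder class name.

```python
import base64
import binascii
import re

# Token that starts a serialized PHP object (O:) or custom-serialized object (C:).
SERIALIZED_OBJECT = re.compile(rb'(?:^|[;{])[OC]:\d+:"')
SINK_PARAMS = ("current_query_by_page", "firstrow")  # sink parameters named on this page

def decodes_to_php_object(value):
    """True if value is valid base64 whose decoded bytes contain a serialized PHP object."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(SERIALIZED_OBJECT.search(raw))

def findings(req):
    """Return the rule names (hypothetical labels) that one request record triggers."""
    hits = []
    filename = req["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    if filename.lower() == "pathcache.php":
        hits.append("pathcache-request")
        if any(h.lower() == "cmd" for h in req.get("headers", {})):
            hits.append("pathcache-cmd-header")
    # The sinks read $_REQUEST, so parameters are checked whatever the HTTP method.
    for name in SINK_PARAMS:
        value = req.get("params", {}).get(name)
        if value and decodes_to_php_object(value):
            hits.append("serialized-object:" + name)
    return hits

def sample_requests():
    """Constructed records (not captured traffic) in the assumed parsed-log shape."""
    b64 = lambda s: base64.b64encode(s).decode()
    benign = b64(b'a:1:{s:6:"module";s:8:"Contacts";}')  # plain array, no object
    obj = b64(b'a:1:{i:0;O:12:"ExampleClass":0:{}}')      # array carrying an object
    return [
        {"method": "POST", "path": "/index.php", "headers": {}, "params": {"current_query_by_page": benign}},
        {"method": "POST", "path": "/index.php", "headers": {}, "params": {"current_query_by_page": obj}},
        {"method": "POST", "path": "/index.php?module=Import", "headers": {}, "params": {"firstrow": obj}},
        {"method": "GET", "path": "/sugarcrm/pathCache.php", "headers": {"Cmd": "Y29uc3RydWN0ZWQ="}, "params": {}},
    ]

if __name__ == "__main__":
    for record in sample_requests():
        print(record["method"], record["path"], findings(record))
```

The first record shows why the rule keys on an object token rather than on any base64 blob: a serialized array in current_query_by_page does not fire it, while an embedded object does.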
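CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |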
No detection rules found.
Exploit-DB
SugarCRM CE 6.3.1 - 'Unserialize()' PHP Code Execution (Metasploit)
exploitdb · 2012-06-26
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'SugarCRM %q{
This module exploits a php unserialize() vulnerability in SugarCRM
[
'EgiX', # Vulnerability discovery and PoC
'juan vazquez', # Metasploit module
'sinn3r' # Metasploit module
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2012-0694' ],
[ 'EDB', '19381' ],
[ 'URL', 'http://www.sugarcrm.com/forums/f22/critical-security-vulnerability-76537/' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch'
Exploit-DB
SugarCRM CE 6.3.1 - 'Unserialize()' PHP Code Execution
exploitdb · 2012-06-23
---
populateFromArray(unserialize(base64_decode($query)));
include/generic/Save2.php:197: $current_query_by_page_array = unserialize(base64_decode($current_query_by_page));
include/MVC/Controller/SugarController.php:593: $_REQUEST = unserialize(base64_decode($temp_req['current_query_by_page']));
include/MVC/View/views/view.list.php:82: $current_query_by_page = unserialize(base64_decode($_REQUEST['current_query_by_page']));
modules/Import/Importer.php:536: $firstrow = unserialize(base64_decode($_REQUEST['firstrow']));
modules/ProjectTask/views/view.list.php:95: $current_query_by_page = unserialize(base64_decode($_REQUEST['current_query_by_page']));
The vulnerability is caused due to all these scripts using "unserialize()" with user c
Metasploit
SugarCRM unserialize() PHP Code Execution
metasploit
This module exploits a php unserialize() vulnerability in SugarCRM <= 6.3.1 which could be abused to allow authenticated SugarCRM users to execute arbitrary code with the permissions of the webserver. The dangerous unserialize() exists in the 'include/MVC/View/views/view.list.php' script, which is called with user controlled data from the 'current_query_by_page' parameter. The exploit abuses the __destruct() method from the SugarTheme class to write arbitrary PHP code to a 'pathCache.php' on the web root.
No writeups or analysis indexed.
Published: 2019-10-29