CVE-2020-28328
Published 2020-11-06
Priority P277 · high · CVSS 3.1 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit available (see the Exploit-DB and Metasploit entries below) · EPSS 64.09% (99.1 percentile)
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| salesagility | suitecrm | < 7.11.19 | 7.11.19 |
| salesagility | suitecrm | < 7.11.17 | 7.11.17 |
Detection & IOCs (extracted from sources)
command: module=Users&record=1&action=Save&page=EditView&return_action=DetailView&last_name=<php_payload>
- Detect POST requests to index.php with module=Users, action=Save and a last_name field containing PHP tags (e.g. <?php). This is the log-poisoning step: the Users module writes the saved name to the application log, so the payload lands in the file that was redirected into the web root.
- Detect GET requests for web-root PHP files matching shell-[a-z]{6}.php. This is the trigger step, where the attacker fetches the poisoned log file so the web server executes it as PHP.
- The original bypass supplies a blank logger_file_ext and puts the .php extension inside logger_file_name; alert on any Configurator SaveConfig request in which logger_file_ext is empty.
- CVE-2021-42840 (the incomplete fix) also accepts mixed-case PHP extensions (e.g. .PHP, .Php) in logger_file_name; match PHP file extensions case-insensitively in Configurator SaveConfig requests rather than looking for the lowercase string ".php" only.
- On the host, monitor the SuiteCRM web root for newly created PHP files named shell-[a-z]{6}.php; these are the redirected log files that serve as web shells.
- The Metasploit module linux/http/suitecrm_log_file_rce exploits the same flaw with the same request sequence (Configurator SaveConfig, Users Save, then a GET for the log file), so the rules above cover it; the module name itself never appears in network traffic, so hunt for the request pattern, not the path.
- Caveat: the exploit requires an authenticated administrator session; the attacker must first obtain valid admin credentials or take over an admin account.
- Caveat: logger_level must be 'info' (rather than 'fatal') for the last_name value to be written to the log file. This is itself a Configurator setting, so a logger_level change to info alongside a suspicious log file name should raise the confidence of the alert, and rules that key only on the final file name will miss the transient configuration state.
- Caveat: the CVE-2021-42840 variant affects SuiteCRM before 7.11.19 and uses mixed-case PHP extensions rather than a blank extension; the same Metasploit module covers both variants.
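The three request stages listed above, as an added detection example in Python (this is not code from the page's sources, from SuiteCRM or from the Metasploit module). It assumes the request records come from a reverse proxy or WAF that logs POST bodies, since web-server access logs alone do not carry the last_name field; the SaveConfig request shape (module=Configurator&action=SaveConfig carrying logger_file_name, logger_file_ext and logger_level) and the composition of the log file name as name + ext are assumptions taken from the advisory text, and the sample traffic is constructed. It goes a little beyond the bullets: PHP-ish extensions are matched case-insensitively on the composed file name, so the blank-extension and mixed-case variants fall out of one rule, and a later GET is correlated with the file name set earlier, so a trigger is flagged even when the name does not follow the shell-[a-z]{6}.php pattern.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Any PHP-executable extension, matched case-insensitively (.php, .PHP, .Php, .php7, .phtml ...).
PHP_EXT_RE = re.compile(r"\.ph(?:p\d?|tml)$", re.IGNORECASE)
# PHP open tags that would be logged verbatim and later executed.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# File name pattern used by the public exploit (prefix 'shell-' plus six lowercase letters).
SHELL_NAME_RE = re.compile(r"^/shell-[a-z]{6}\.php$")


def parse_request(method, path, raw_params):
    """Turn a logged request into a dict; raw_params is the merged query string / POST body."""
    return {"method": method, "path": path,
            "params": dict(parse_qsl(raw_params, keep_blank_values=True))}


def stage_log_redirect(req):
    """Stage 1: Configurator SaveConfig that points the log file at a PHP file under the web root.
    Returns (composed_filename, reason) or None."""
    p = req["params"]
    if p.get("module") != "Configurator" or p.get("action") != "SaveConfig":
        return None
    name, ext = p.get("logger_file_name", ""), p.get("logger_file_ext", "")
    composed = name + ext  # assumption: SuiteCRM appends the extension field to the name field
    if not PHP_EXT_RE.search(composed):
        return None
    if ext.strip() == "":
        variant = "blank logger_file_ext with PHP extension in logger_file_name (CVE-2020-28328)"
    elif not composed.endswith(".php"):
        variant = "mixed-case PHP extension, bypasses a lowercase-only check (CVE-2021-42840)"
    else:
        variant = "PHP extension in log file name"
    if p.get("logger_level", "").lower() == "info":
        variant += "; logger_level=info so entity saves will be written to it"
    return composed, variant


def stage_log_poison(req):
    """Stage 2: Users Save whose submitted fields carry PHP tags (the public exploit uses last_name)."""
    p = req["params"]
    if req["method"] != "POST" or p.get("module") != "Users" or p.get("action") != "Save":
        return None
    hits = [k for k, v in p.items() if PHP_TAG_RE.search(v)]
    return f"PHP tags in Users Save field(s) {hits}" if hits else None


def stage_trigger(req, dropped):
    """Stage 3: GET for the redirected log file, by a name seen in stage 1 or by the exploit's pattern."""
    if req["method"] != "GET":
        return None
    if req["path"].lstrip("/") in dropped:
        return f"GET of log file previously redirected into web root: {req['path']}"
    if SHELL_NAME_RE.match(req["path"]):
        return f"GET of web-root file matching shell-[a-z]{{6}}.php: {req['path']}"
    return None


def detect_chain(requests):
    """Run all stages over (method, path, raw_params) records; returns (index, stage, reason) tuples."""
    findings, dropped = [], set()
    for i, (method, path, raw) in enumerate(requests):
        req = parse_request(method, path, raw)
        hit = stage_log_redirect(req)
        if hit:
            dropped.add(hit[0])
            findings.append((i, "redirect", hit[1]))
        reason = stage_log_poison(req)
        if reason:
            findings.append((i, "poison", reason))
        reason = stage_trigger(req, dropped)
        if reason:
            findings.append((i, "trigger", reason))
    return findings


# Constructed sample traffic (not real captures): one full chain using the blank-extension
# variant, one mixed-case redirect plus its trigger, and two benign requests.
SAMPLE_REQUESTS = [
    ("POST", "/index.php", urlencode({"module": "Configurator", "action": "SaveConfig",
        "logger_file_name": "shell-abcdef.php", "logger_file_ext": "", "logger_level": "info"})),
    ("POST", "/index.php", urlencode({"module": "Users", "record": "1", "action": "Save",
        "page": "EditView", "return_action": "DetailView",
        "last_name": "<?php system($_GET['c']); ?>"})),
    ("GET", "/shell-abcdef.php", "c=id"),
    ("POST", "/index.php", urlencode({"module": "Configurator", "action": "SaveConfig",
        "logger_file_name": "suitecrm", "logger_file_ext": ".PhP", "logger_level": "info"})),
    ("GET", "/suitecrm.PhP", ""),
    ("POST", "/index.php", urlencode({"module": "Users", "record": "2", "action": "Save",
        "last_name": "Smith"})),
    ("GET", "/index.php", "module=Home&action=index"),
]

if __name__ == "__main__":
    for index, stage, reason in detect_chain(SAMPLE_REQUESTS):
        print(f"request {index}: {stage}: {reason}")
```

In production the stages should be joined on the admin session or source address and windowed in time, because each stage on its own (a configuration save, a user edit, a GET) is ordinary traffic; the chain is what is suspicious.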
CVSS provenance
- NVD v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.0 HIGH · AV:N/AC:L/Au:S/C:C/I:C/A:C
GHSA
GHSA-9rqh-fr4c-99v2 (CVE-2021-42840) [HIGH] CWE-434 · ghsa_unreviewed · 2022-05-24 · CVSS 8.8
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
GHSA
GHSA-4c2c-97pg-w9x9 (CVE-2020-28328) [HIGH] CWE-434 · ghsa_unreviewed · 2022-05-24
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
No detection rules found.
Exploit-DB
SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
exploitdb · 2020-11-09 · CVE-2020-28328 [HIGH] · CVSS 8.8
---
```python
# Exploit Title: SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
# Date: 08 NOV 2020
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://suitecrm.com/
# Software Link: https://github.com/salesagility/SuiteCRM
# Version: 7.11.15 and below
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2020-28328
# Writeup: https://github.com/mcorybillington/SuiteCRM-RCE
from requests import Session
from random import choice
from string import ascii_lowercase

url = "http://127.0.0.1/"  # URL to remote host web root
post_url = "{url}index.php".format(url=url)
user_name = "admin"  # User must be an administrator
password = "admin"
prefix = 'shell-'
# Random six-letter name for the log file that will be dropped into the web root
# (this is the shell-[a-z]{6}.php pattern listed under Detection & IOCs above);
# the rand= argument is reconstructed from the format string and the imports,
# the original listing being cut off at this statement.
file_name = '{prefix}{rand}.php'.format(
    prefix=prefix,
    rand=''.join(choice(ascii_lowercase) for _ in range(6)))
# The listing is truncated here on this page; the rest of the exploit is in the writeup linked above.
```
Metasploit
SuiteCRM Log File Remote Code Execution
metasploit · linux/http/suitecrm_log_file_rce
This module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a valid user, as this info is logged. The php code in the file can then be executed by sending an HTTP request to the log file. A similar issue was reported by the same researcher where a blank file extension could be supplied and the extension could be provided in the file name. This exploit will work on those versions as well, and those references are included.
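A Python model of the three generations of the log file name check as the advisories and the module description characterise them, added here as an example (it is not SuiteCRM's PHP, whose exact code the page does not show): no check at all (before 7.11.17), a check that rejects only an all-lowercase .php ending on the composed name (the incomplete 7.11.17 fix, bypassed by .PhP), and a hardened form. The hardened check allowlists the extension and restricts the name to a safe character set instead of denylisting PHP, and it resolves the file under a directory outside the web root so that the path cannot escape. The composition of the file name as name + ext, the LOG_DIR location and the allowlist are assumptions.

```python
import os
import re

# Case-insensitive match for extensions a typical PHP handler will execute.
PHP_EXT_RE = re.compile(r"\.ph(?:p\d?|tml)$", re.IGNORECASE)
# Hardened policy: a conservative name alphabet (no dots, no separators) and an extension allowlist.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
ALLOWED_EXTS = {".log", ".txt"}
LOG_DIR = "/var/log/suitecrm"  # assumed: a directory the web server does not serve


def compose(name, ext):
    """The log file name built from the two settings (assumed to be simple concatenation)."""
    return name + ext


def accepts_no_check(name, ext):
    """Before 7.11.17: any name/extension pair is accepted, including 'shell-abcdef.php' + ''."""
    return True


def accepts_lowercase_only(name, ext):
    """The incomplete fix as described: only an all-lowercase '.php' ending is rejected,
    so '.PhP' or '.Php' slips through and the web server still executes the file."""
    return not compose(name, ext).endswith(".php")


def accepts_hardened(name, ext):
    """Allowlist instead of denylist: reject anything that is not a plain name plus a known extension.
    Returns (accepted, reason)."""
    if not SAFE_NAME_RE.match(name):
        return False, "logger_file_name must match [A-Za-z0-9_-]{1,64} (no dots or separators)"
    if ext not in ALLOWED_EXTS:
        return False, f"logger_file_ext must be one of {sorted(ALLOWED_EXTS)}"
    # Belt and braces: with the rules above the composed name cannot carry a PHP extension,
    # but a case-insensitive check costs nothing if the allowlist is ever widened.
    if PHP_EXT_RE.search(compose(name, ext)):
        return False, "composed file name has a PHP extension"
    return True, "ok"


def resolve_log_path(name, ext):
    """Place an accepted file under LOG_DIR and refuse anything that resolves outside it."""
    ok, reason = accepts_hardened(name, ext)
    if not ok:
        raise ValueError(reason)
    path = os.path.realpath(os.path.join(LOG_DIR, compose(name, ext)))
    if os.path.dirname(path) != os.path.realpath(LOG_DIR):
        raise ValueError("log path escapes the log directory")
    return path


# Constructed inputs: the blank-extension bypass, the mixed-case bypass, a double-extension
# name (x.php.log) that an Apache 'AddHandler ... .php' directive would still execute, and a
# legitimate setting.
CASES = [("shell-abcdef.php", ""), ("suitecrm", ".PhP"), ("suitecrm.php", ".log"), ("suitecrm", ".log")]

if __name__ == "__main__":
    for name, ext in CASES:
        print(f"{compose(name, ext)!r:24} no-check={accepts_no_check(name, ext)} "
              f"lowercase-only={accepts_lowercase_only(name, ext)} "
              f"hardened={accepts_hardened(name, ext)[0]}")
```

The point of the name alphabet is that it removes the dot entirely: a denylist of extensions has to anticipate every handler mapping (.php, .phtml, .php7, mixed case, double extensions), whereas a name that cannot contain a dot plus an extension chosen from a fixed set has nothing left for the attacker to vary.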
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/159937/SuiteCRM-7.11.15-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/162975/SuiteCRM-Log-File-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html
- https://github.com/mcorybillington/SuiteCRM-RCE
- https://suitecrm.com/suitecrm-7-11-17-7-10-28-lts-versions-released/