CVE-2021-42840
Published 2021-10-22
Priority: P2 (73, high). CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploit available. EPSS: 58.95% (99.0th percentile).
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| salesagility | suitecrm | < 7.11.19 | 7.11.19 |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to index.php with module=Users, action=Save, where the last_name field contains PHP tags (<?php ... ?>) — this is the log-poisoning step that injects PHP code via the user profile.
- Alert on GET/POST requests to any file under the SuiteCRM web root matching a mixed-case .pHp (or similar) extension — this is the execution step where the poisoned log file is triggered as PHP.
- Look for the full exploit sequence: (1) admin login, (2) POST to Configurator SaveConfig with mixed-case logger_file_ext, (3) POST to Users Save with PHP payload in last_name, (4) GET request to the newly created mixed-case .pHp log file.
- The exploit leaves artifacts on disk (the mixed-case .pHp log file under the web root) and IOCs in logs (PHP code injected via last_name field). Check for unexpected .pHp/.Php files in the SuiteCRM web root.
- Exploit requires authenticated admin credentials — it is not unauthenticated RCE. Admin account takeover is a prerequisite.
- This is an incomplete fix bypass of CVE-2020-28328; the original fix only blocked all-lowercase PHP extensions. Mixed-case variants (e.g. .pHp) were not blocked until 7.11.19.
- The Metasploit module also covers older CVE-2020-28328 versions where a blank file extension could be supplied and the extension provided in the file name.
- The RESTORECONF option (default: true) will attempt to restore logger_file_name to 'suitecrm' and logger_file_ext to '.log' after exploitation, potentially hiding forensic evidence of the config change.
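The detection bullets above describe three distinguishable request stages (config change, log poisoning, execution of the mixed-case file) that only become an alert-worthy finding when they are correlated per source. The following is an added example, not code from the CVE record, SuiteCRM, or the Metasploit project: a small Python detector that classifies request records and reports sources that complete the chain in order. It assumes request records come from a reverse proxy or WAF that logs form bodies (plain access logs do not carry POST parameters); the parameter names module, action, last_name, logger_file_name and logger_file_ext and the Configurator/SaveConfig and Users/Save targets come from the page, while the user_name field, the PHP extension list and all sample traffic are constructed assumptions. It also covers the blank-extension variant (extension carried in logger_file_name) that the page attributes to CVE-2020-28328.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Extensions a PHP-enabled web server commonly executes (assumed list; tune to the deployment).
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# PHP open tags, matched case-insensitively: "<?php" or the short echo tag "<?=".
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# The order in which the stages must appear for a source to be reported as a chain.
STAGES = ("config_change", "log_poisoning", "execution")


@dataclass
class Request:
    """One HTTP request as a proxy/WAF with body logging would record it (constructed shape)."""
    src_ip: str
    method: str
    url: str          # path plus optional query string
    body: str = ""    # application/x-www-form-urlencoded body, if any

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    def params(self) -> dict:
        """Merge query-string and form-body parameters (the last occurrence wins)."""
        merged = {}
        for raw in (urlsplit(self.url).query, self.body):
            for key, values in parse_qs(raw, keep_blank_values=True).items():
                merged[key] = values[-1]
        return merged


def file_ext(path: str) -> str:
    """Extension of the last path component, spelling preserved ('' if none)."""
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1] if "." in base else ""


def is_php_ext(ext: str) -> bool:
    """True if a (possibly dot-prefixed) extension is one PHP would execute, in any letter case."""
    ext = ext.lstrip(".")
    return bool(ext) and ext.lower() in PHP_EXTS


def is_mixed_case_php(path: str) -> bool:
    """True for .pHp / .PHTML style names: a PHP extension whose spelling is not all-lowercase.
    All-lowercase .php requests are normal application traffic and are deliberately excluded."""
    ext = file_ext(path)
    return is_php_ext(ext) and ext != ext.lower()


def classify(req: Request):
    """Map one request to an attack stage name, or None for ordinary traffic."""
    p = req.params()
    if req.method == "POST" and req.path.endswith("/index.php"):
        if p.get("module") == "Configurator" and p.get("action") == "SaveConfig":
            # Mixed-case extension (CVE-2021-42840) or blank extension with the
            # extension smuggled in the file name (CVE-2020-28328).
            if is_php_ext(p.get("logger_file_ext", "")) or is_php_ext(file_ext(p.get("logger_file_name", ""))):
                return "config_change"
        if p.get("module") == "Users" and p.get("action") == "Save":
            # last_name is the field named on the page; user_name is an assumed addition.
            if any(PHP_TAG_RE.search(p.get(field, "")) for field in ("last_name", "user_name")):
                return "log_poisoning"
    if is_mixed_case_php(req.path):
        return "execution"
    return None


def findings(requests):
    """Every stage hit, as (src_ip, stage, path) tuples, for forwarding to a SIEM."""
    return [(r.src_ip, stage, r.path) for r in requests if (stage := classify(r))]


def attack_chains(requests):
    """Source IPs that show config_change, then log_poisoning, then execution, in that order."""
    progress, chains = {}, set()
    for req in requests:
        stage = classify(req)
        if stage is None:
            continue
        done = progress.get(req.src_ip, 0)
        if done < len(STAGES) and stage == STAGES[done]:
            progress[req.src_ip] = done + 1
            if done + 1 == len(STAGES):
                chains.add(req.src_ip)
    return chains


SAMPLE = [  # constructed traffic, not captured from any real host
    Request("203.0.113.5", "GET", "/index.php?module=Home&action=index"),
    Request("203.0.113.5", "POST", "/index.php",
            urlencode({"module": "Configurator", "action": "SaveConfig",
                       "logger_file_name": "suitecrm", "logger_file_ext": ".pHp"})),
    Request("203.0.113.5", "POST", "/index.php",
            urlencode({"module": "Users", "action": "Save", "record": "1",
                       "last_name": "<?php echo 'test'; ?>"})),
    Request("203.0.113.5", "GET", "/suitecrm.pHp"),
    Request("198.51.100.7", "POST", "/index.php",
            urlencode({"module": "Users", "action": "Save", "last_name": "O'Brien"})),
]

if __name__ == "__main__":
    for hit in findings(SAMPLE):
        print("stage hit:", hit)
    print("completed chains:", attack_chains(SAMPLE))
```

Stage hits are worth alerting on individually (a config change to a PHP extension is never legitimate), while the ordered per-source correlation in attack_chains is what separates a completed compromise from noise; with RESTORECONF enabled the config change is reverted afterwards, so the request log, not the current config, is the evidence to keep.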
CVSS provenance
- NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
No detection rules found.
Exploit-DB
SuiteCRM 7.11.18 - Remote Code Execution (RCE) (Authenticated) (Metasploit) (exploitdb, 2021-11-17, CVE-2021-42840)
---
Module header as excerpted on the page (the excerpt ends mid-sentence; the full description is given under Metasploit below):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule  # superclass and initialize boilerplate lost in extraction
  'Name' => 'SuiteCRM Log File Remote Code Execution',
  'Description' => %q{
    This module exploits an input validation error on the log file extension parameter. It does
    not properly validate upper/lower case characters. Once this occurs, the application log file
    will be treated as a php file. The log file can then be populated with php code by changing the
    username of a valid user, as this info is logged. The php code in the file can then be executed
    by sending an HTTP request to the log file. A similar issue was reported by the same researcher
    where a blank file
```
Metasploit
SuiteCRM Log File Remote Code Execution
This module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a valid user, as this info is logged. The php code in the file can then be executed by sending an HTTP request to the log file. A similar issue was reported by the same researcher where a blank file extension could be supplied and the extension could be provided in the file name. This exploit will work on those versions as well, and those references are included.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html
- https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19
- https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/http/suitecrm_log_file_rce.rb
- https://suitecrm.com/time-to-upgrade-suitecrm-7-11-19-7-10-30-lts-released/
- https://theyhack.me/SuiteCRM-RCE-2/