Christopher Kunz
25/11/05, 22:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hardened PHP Project
www.hardened-php.net
-= Security Advisory =-
Advisory: Multiple vulnerabilities in vTiger CRM
Release Date: 2005/11/24
Last Modified: 2005/11/24
Author: Christopher Kunz <christopher.kunz@hardened-php.net>
Application: vTiger 4.2 and prior
Severity: Cross-Site Scripting, SQL injection and information
disclosure, password hash disclosure, authentication bypass,
local file disclosure, remote code execution
Risk: High / Critical (depending on server configuration)
Vendor Status: Vendor informed. No fix available.
References: http://www.hardened-php.net/advisory_232005.105.html
Overview:
vtiger [1] is an open source customer relationship management system (CRM)
which is maintained by an indian company with the same name. It has been
forked off the SugarCRM project [2] in an earlier stage, thus a number of
issues reported by GulfTech Security in [3] are also present in vtiger. An
additional layer of insecurity has obviously been introduced by the devel-
opers, enabling malicious users to log in to the CRM without any creden-
tials whatsoever and execute remote code.
Details:
1) XSS issues-a-plenty
As James Bercegay reported, there is an abundance of XSS problems all
over the CRM, with only a few examples being the following:
- a malicious local user could create a contact, lead, account, poten-
tial or other data set that includes script code in any field. Typi-
cal fields would be first or last name, but nearly every other field
is possible, too. Then, the malicious user could send the link to
that contact to the administrator - and have the script code do what-
ever DOM operation is necessary to elevate privileges.
- Even easier and without any inside knowledge needed:
/index.php?action=DetailView&module=Leads&record=%3Cscript%3Ealert
('document.cookie')%3C/script%3E (as reported by James).
- Since the variable $_SERVER['PHP_SELF'] is used for most form actions,
and also for creating internal links, the string "><script>alert('xss')
</script> can be used to create a path-info XSS that exploits any
logged-in user. The URI parameters are irrelevant and have been
ommitted to keep the example clean.
Example:
/index.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E/?[params]
2) Remote XSS in RSS
vtiger features a comprehensive RSS aggregation module, allowing users
to read all their favorite blogs, news sites or other feeds from within
the CRM. However, no input checking is performed before aggregated feeds
are sent to the client. A malicious blog, news site or other feed could
socially engineer a user into aggregating it and then use script code to
elevate their privileges via DOM.
We are featuring this as a different attack class since the vector does
not require the CRM user to click on any links - being subscribed to an
seemingly interesting blog is enough to fall victim to this attack.
3) Authentication Bypass
If the php.ini setting "magic_quotes_gpc" is set to "Off", which is the
setting provided in php.ini-recommended, an attacker can bypass the
authentication process completely, by entering a fabricated user name.
Since the login form is prone to SQL injection (like any other form),
a username like "foo' or '%'='" leads to the following SQL statement:
SELECT *
FROM users
WHERE user_name='admin'
OR '%'='%'
AND user_password='adAZ2jidC3H1M'
This query returns 1 row with the administrator's credentials. This re-
sult set is used to determine that authentication was successful.
The attacker is now logged into the CRM system as the administrator and
can perform tasks like uploading the whole CRM instance to a remote sys-
tem, display system information - and of course mess around with the
customer data.
4) User credential disclosure via SQL Injection
Again, if magic_quotes_gpc is Off, a logged-in user can manipulate many
form fields into displaying arbitrary values, including user names and
passwords. Again, similar issues were reported by GulfTech - we have
found some more injection vulnerabilities like this one:
/?ticket_title=&contact_name=&priority=&status=&action=index&query=true&m
odule=HelpDesk&order_by=&sorder=ASC&viewname=0&button=Search&category=&da
te_crit=is&date=%27+UNION+SELECT+56%2CCONCAT%28user_name%2C+% 22%3A%22%2C+
user_password%29%2C+%22Open%22%2C%22Normal%22%2C1% 2C1%2C1%2C1%2C1%2C1%2C1
%2C1+from+users+where+users.user_name+LIKE+%27
This discloses all usernames and passwords in the bugtracker ticket list.
5) Unsafe file inclusion
The "action" and "module" parameters are prone to manipulation, allowing
display of arbitrary files on the server that runs vtiger. A similar bug
was reported for SugarCRM in the advisory described by CVE-2004-1227,
however the problem is far more widespread.
Since variables from GET, POST, COOKIE and SESSION are passed to
include() calls mostly without any checking, they can be abused to in-
clude any file on the local file system, by utilizing the %00 character
to null-terminate the include call.
6) Arbitrary code execution
Although remote file inclusion is not possible - all include() statements
are invariably prepended with relative paths - there is an easy way to
execute arbitrary code. Since vtiger does some extensive logging at every
stage of a user's session, one can just enter PHP code in any field, GET
parameter or wherever, and be sure that the code will be inserted into
a log message. A typical log message with injected PHP code looks like
this:
Fri Sep 16 15:43:10 2005,627 [4648] DEBUG VT - Message ->query being
executed : select crmentity.crmid, crmentity.smownerid,[truncated]
where crmentity.deleted=0 AND potentialname like '<?php phpinfo() ?>%'
Every log message is by default saved to the log file 'vtigercrm.log',
which by default resides in a directory accessible for the web server.
Using the vulnerability outlined in 5), an attacker can include the log
file into the CRM suite, prompting any included PHP code to be executed.
Proof of Concept:
Apart from the examples mentioned above, the Hardened PHP Project is not
going to release any PoC for these vulnerabilities to the public.
Disclosure Timeline:
16. September 2005 - Vendor informed.
10. October 2005 - Follow-up to vendor.
24. November 2005 - public disclosure
Recommendation:
Since there is currently no fixed version available, you should protect your
vTiger installation with the following measures:
1. Restrict access to vtigercrm*.log via .htaccess
2. Switch register_globals to Off.
3. Turn magic_quotes_gpc on.
4. Install the Hardening-Patch for PHP to disable %00 URL characters.
References:
[1] http://www.vtiger.com/
[2] http://www.sugarcrm.org/
[3] http://www.gulftech.org/?node=research&article_id=00053-120104
Plug:
You can discuss this and other vulnerabilities in our forum at
http://forum.hardened-php.net/ - an up-to-date list of advisories can be
found at http://www.hardened-php.net/.
GPG-Key:
http://www.hardened-php.net/hardened-php-signature-key.asc
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFDhk3JRDkUzAqGSqERAjkcAJ4wE93dNFosxYC7OFgzKy V00ICMBQCgv8fc
3lx12Z2w3RURqGwuag/Waxk=
=SfEg
-----END PGP SIGNATURE-----
Hash: SHA1
Hardened PHP Project
www.hardened-php.net
-= Security Advisory =-
Advisory: Multiple vulnerabilities in vTiger CRM
Release Date: 2005/11/24
Last Modified: 2005/11/24
Author: Christopher Kunz <christopher.kunz@hardened-php.net>
Application: vTiger 4.2 and prior
Severity: Cross-Site Scripting, SQL injection and information
disclosure, password hash disclosure, authentication bypass,
local file disclosure, remote code execution
Risk: High / Critical (depending on server configuration)
Vendor Status: Vendor informed. No fix available.
References: http://www.hardened-php.net/advisory_232005.105.html
Overview:
vtiger [1] is an open source customer relationship management system (CRM)
which is maintained by an indian company with the same name. It has been
forked off the SugarCRM project [2] in an earlier stage, thus a number of
issues reported by GulfTech Security in [3] are also present in vtiger. An
additional layer of insecurity has obviously been introduced by the devel-
opers, enabling malicious users to log in to the CRM without any creden-
tials whatsoever and execute remote code.
Details:
1) XSS issues-a-plenty
As James Bercegay reported, there is an abundance of XSS problems all
over the CRM, with only a few examples being the following:
- a malicious local user could create a contact, lead, account, poten-
tial or other data set that includes script code in any field. Typi-
cal fields would be first or last name, but nearly every other field
is possible, too. Then, the malicious user could send the link to
that contact to the administrator - and have the script code do what-
ever DOM operation is necessary to elevate privileges.
- Even easier and without any inside knowledge needed:
/index.php?action=DetailView&module=Leads&record=%3Cscript%3Ealert
('document.cookie')%3C/script%3E (as reported by James).
- Since the variable $_SERVER['PHP_SELF'] is used for most form actions,
and also for creating internal links, the string "><script>alert('xss')
</script> can be used to create a path-info XSS that exploits any
logged-in user. The URI parameters are irrelevant and have been
ommitted to keep the example clean.
Example:
/index.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E/?[params]
2) Remote XSS in RSS
vtiger features a comprehensive RSS aggregation module, allowing users
to read all their favorite blogs, news sites or other feeds from within
the CRM. However, no input checking is performed before aggregated feeds
are sent to the client. A malicious blog, news site or other feed could
socially engineer a user into aggregating it and then use script code to
elevate their privileges via DOM.
We are featuring this as a different attack class since the vector does
not require the CRM user to click on any links - being subscribed to an
seemingly interesting blog is enough to fall victim to this attack.
3) Authentication Bypass
If the php.ini setting "magic_quotes_gpc" is set to "Off", which is the
setting provided in php.ini-recommended, an attacker can bypass the
authentication process completely, by entering a fabricated user name.
Since the login form is prone to SQL injection (like any other form),
a username like "foo' or '%'='" leads to the following SQL statement:
SELECT *
FROM users
WHERE user_name='admin'
OR '%'='%'
AND user_password='adAZ2jidC3H1M'
This query returns 1 row with the administrator's credentials. This re-
sult set is used to determine that authentication was successful.
The attacker is now logged into the CRM system as the administrator and
can perform tasks like uploading the whole CRM instance to a remote sys-
tem, display system information - and of course mess around with the
customer data.
4) User credential disclosure via SQL Injection
Again, if magic_quotes_gpc is Off, a logged-in user can manipulate many
form fields into displaying arbitrary values, including user names and
passwords. Again, similar issues were reported by GulfTech - we have
found some more injection vulnerabilities like this one:
/?ticket_title=&contact_name=&priority=&status=&action=index&query=true&m
odule=HelpDesk&order_by=&sorder=ASC&viewname=0&button=Search&category=&da
te_crit=is&date=%27+UNION+SELECT+56%2CCONCAT%28user_name%2C+% 22%3A%22%2C+
user_password%29%2C+%22Open%22%2C%22Normal%22%2C1% 2C1%2C1%2C1%2C1%2C1%2C1
%2C1+from+users+where+users.user_name+LIKE+%27
This discloses all usernames and passwords in the bugtracker ticket list.
5) Unsafe file inclusion
The "action" and "module" parameters are prone to manipulation, allowing
display of arbitrary files on the server that runs vtiger. A similar bug
was reported for SugarCRM in the advisory described by CVE-2004-1227,
however the problem is far more widespread.
Since variables from GET, POST, COOKIE and SESSION are passed to
include() calls mostly without any checking, they can be abused to in-
clude any file on the local file system, by utilizing the %00 character
to null-terminate the include call.
6) Arbitrary code execution
Although remote file inclusion is not possible - all include() statements
are invariably prepended with relative paths - there is an easy way to
execute arbitrary code. Since vtiger does some extensive logging at every
stage of a user's session, one can just enter PHP code in any field, GET
parameter or wherever, and be sure that the code will be inserted into
a log message. A typical log message with injected PHP code looks like
this:
Fri Sep 16 15:43:10 2005,627 [4648] DEBUG VT - Message ->query being
executed : select crmentity.crmid, crmentity.smownerid,[truncated]
where crmentity.deleted=0 AND potentialname like '<?php phpinfo() ?>%'
Every log message is by default saved to the log file 'vtigercrm.log',
which by default resides in a directory accessible for the web server.
Using the vulnerability outlined in 5), an attacker can include the log
file into the CRM suite, prompting any included PHP code to be executed.
Proof of Concept:
Apart from the examples mentioned above, the Hardened PHP Project is not
going to release any PoC for these vulnerabilities to the public.
Disclosure Timeline:
16. September 2005 - Vendor informed.
10. October 2005 - Follow-up to vendor.
24. November 2005 - public disclosure
Recommendation:
Since there is currently no fixed version available, you should protect your
vTiger installation with the following measures:
1. Restrict access to vtigercrm*.log via .htaccess
2. Switch register_globals to Off.
3. Turn magic_quotes_gpc on.
4. Install the Hardening-Patch for PHP to disable %00 URL characters.
References:
[1] http://www.vtiger.com/
[2] http://www.sugarcrm.org/
[3] http://www.gulftech.org/?node=research&article_id=00053-120104
Plug:
You can discuss this and other vulnerabilities in our forum at
http://forum.hardened-php.net/ - an up-to-date list of advisories can be
found at http://www.hardened-php.net/.
GPG-Key:
http://www.hardened-php.net/hardened-php-signature-key.asc
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFDhk3JRDkUzAqGSqERAjkcAJ4wE93dNFosxYC7OFgzKy V00ICMBQCgv8fc
3lx12Z2w3RURqGwuag/Waxk=
=SfEg
-----END PGP SIGNATURE-----