RE: Advisory 23/2005: vTiger multiple vulnerabilities

From: Bug Traq Lists (bug.traq.mail_at_gmail.com)
Date: 11/25/05

  • Next message: Vincent Danen: "Re: Mandriva Security"
    To: <bugtraq@securityfocus.com>
    Date: Fri, 25 Nov 2005 13:38:46 -0800
    
    

    Hi,

    As to #4, restricting access to vtigercrm*.log is not enough. You must
    restrict access to vtigercrm*.log* or even *.log*, as vTiger rotates its
    logs such as vtigercrm.log.1, etc...

    - Daniel

    >Recommendation:
    >
    > Since there is currently no fixed version available, you should
    protect >your
    > vTiger installation with the following measures:
    > 1. Restrict access to vtigercrm*.log via .htaccess
    > 2. Switch register_globals to Off.
    > 3. Turn magic_quotes_gpc on.
    > 4. Install the Hardening-Patch for PHP to disable %00 URL
    characters.

    -----Original Message-----
    From: Christopher Kunz [mailto:christopher.kunz@hardened-php.net]
    Sent: Thursday, November 24, 2005 3:05 PM
    To: bugtraq@securityfocus.com
    Subject: Advisory 23/2005: vTiger multiple vulnerabilities

    *** PGP Signature Status: good
    *** Signer: Hardened-PHP Signature Key (Invalid)
    *** Signed: 11/24/2005 3:33:29 PM
    *** Verified: 11/25/2005 12:51:49 PM
    *** BEGIN PGP VERIFIED MESSAGE ***

                            Hardened PHP Project
                            www.hardened-php.net

                          -= Security Advisory =-

         Advisory: Multiple vulnerabilities in vTiger CRM
     Release Date: 2005/11/24
    Last Modified: 2005/11/24
           Author: Christopher Kunz <christopher.kunz@hardened-php.net>
      Application: vTiger 4.2 and prior
         Severity: Cross-Site Scripting, SQL injection and information
                        disclosure, password hash disclosure, authentication
    bypass,
                        local file disclosure, remote code execution
             Risk: High / Critical (depending on server configuration)
    Vendor Status: Vendor informed. No fix available.
       References: http://www.hardened-php.net/advisory_232005.105.html

    Overview:

       vtiger [1] is an open source customer relationship management system
    (CRM)
       which is maintained by an indian company with the same name. It has
    been
       forked off the SugarCRM project [2] in an earlier stage, thus a
    number of
       issues reported by GulfTech Security in [3] are also present in
    vtiger. An
       additional layer of insecurity has obviously been introduced by the
    devel-
       opers, enabling malicious users to log in to the CRM without any
    creden-
       tials whatsoever and execute remote code.

    Details:

       1) XSS issues-a-plenty
          As James Bercegay reported, there is an abundance of XSS problems
    all
          over the CRM, with only a few examples being the following:
          - a malicious local user could create a contact, lead, account,
    poten-
            tial or other data set that includes script code in any field.
    Typi-
            cal fields would be first or last name, but nearly every other
    field
            is possible, too. Then, the malicious user could send the link
    to
            that contact to the administrator - and have the script code do
    what-
            ever DOM operation is necessary to elevate privileges.
          - Even easier and without any inside knowledge needed:
     
    /index.php?action=DetailView&module=Leads&record=%3Cscript%3Ealert
            ('document.cookie')%3C/script%3E (as reported by James).
          - Since the variable $_SERVER['PHP_SELF'] is used for most form
    actions,
            and also for creating internal links, the string
    "><script>alert('xss')
            </script> can be used to create a path-info XSS that exploits
    any
            logged-in user. The URI parameters are irrelevant and have been
            ommitted to keep the example clean.
            Example:
            /index.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E/?[params]

       2) Remote XSS in RSS
          vtiger features a comprehensive RSS aggregation module, allowing
    users
          to read all their favorite blogs, news sites or other feeds from
    within
          the CRM. However, no input checking is performed before aggregated
    feeds
          are sent to the client. A malicious blog, news site or other feed
    could
          socially engineer a user into aggregating it and then use script
    code to
          elevate their privileges via DOM.
          We are featuring this as a different attack class since the vector
    does
          not require the CRM user to click on any links - being subscribed
    to an
          seemingly interesting blog is enough to fall victim to this
    attack.

       3) Authentication Bypass
          If the php.ini setting "magic_quotes_gpc" is set to "Off", which
    is the
          setting provided in php.ini-recommended, an attacker can bypass
    the
          authentication process completely, by entering a fabricated user
    name.
          Since the login form is prone to SQL injection (like any other
    form),
          a username like "foo' or '%'='" leads to the following SQL
    statement:
                          SELECT *
                          FROM users
                          WHERE user_name='admin'
                          OR '%'='%'
                          AND user_password='adAZ2jidC3H1M'
          This query returns 1 row with the administrator's credentials.
    This re-
          sult set is used to determine that authentication was successful.
          The attacker is now logged into the CRM system as the
    administrator and
          can perform tasks like uploading the whole CRM instance to a
    remote sys-
          tem, display system information - and of course mess around with
    the
          customer data.

       4) User credential disclosure via SQL Injection
          Again, if magic_quotes_gpc is Off, a logged-in user can manipulate
    many
          form fields into displaying arbitrary values, including user names
    and
          passwords. Again, similar issues were reported by GulfTech - we
    have
          found some more injection vulnerabilities like this one:
     
    /?ticket_title=&contact_name=&priority=&status=&action=index&query=true&
    m
     
    odule=HelpDesk&order_by=&sorder=ASC&viewname=0&button=Search&category=&d
    a
     
    te_crit=is&date=%27+UNION+SELECT+56%2CCONCAT%28user_name%2C+%22%3A%22%2C
    +
     
    user_password%29%2C+%22Open%22%2C%22Normal%22%2C1%2C1%2C1%2C1%2C1%2C1%2C
    1
          %2C1+from+users+where+users.user_name+LIKE+%27
          This discloses all usernames and passwords in the bugtracker
    ticket list.

       5) Unsafe file inclusion
          The "action" and "module" parameters are prone to manipulation,
    allowing
          display of arbitrary files on the server that runs vtiger. A
    similar bug
          was reported for SugarCRM in the advisory described by
    CVE-2004-1227,
          however the problem is far more widespread.
          Since variables from GET, POST, COOKIE and SESSION are passed to
          include() calls mostly without any checking, they can be abused to
    in-
          clude any file on the local file system, by utilizing the %00
    character
          to null-terminate the include call.

       6) Arbitrary code execution
          Although remote file inclusion is not possible - all include()
    statements
          are invariably prepended with relative paths - there is an easy
    way to
          execute arbitrary code. Since vtiger does some extensive logging
    at every
          stage of a user's session, one can just enter PHP code in any
    field, GET
          parameter or wherever, and be sure that the code will be inserted
    into
          a log message. A typical log message with injected PHP code looks
    like
          this:
          Fri Sep 16 15:43:10 2005,627 [4648] DEBUG VT - Message ->query
    being
          executed : select crmentity.crmid, crmentity.smownerid,[truncated]
          where crmentity.deleted=0 AND potentialname like '<?php phpinfo()
    ?>%'
          Every log message is by default saved to the log file
    'vtigercrm.log',
          which by default resides in a directory accessible for the web
    server.
          Using the vulnerability outlined in 5), an attacker can include
    the log
          file into the CRM suite, prompting any included PHP code to be
    executed.

    Proof of Concept:

       Apart from the examples mentioned above, the Hardened PHP Project is
    not
       going to release any PoC for these vulnerabilities to the public.

    Disclosure Timeline:

       16. September 2005 - Vendor informed.
       10. October 2005 - Follow-up to vendor.
       24. November 2005 - public disclosure

    Recommendation:

       Since there is currently no fixed version available, you should
    protect your
       vTiger installation with the following measures:
       1. Restrict access to vtigercrm*.log via .htaccess
       2. Switch register_globals to Off.
       3. Turn magic_quotes_gpc on.
       4. Install the Hardening-Patch for PHP to disable %00 URL characters.

    References:

       [1] http://www.vtiger.com/
       [2] http://www.sugarcrm.org/
       [3] http://www.gulftech.org/?node=research&article_id=00053-120104

    Plug:

       You can discuss this and other vulnerabilities in our forum at
       http://forum.hardened-php.net/ - an up-to-date list of advisories can
    be
       found at http://www.hardened-php.net/.

    GPG-Key:

       http://www.hardened-php.net/hardened-php-signature-key.asc

       pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
       Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

    Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights
    reserved.

    *** END PGP VERIFIED MESSAGE ***


  • Next message: Vincent Danen: "Re: Mandriva Security"