[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] vTiger CRM 5.2.x <= Remote Code Execution Vulnerability

To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, secalert@xxxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, vuln <vuln@xxxxxxxxxxx>, vuln@xxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, moderators@xxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] vTiger CRM 5.2.x <= Remote Code Execution Vulnerability
From: YGN Ethical Hacker Group <lists@xxxxxxxx>
Date: Wed, 5 Oct 2011 18:02:30 +0800

vTiger CRM 5.2.x <= Remote Code Execution Vulnerability


1. OVERVIEW

The vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code
Execution. No fixed version has been released as of 2011-10-05.


2. BACKGROUND

vtiger CRM is a free, full-featured, 100% Open Source CRM software
ideal for small and medium businesses, with low-cost product support
available to production users that need reliable support. vtiger CRM
is a widely used product with thousands of users in dozens of
countries.  It has a vibrant community of users driving the product
forward, and contributing to it's development.  Over 2 million copies
of vtiger CRM have been downloaded so far. It was launched as a fork
of version 1.0 of the SugarCRM project launched on December 31st,
2004.


3. VULNERABILITY DESCRIPTION

vTiger uses the vulnerable version of phpmailer class file located at
/cron/class.phpmailer.php .


4. VERSIONS AFFECTED

Tested on 5.2.1


5. PROOF-OF-CONCEPT/EXPLOIT

File: /cron/class.phpmailer.php
[code]

391:    function SendmailSend($header, $body) {
392:    if ($this->Sender != "")
393:       $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail,
$this->Sender);
394:    else
395:       $sendmail = sprintf("%s -oi -t", $this->Sendmail);
                        
[/code]


6. SOLUTION

The vendor hasn't attempted to incorporate the latest version of
phpMailer class in their vTigerCRM as of version 5.2.1.

The flawed code portion can be patched with:

393: $sendmail = sprintf("%s -oi -f %s -t",
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
395: $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));


7. VENDOR

vTiger Development Team
http://www.vtiger.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-08: notified vendor
2011-10-05: no fixed version released yet
2011-10-05: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215

#yehg [2011-10-05]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] vTiger CRM 5.2.x <= Remote Code Execution Vulnerability
  - From: Benji

Prev by Date: Re: [Full-disclosure] New open source Security Framework
Next by Date: [Full-disclosure] vTiger CRM 5.2.x <= Blind SQL Injection Vulnerability
Previous by thread: [Full-disclosure] VMSA-2011-0011 VMware hosted products address remote code execution vulnerability
Next by thread: Re: [Full-disclosure] vTiger CRM 5.2.x <= Remote Code Execution Vulnerability
Index(es):
- Date
- Thread