Vulnerability Disclosure - SageCRM - SQL Injection, Arbitrary File Upload

CVE-2017-5219, CVE-2017-5218
Publish date: January 24 2017
Vendor: Sage
Product: SageCRM
Versions affected: 7.0.e and later
Fixed version: 7.3 SP3
Author: Chris McCurley

Release notes for the version containing appropriate fixes are located at SageCRM’s community site.

Authenticated Arbitrary File Upload via SageCRM Component Manager (CVE-2017-5219)

The Component Manager functionality, provided by SageCRM, permits additional components to be added to the application to enhance application functionality. This functionality allows any zip file to be uploaded and extracted to the inf directory outside of the webroot, so long as it contains a .ecf component file. As no validation is performed on this .ecf file, an empty file is sufficient. Hence, by creating a zip file containing an empty .ecf file, it is possible to have any other file provided in the zip file extracted onto the target filesystem.

Understanding exactly where the files are dropped in the filesystem is helped by validation errors shown to the user when zip file contents or file format is not expected:

So now it is simple enough to craft a malicious zip file, and be confident that the extracted files will land where we want.

In this case, a web shell with the filename ..\WWWRoot\CustomPages\aspshell.asp was included within the zip file that, when extracted, traversed back out of the inf directory and into the SageCRM webroot. This permitted remote interaction with the underlying filesystem with the highest privilege level, SYSTEM. The below example zip file is what was provided to the ComponentManager:

 Archive:  aspshell.zip
  Length      Name
  --------    ----  
   914        ..\WWWRoot\CustomPages\aspshell.asp
        0     nope.ecf

By accessing the following URL, interaction with the web shell can be obtained: http://host:port/CRM/CustomPages/aspshell.asp

Authenticated SQL Injection in SageCRM AP_DocumentUI.asp resource (CVE-2017-5218)

The AP_DocumentUI.asp web resource includes Utilityfuncs.js. This file crafts a SQL statement, prior to an automated web request back to AP_DocumentUI.asp, to identify the database that is to be used with the current user’s session. The database variable can be populated from the URL; when supplied non-expected characters, it can manipulate the SQL query in order to cause SQL injection:

PoC: http://host:port/CRM/CustomPages/ACCPAC/AP_DocumentUI.asp?SID=<VALID-SID>&database=1';WAITFOR DELAY '0:0:5'--