Publish date: January 24 2017
Versions affected: 7.0.e and later
Fixed version: 7.3 SP3
Author: Chris McCurley
Release notes for the version containing appropriate fixes are located at SageCRM’s community site.
Authenticated Arbitrary File Upload via SageCRM Component Manager (CVE-2017-5219)
The Component Manager functionality, provided by SageCRM, permits additional components to be added to the application to enhance application functionality.
This functionality allows any zip file to be uploaded and extracted to the inf directory outside of the webroot, so long as it contains a .ecf component file. As no validation is performed on this .ecf file, an empty file is sufficient. Hence, by creating a zip file containing an empty .ecf file, it is possible to have any other file provided in the zip file extracted onto the target filesystem.
Working out exactly where the files are dropped in the filesystem is helped by the validation errors shown to the user when the zip file's contents or file format are not as expected.
So now it is simple enough to craft a malicious zip file and be confident that the extracted files will land where we want.
In this case, a web shell with the filename ..\WWWRoot\CustomPages\aspshell.asp was included within the zip file that, when extracted, traversed back out of the inf directory and into the SageCRM webroot. This permitted remote interaction with the underlying filesystem at the highest privilege level, SYSTEM. The example zip file below is what was provided to the Component Manager:
Archive:  aspshell.zip
  Length  Name
--------  ----
     914  ..\WWWRoot\CustomPages\aspshell.asp
       0  nope.ecf
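The two checks missing from the upload handler described above are that every archive entry must resolve inside the extraction directory and that the .ecf descriptor must actually contain something. The following is example code added to this advisory, not SageCRM's own implementation: it rebuilds an archive with the same entry names as the listing (placeholder contents, constructed here) alongside a well-formed one (hypothetical names), and audits both. Backslashes are treated as path separators because the target is a Windows host and the advisory's entry uses ..\ rather than ../, which a POSIX-only normalisation would miss.

```python
import io
import posixpath
import zipfile

# Example code added to this advisory; it is not SageCRM's own implementation.
# Sample archives are constructed in memory to mirror the listing above.


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def escapes_extraction_dir(name: str) -> bool:
    """True if a zip entry name would land outside the extraction directory.

    Backslashes are normalised to '/' first so that ..\\ traversal written
    for a Windows target is caught even when this check runs on POSIX.
    """
    norm = posixpath.normpath(name.replace("\\", "/"))
    first = norm.split("/", 1)[0]
    return (
        norm.startswith("/")                        # absolute POSIX path
        or norm == ".." or norm.startswith("../")   # climbs above the target
        or (len(first) == 2 and first[1] == ":")    # Windows drive letter, e.g. C:
    )


def audit_component_zip(data: bytes) -> list:
    """Return the reasons this archive must be rejected; [] means accept.

    Every entry must stay inside the inf directory, and the .ecf descriptor
    must be present and non-empty.
    """
    reasons = []
    saw_ecf = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if escapes_extraction_dir(name):
                reasons.append(f"{name}: escapes the extraction directory")
                continue
            if name.lower().endswith(".ecf"):
                saw_ecf = True
                if info.file_size == 0:
                    reasons.append(f"{name}: empty .ecf descriptor")
    if not saw_ecf:
        reasons.append("no .ecf component descriptor in archive")
    return reasons


# The archive from the advisory listing, with constructed placeholder contents
# (914 filler bytes stand in for the web shell; nothing here executes).
MALICIOUS_ZIP = build_zip({
    "..\\WWWRoot\\CustomPages\\aspshell.asp": b"x" * 914,
    "nope.ecf": b"",
})

# A well-formed component for comparison (hypothetical names and contents).
BENIGN_ZIP = build_zip({
    "component.ecf": b"<component name='example'/>",
    "scripts/example.js": b"// component script",
})

if __name__ == "__main__":
    for label, blob in (("aspshell.zip", MALICIOUS_ZIP), ("benign.zip", BENIGN_ZIP)):
        verdict = audit_component_zip(blob)
        print(label, "REJECT" if verdict else "ACCEPT", verdict)
```

Auditing by entry name is only the first half of a safe extraction; the second is to resolve each destination with the filesystem's real path and confirm it is still under the target directory before writing, which catches cases the string check alone might not.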
By accessing the following URL, interaction with the web shell can be obtained:
Authenticated SQL Injection in SageCRM AP_DocumentUI.asp resource (CVE-2017-5218)
The AP_DocumentUI.asp web resource includes Utilityfuncs.js. This file crafts a SQL statement, prior to an automated web request back to AP_DocumentUI.asp, to identify the database that is to be used with the current user's session. The database variable can be populated from the URL; when supplied with unexpected characters, it can manipulate the SQL query, resulting in SQL injection:
http://host:port/CRM/CustomPages/ACCPAC/AP_DocumentUI.asp?SID=<VALID-SID>&database=1';WAITFOR DELAY '0:0:5'--
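Because the database name is only ever a plain identifier, the fix on the server side is an allow-list check before the value reaches any SQL, and the same check doubles as a detection rule over web server logs. The code below is an example added to this advisory, not SageCRM's code: it parses constructed IIS-style log lines (simplified to date, time, method, cs-uri-stem, cs-uri-query, sc-status) and reports AP_DocumentUI.asp requests whose database parameter fails the allow-list. The permitted character set is an assumption about SageCRM's naming and should be widened if real database names need more.

```python
import re
from urllib.parse import unquote_plus

# Example code added to this advisory, not SageCRM's own code. The log
# lines below are constructed for illustration in a simplified W3C layout:
# date time method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2017-01-24 10:00:01 GET /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp SID=12345&database=CRM 200
2017-01-24 10:00:07 GET /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp SID=12345&database=1%27;WAITFOR+DELAY+%270:0:5%27-- 200
2017-01-24 10:00:09 GET /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp - 200
2017-01-24 10:01:00 GET /CRM/eware.dll/go SID=12345 200
"""

# Allowed shape for a database name. This character set is an assumption
# about SageCRM's naming; widen it if legitimate names need more.
DB_NAME_OK = re.compile(r"^[A-Za-z0-9_]{1,128}$")


def is_valid_database_name(value: str) -> bool:
    """Server-side allow-list check to apply before the name is used in SQL."""
    return bool(DB_NAME_OK.match(value))


def query_params(query: str) -> dict:
    """Decode a cs-uri-query field into {key: [values]}.

    Splits on '&' only, so the ';' inside the payload above stays part of
    the value rather than being treated as a parameter separator.
    """
    params = {}
    if query in ("", "-"):   # IIS writes '-' for an empty query string
        return params
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def find_database_injection(log_text: str) -> list:
    """Return (time, decoded value) for AP_DocumentUI.asp requests whose
    database parameter fails the allow-list."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # header lines, blanks or unexpected layouts
        _date, time, _method, stem, query, _status = fields
        if not stem.lower().endswith("/ap_documentui.asp"):
            continue
        for value in query_params(query).get("database", []):
            if not is_valid_database_name(value):
                hits.append((time, value))
    return hits


if __name__ == "__main__":
    for when, value in find_database_injection(SAMPLE_LOG):
        print(f"{when} suspicious database value: {value!r}")
```

Matching on the decoded value rather than on the raw query string matters: the payload in the advisory URL-encodes the quotes, and a rule that looks for a literal apostrophe in the log would miss it.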