SuiteCRM Log File RCE

First time Metasploit Framework contributor mcorybillington has added a new module for SuiteCRM versions 7.11.18 and below. This module takes advantage of the input validation being case sensitive, allowing for an authenticated user to rename the SuiteCRM log file to have an extension of .pHp. Once changed, the log file can be poisoned with arbitrary php code and executed by sending an HTTP request to the log file. One additional note is that the php code is sanitized, limiting the executable php code.

Cacti Color Filter Authenticated SQL Injection to RCE

Metasploit contributor h00die has added a new module which exploits a SQL injection vulnerability in Cacti 1.2.12 and before. This exploit allows an admin to inject a query into the filter parameter within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is then changed within the settings table to a payload, and an update is called to execute the payload.

New module content (2)

  • SuiteCRM Log File Remote Code Execution by M. Cory Billington, which exploits CVE-2020-28328 - This adds an exploit that targets SuiteCRM versions 7.11.18 and below. An authenticated user can rename the SuiteCRM log file to have an extension of .pHp. The log file can then be poisoned with arbitrary php code by modifying user account information, such as the user's last name. Authenticated code execution is then achieved by requesting the log file.
  • Cacti color filter authenticated SQLi to RCE by Leonardo Paiva, Mayfly277, and h00die, which exploits CVE-2020-14295 - This adds a module that exploits an authenticated SQL injection vulnerability in Cacti versions 1.2.12 and below. The module optionally saves Cacti creds and uses stacked queries to change the path_php_binary value to execute a payload and get code execution on the server.

Enhancements and features

  • #15251 from pingport80 - This adds support for obtaining a stat object from the Post API via shell sessions when the stat command is available.
  • #15260 from pingport80 - This adds a #pidof method that works with either Meterpreter or shell sessions and updates the #get_processes method to failover to command execution if it fails for some reason.
  • #15263 from adfoster-r7 - Adds a -p flag to the analyze command, allowing users to specify a payload that should be considered for use with any suggested exploit modules. Output will inform the user if the specified payload can be used with suggested payloads.

Bugs fixed

  • #15194 from agalway-r7 - Fixes a bug where msfconsole would crash when connected to a remote dataservice and tab completing possible RPORT values
  • #15289 from zeroSteiner - Corrects a command mapping for meterpreter API requirements in the Msf::Post::Windows::MSSQL mixin.
  • #15291 from gwillcox-r7 - Fixes a crash within the FortiOS SSL VPN Credential Leak module when run against a target which is not running FortiOS.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).