
CVE-2023-22952

Published: 11/01/2023 Updated: 10/03/2023
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

In SugarCRM prior to 12.0 Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates module because of missing input validation.

Vulnerable Products

sugarcrm sugarcrm

Exploits

This Metasploit module exploits CVE-2023-22952, a remote code execution vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2 ...
This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. The vulnerability occurs due to a lack of appropriate validation when up ...

Metasploit Modules

SugarCRM unauthenticated Remote Code Execution (RCE)

This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint /index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration, the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and gaining access to the system. This vulnerability does not require authentication because there is a missing authentication check in the loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get destroyed and hence the attacker can continue to send valid requests to the application. Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain access to the underlying operating system as the user that the web services are running as (typically www-data).

msf > use exploit/multi/http/sugarcrm_webshell_cve_2023_22952
msf exploit(sugarcrm_webshell_cve_2023_22952) > show targets
    ...targets...
msf exploit(sugarcrm_webshell_cve_2023_22952) > set TARGET < target-id >
msf exploit(sugarcrm_webshell_cve_2023_22952) > show options
    ...show and set options...
msf exploit(sugarcrm_webshell_cve_2023_22952) > exploit

Github Repositories

Inject PHP payload into PNG files through PLTE chunks

Inject PHP code into PNG files through PLTE chunks. This repo is created for a blog post written at vsociety about SugarCRM RCE (CVE-2023-22952). The RCE vulnerability is present in SugarCRM versions 11.0 (Enterprise, Professional, Sell, Serve, and Ultimate, pre-11.0.5), as well as SugarCRM versions 12.0 Enterprise, Sell, and Serve (pre-12.0.2). I am not the owner of this code.
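Both the Metasploit module description above and this repository note describe the same artifact: a PNG whose chunks (PLTE in the repository's case) carry PHP code, dropped into /cache/images/. The following is an added defensive example, not code from the page, the Metasploit module or the repository: a PNG chunk walker that verifies each chunk's CRC and flags any chunk containing a PHP open tag, the kind of check a responder can run over a SugarCRM instance's /cache/images/ directory. The two sample images are constructed inline; the `<?php echo 'marker'; ?>` string is a harmless constructed marker, not a payload.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# PHP open tags ("<?php" or the short echo tag "<?="); a legitimate image never contains them.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def iter_png_chunks(data):
    """Yield (chunk_type, chunk_data, crc_ok) for every chunk in a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        # The PNG CRC covers the type field plus the data, not the length field.
        crc_ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        yield ctype.decode("latin-1"), body, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break

def find_php_in_png(data):
    """Return [(chunk_type, offset_in_chunk)] for every PHP open tag found in any chunk."""
    return [(ctype, m.start())
            for ctype, body, _ in iter_png_chunks(data)
            for m in PHP_TAG.finditer(body)]

def build_png(chunks):
    """Assemble a PNG from (type, data) pairs with correct CRCs; used only to build test input."""
    out = bytearray(PNG_SIG)
    for ctype, body in chunks:
        out += struct.pack(">I", len(body)) + ctype + body
        out += struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    return bytes(out)

# Constructed samples: a clean 1x1 palette image, and one whose PLTE chunk carries a PHP tag.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)          # 1x1, 8-bit, colour type 3 (palette)
IDAT = zlib.compress(b"\x00\x00")                              # one filter byte + one palette index
CLEAN_PNG = build_png([(b"IHDR", IHDR), (b"PLTE", b"\x00\x00\x00"), (b"IDAT", IDAT), (b"IEND", b"")])
MARKER_PLTE = b"\x00\x00\x00<?php echo 'marker'; ?>\x00"        # harmless constructed marker, not a payload
TAINTED_PNG = build_png([(b"IHDR", IHDR), (b"PLTE", MARKER_PLTE), (b"IDAT", IDAT), (b"IEND", b"")])

if __name__ == "__main__":
    for name, png in (("clean", CLEAN_PNG), ("tainted", TAINTED_PNG)):
        print(name, find_php_in_png(png))   # clean [] / tainted [('PLTE', 3)]
```

A PLTE chunk whose length is not a multiple of three, or any chunk with a failing CRC, is a second indicator worth reporting alongside the tag hit, since image tooling would not normally write such a file.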