Investigation and Solution | Vtiger Vulnerability (Elastix) | Blackhattrick


As part of the SOC team, we observed an external attacker trying to exploit a Vtiger vulnerability that was disclosed in mid-2012.

Specifically, the attacker was trying to read one file, amportal.conf, which holds all of the system's password information; the same flaw can probably be used to view almost any file on the system.
Here is a brief explanation.
About Vtiger:

I. BACKGROUND

Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support.

II. DESCRIPTION
Multiple vulnerabilities exist in the Vtiger CRM software.

III. ANALYSIS
Summary:
 A) Remote Code Execution (RCE) Vulnerability
 B) Local File Inclusion (LFI) Vulnerability (pre-auth)
 C) Cross Site Scripting (XSS) Vulnerabilities (pre-auth, reflected)
 D) Cross Site Scripting (XSS) Vulnerabilities (post-auth, reflected)

 Request we observed:

https://myipadddress/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf

When this URL is requested, amportal.conf is displayed, including all the passwords it contains.
Clearly sortfieldsjson.php is being abused to read amportal.conf, and it can probably be used to view almost any file on the system.
Disclosure Date : 2012-03-21
Exploit Publish Date : 2012-03-21

Description:
Vtiger CRM contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the sortfieldsjson.php script not properly sanitizing user input, specifically directory traversal sequences (e.g. /../) supplied via the 'module_name' parameter. This directory traversal allows an attacker to read arbitrary files.
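To make the flaw and its defences concrete, here is an added example (my own code, not part of the original post and not Vtiger's or Elastix's code). It does two things a SOC would want: it scans web-server access-log lines for traversal values in the 'module_name' parameter of sortfieldsjson.php (decoding URL encoding first, so encoded variants are caught too), and it shows the allowlist plus base-directory check that a fixed script should apply before building a path from that parameter. The log lines, IP addresses and the modules directory path are constructed for the example.

```python
"""Detection and input validation for the Vtiger sortfieldsjson.php 'module_name'
directory traversal.  Added example: the log lines below are constructed, and the
Vtiger modules directory used in resolve_module_dir() is an assumed path."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2012:10:01:02 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf HTTP/1.1" 200 1822 "-" "curl/7.19"
203.0.113.7 - - [21/Mar/2012:10:01:05 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 912 "-" "curl/7.19"
198.51.100.4 - - [21/Mar/2012:10:02:11 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Leads HTTP/1.1" 200 301 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Mar/2012:10:02:12 +0000] "GET /vtigercrm/index.php?module=Leads&action=index HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment anywhere in the value
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# Legitimate Vtiger module names are plain identifiers (Leads, Accounts, ...)
MODULE_NAME_RE = re.compile(r'[A-Za-z0-9_]+')


def decode_param(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_module_name(name):
    """Allowlist check a fixed sortfieldsjson.php should apply before touching the filesystem."""
    return MODULE_NAME_RE.fullmatch(name) is not None


def resolve_module_dir(base_dir, name):
    """Defence in depth: join, normalise, and confirm the result is still inside base_dir.
    Pure path arithmetic (no filesystem access); returns the path or None if rejected."""
    if not is_safe_module_name(name):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, name))
    if candidate != base and candidate.startswith(base + '/'):
        return candidate
    return None


def analyze_line(line):
    """Return a finding dict for a traversal attempt against sortfieldsjson.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/sortfieldsjson.php'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get('module_name', []):
        value = decode_param(raw).replace('\\', '/')
        if TRAVERSAL_RE.search(value) or value.startswith('/') or '\x00' in value:
            return {
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                # A 200 here means the script answered; on a vulnerable host the file was likely served.
                'status': int(m.group('status')),
                'module_name': value,
                # Which file the traversal resolves to from the filesystem root
                'target_file': posixpath.normpath('/' + value),
            }
    return None


def scan_log(text):
    """Scan a whole log and return all traversal findings in order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    # Assumed modules directory; adjust to the real install location.
    print(resolve_module_dir('/var/www/html/vtigercrm/modules', 'Leads'))
    print(resolve_module_dir('/var/www/html/vtigercrm/modules', '../../etc'))
```

Running it flags the two requests from 203.0.113.7 (resolving to /etc/amportal.conf and /etc/passwd) and ignores the legitimate 'Leads' requests. The allowlist in is_safe_module_name() is the real fix; resolve_module_dir() is a second check so that a later code change which loosens the regex still cannot escape the modules directory.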

Recommendation:
- Check the version of Vtiger in use and update or patch it.
- If you run Elastix (which includes Vtiger even if you don't use it), I strongly recommend that you either:

Limit access to the web interface of your server to only specific IP addresses.
If you don't use Vtiger, disable access to the interface by running.
Upgrading Elastix? Read this FAQ first:
elx.ec/upgfaq

Elastix Docs:
elx.ec/elastixtutorials
www.elastixconnection.com

Elastix Fault Finding Guide:
elx.ec/faultfind


Root Cause Analysis:
After a proper investigation we found that the exploit shown above targets Vtiger on a Linux platform, whereas the server in question runs a Windows-based OS, and we confirmed that Vtiger is not used in our environment. I also personally investigated that particular server.


-Regards,
Blackhattrick blog
(sms GeniusHacker on 9870807070)or
http://labs.google.co.in/smschannels/channel/GeniusHacker
