Deep analysis SugarCRM PHP code injection

This article is going to make it easier to understand this vulnerability by looking at incoming data in the code by requesting statements

Http://[host]/[sugar]/index.php?module=connectors&action=runtest&source_id=ext_rest_insideview&ext _rest_insideview_[%27.phpinfo ().%27]=1

The final effect is that the program executes the phpinfo () function.

Process Analysis

Entry function Action_runtest ()

When the POC is accessed, the program enters the Action_runtest () function in the modules/connectors/controller.php.

One of the source_id is the Ext_rest_insideview in the POC, as to why it was introduced, and then the analysis will be discussed.

Sourcefactory::getsource ()

Trace Sourcefactory::getsource () function, enter include/connectors/sources/sourcefactory.php

It was found that the Connectorfactory::load () method was invoked, where the $class was the incoming Ext_rest_insideview

Load ()

Trace the Connectorfactory::load () function into the include/connectors/connectorfactory.php. Discover the load () function and call the LoadClass () function.

In the LoadClass () function, you will try to import a file, and the imported format is .../connectors/{$type}/{$dir}/$file. Where $type is an incoming sources, the $dir is a path that replaces _ in $class (Ext_rest_insideview in this POC) string, so the last $dir value is Ext/rest/insideview. This is also shown in the picture, $file is the last value of the path insideview.php. The final program will try to find the corresponding file, if not found will be an error.

Therefore, the Source_id=ext_rest_insideview in the POC can not be arbitrarily written as any value. If written as Source_id=a_b_c, then the LoadClass () can not be found when the file causes the program can not be executed, then payload useless.

Setsetproperties ()

After the analysis of the LoadClass () is completed, the entry function action_runtest () is finally returned.
The program is executed down into the SetProperties () method.

One of the foreach () assigns the incoming value to the $properties, and the resulting $properties value is shown in the picture on the left, which is
[''] ['. Phpinfo (). '] = ' 1 ';
Trace SetProperties (), enter the Include/connectors/sources/default/source.php,setproperties () code as follows:

Public Function SetProperties ($properties =array ())
{
if (!empty ($this->_config) && isset ($this->_config[' Properties ')) {
$this->_config[' properties '] = $properties;
$this->config_decrypted = true; Don ' t decrypt external configs
}
}

So the last thing you get in config is:

$config [' Properties '] ['] []. Phpinfo (). '] = ' 1 ';
Saveconfig ()

After parsing the setproperties (), return to the entry function action_runtest ().
The program continues to go down and into the Saveconfig ().

The key is to change the key-value pairs in the variable $this_config and call the Override_value_to_string_recursive2 () function into a string.

Override_value_to_string_recursive2 ()

Follow Override_value_to_string_recursive2 () and enter into include/utils/array_utils.php.

function Override_value_to_string_recursive2 ($array _name, $value _name, $value, $save _empty = True) {
if (Is_array ($value)) {
$str = ';
$newArrayName = $array _name. "[' $value _name ']";
foreach ($value as $key => $val) {
$str. = Override_value_to_string_recursive2 ($newArrayName, $key, $val, $save _empty);
}
return $str;
} else {
if (! $save _empty && Empty ($value)) {
Return
}else{
Return "\$ $array _name". "[' $value _name '] =". Var_export ($value, True). "; \ n";
}
}
}

You can see this is a common one. Converts a variable of an array type to a string, and the last $THIS_CONIFG changes to:

<?php
/***connector source***/
$config [' name '] = ' insideview& #169; ';
$config [' order '] = 65;
$config [' Properties '] ['] []. Phpinfo (). '] = ' 1 ';
This assignment to the variable $config_str

POC execution

Back in the Saveconfig () function, the program finally executes

File_put_contents ("custom/modules/connectors/connectors/sources/{$dir}/config.php", $config _str);
Where the $dir is Ext/rest/insideview, then the final program will be custom/modules/connectors/connectors/sources/ext/rest/insideview/ Config.php writes the value of $CONFIG_STR, which in the end triggers the Phpinfo () function, resulting in code execution.
The last code written in config.php is:

<?php
$config = Array (
' Name ' => ' insideview& #169; ',
' Order ' => 65,
' Properties ' => Array (
),
);
It's been analyzed since the leak.

Repair

The fix method is simple, fix in the Override_value_to_string_recursive2 () function

function Override_value_to_string_recursive2 ($array _name, $value _name, $value, $save _empty = True) {
$quoted _vname = Var_export ($value _name, true);
if (Is_array ($value)) {
$str = ';
$newArrayName = $array _name. "[$quoted _vname]";
foreach ($value as $key => $val) {
$str. = Override_value_to_string_recursive2 ($newArrayName, $key, $val, $save _empty);
}
return $str;
} else {
if (! $save _empty && Empty ($value)) {
Return
}else{
Return "\$ $array _name". "[$quoted _vname] =". Var_export ($value, True). "; \ n";
}
}
}

The fix code uses the Var_export () function to represent a string of $value_name variables. After writing this, the final value of getting $config_str is

<?php
/***connector source***/
$config [' name '] = ' insideview& #169; ';
$config [' order '] = 65;
$config [' Properties '] ['] ['] phpinfo (). \ '] = ' 1 ';
The code above can be written to the file normally without triggering the execution of the code.

Summarize

Through the step-by-step debugging method, the vulnerability can be more thorough understanding, through this vulnerability also increased their ability to debug vulnerabilities.