Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

SugarCRM PHP Object Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A PHP object injection vulnerability has been identified in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0. The vulnerability arises from improper validation of PHP serialized input in the SugarRestSerialize.php script, where the rest_data parameter is not adequately sanitized before being passed to the unserialize() function. This flaw enables an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, leading to arbitrary code execution within the application's context. Although SugarCRM released a previous fix in advisory sugarcrm-sa-2016-001, it was incomplete and failed to address all vectors of exploitation.
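Because the flaw is unserialize() run on attacker-controlled rest_data, the defensive check a practitioner wants inspects the serialized input without instantiating anything. The Python routine below is an added example, not SugarCRM's code: it walks PHP's serialize() format and returns every class name the input would instantiate, so an "O:" sequence inside a string value is not a false positive and truncated input is rejected rather than guessed at; the sample payloads are constructed.

```python
def _read_until(data: bytes, pos: int, stop: bytes):
    end = data.index(stop, pos)          # ValueError when the delimiter is missing
    return data[pos:end], end + 1


def _expect(data: bytes, pos: int, token: bytes) -> int:
    if data[pos:pos + len(token)] != token:
        raise ValueError("expected %r at offset %d" % (token, pos))
    return pos + len(token)


def _parse(data: bytes, pos: int, classes: list) -> int:
    """Parse one value at pos, collect declared class names, return the next offset."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        return _expect(data, pos, b"N;")
    if tag in (b"b", b"i", b"d", b"r", b"R"):        # b:1; i:42; d:1.5; r:2; R:2;
        return _read_until(data, pos + 2, b";")[1]
    if tag not in (b"s", b"a", b"O", b"C"):
        raise ValueError("unknown type tag %r at offset %d" % (tag, pos))
    length, pos = _read_until(data, pos + 2, b":")  # byte count, element count or name length
    if tag == b"s":                                  # s:<len>:"<bytes>"; delimited by the declared length
        return _expect(data, _expect(data, pos, b'"') + int(length), b'";')
    if tag in (b"O", b"C"):                          # O:<len>:"Class":<count>:{...}
        pos = _expect(data, pos, b'"')
        classes.append(data[pos:pos + int(length)].decode("latin-1"))
        length, pos = _read_until(data, _expect(data, pos + int(length), b'":'), b":")
    pos = _expect(data, pos, b"{")
    if tag == b"C":                                  # Serializable payload: <count> opaque bytes
        pos += int(length)
    else:                                            # a: and O: bodies are key;value pairs
        for _ in range(int(length) * 2):
            pos = _parse(data, pos, classes)
    return _expect(data, pos, b"}")


def php_object_classes(payload: bytes) -> list:
    classes = []                                     # class names in declaration order
    if _parse(payload, 0, classes) != len(payload):
        raise ValueError("trailing bytes after the serialized value")
    return classes


def rest_data_is_safe(rest_data: bytes) -> bool:
    try:                      # malformed or truncated input is rejected, not guessed at
        return not php_object_classes(rest_data)
    except ValueError:        # bad token, missing delimiter or non-numeric length
        return False


# Constructed sample payloads (not captured traffic)
BENIGN_LOGIN = b'a:1:{s:9:"user_auth";a:1:{s:9:"user_name";s:5:"alice";}}'
OBJECT_PAYLOAD = b'a:1:{s:9:"user_auth";O:8:"stdClass":1:{s:3:"foo";i:1;}}'
STRING_LOOKALIKE = b's:19:"O:8:"stdClass":0:{}";'  # a string, not an object declaration
```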

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, executed with the permissions of the web server user.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'service/v4/rest.php' with a crafted 'rest_data' parameter that includes serialized PHP objects. The 'method' parameter must be set to 'login' and 'input_type' to 'Serialize'. The crafted serialized data should be designed to exploit the unserialize() function, injecting objects that can be manipulated to execute arbitrary PHP code.

Remediation

Users are advised to upgrade to SugarCRM versions 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, or 7.7.1.0. On-Site customers should consult the 'Installation and Upgrade Guide' for specific upgrade paths, while SugarCRM On-Demand customers will receive the upgrade automatically.

Added: Jun 20, 2025, 9:47 PM
Updated: Jun 20, 2025, 9:47 PM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact         10.0
exploitability  9.8
remediation     7.7
relevance       0.2
threat          9.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.