Summary
SuiteCRM relies on a blacklist of functions/methods to prevent installation of malicious MLPs, but these checks can be bypassed with some syntax constructions.
Details
SuiteCRM uses token_get_all to parse PHP scripts and checks the resulting AST against blacklists, but it doesn't take all scenarios into account.
Impact
RCE vulnerabilities can have severe impacts on a system or application, including:
- Penetration — attackers can use RCE vulnerabilities as their first entry into a network or environment.
- Privilege escalation — in many cases, servers have internal vulnerabilities which can only be seen by those with inside access. RCE allows an attacker to discover and exploit these vulnerabilities, escalating privileges and gaining access to connected systems.
- Sensitive data exposure — RCE can be used to exfiltrate data from vulnerable systems by installing data-stealing malware or directly executing commands. This can range from simple copying of unencrypted data to memory-scraping malware that looks for credentials in system memory.
- Denial of Service (DoS) — an RCE vulnerability allows attackers to execute code on a system. This code can be used to exhaust system resources and crash the system, or to leverage the system’s resources to conduct DoS against third parties.
- Cryptomining — a common next step after exploiting RCE is to run cryptomining or cryptojacking malware that uses the computing resources of an infected device to mine cryptocurrencies, to the financial benefit of the attacker.
- Ransomware — possibly the most dangerous consequence of RCE is that attackers can deploy ransomware on the affected application or server, and spread ransomware through the network, denying users access to their files until they pay a ransom.