Threat Feed
high threat

Dolibarr ERP/CRM OS Command Injection (CVE-2023-30253) Exploit Publicly Available

A public exploit is available for an OS Command Injection vulnerability in Dolibarr ERP/CRM versions prior to 17.0.1 (CVE-2023-30253), which allows authenticated users to inject PHP code via the Website/CMS module to obtain a reverse shell as the www-data user.

A public exploit has been published for CVE-2023-30253, an OS Command Injection vulnerability affecting Dolibarr ERP/CRM versions prior to 17.0.1. Discovered by Swascan (now Hacktivesecurity) in May 2023, the vulnerability resides in the Website/CMS module, allowing authenticated users to inject PHP code and execute arbitrary commands. An attacker can leverage this vulnerability to gain a reverse shell as the www-data user. The availability of a working exploit significantly increases the risk to unpatched Dolibarr ERP/CRM instances. The exploit uses specifically crafted HTTP POST requests to create a website, create a page within that website, inject malicious PHP code into the page content, and then trigger the execution of the injected code.

Attack Chain

  1. Attacker authenticates to the Dolibarr ERP/CRM instance, obtaining session cookies and a CSRF token.
  2. Attacker crafts a POST request to /website/index.php?action=createsite to create a new website with parameters such as WEBSITE_REF and WEBSITE_TITLE.
  3. Attacker creates a page within the newly created website by sending a POST request to /website/index.php?website=misitio with parameters WEBSITE_TYPE_CONTAINER and WEBSITE_TITLE.
  4. The attacker injects malicious PHP code into the page content by sending a POST request to /website/index.php?website=misitio&pageid=1&action=editsource, with the PAGE_CONTENT parameter carrying a PHP reverse shell payload.
  5. The attacker triggers the execution of the injected PHP code by accessing the crafted URL: /public/website/index.php?website=misitio&pageref=misitio.
  6. The injected PHP code executes, creating a reverse shell connection back to the attacker’s designated lhost and lport (e.g., 10.10.14.5:4444).
  7. The attacker gains shell access with the privileges of the www-data user.

Impact

Successful exploitation of CVE-2023-30253 allows an attacker to execute arbitrary OS commands on the Dolibarr ERP/CRM server. This can lead to complete system compromise, including data theft, modification, and denial of service. Since ERP/CRM systems often contain sensitive business data, the impact can be significant. While the number of affected organizations is not specified, any Dolibarr ERP/CRM instance running a version prior to 17.0.1 is vulnerable.

Recommendation

  • Apply the patch by upgrading to Dolibarr version 17.0.1 or later to address CVE-2023-30253.
  • Monitor web server logs for POST requests to /website/index.php with suspicious PAGE_CONTENT parameters containing PHP code, as described in the Attack Chain.
  • Monitor network connections for outbound connections from the web server to unusual IPs and ports, which could indicate a reverse shell, using a network monitoring solution.

Detection coverage (2 rules)

Detects CVE-2023-30253 Exploitation — Suspicious PAGE_CONTENT in Dolibarr Website Module
Severity: high
Detects CVE-2023-30253 exploitation attempt by identifying POST requests to the Dolibarr website module with suspicious PHP code in the PAGE_CONTENT parameter.
Rule type: sigma | tactics: execution, initial_access | techniques: T1068, T1190 | sources: webserver

Detects CVE-2023-30253 Exploitation — Dolibarr Website Module Reverse Shell Trigger
Severity: medium
Detects CVE-2023-30253 exploitation — access to the Dolibarr website module public endpoint with a crafted website and pageref parameter, potentially triggering a reverse shell.
Rule type: sigma | tactics: command_and_control | techniques: T1071.001 | sources: webserver
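The two detection descriptions above, replayed in code as an added example (this is not the platform's Sigma rule and not Dolibarr project code). It assumes the web server, or a WAF/reverse proxy in front of Dolibarr, writes JSON lines carrying the method, full URL and, for POSTs, the form body (plain access logs do not record bodies, so the PAGE_CONTENT check needs such a source). All log records, IP addresses, site refs and the PHP snippet are constructed. The block also adds a correlation the feed only implies: a public-page hit is raised from medium to high when the same website ref was previously seen receiving PHP via editsource.

```python
"""Replay the feed's two Dolibarr CVE-2023-30253 detections over constructed
JSON web-server records (added example; assumes bodies are logged)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Dolibarr CMS pages are HTML; a PHP open tag inside PAGE_CONTENT is abnormal.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed sample log: one benign site creation, one benign HTML edit,
# one edit carrying a PHP tag, one ordinary public page view, and one public
# view of the site that received PHP. Addresses are documentation ranges.
SAMPLE_LOG = [
    '{"ts":"2024-01-01T10:00:01Z","src":"203.0.113.7","method":"POST",'
    '"url":"/website/index.php?action=createsite","body":"WEBSITE_REF=demo&WEBSITE_TITLE=Demo"}',
    '{"ts":"2024-01-01T10:00:02Z","src":"198.51.100.9","method":"POST",'
    '"url":"/website/index.php?website=shop&pageid=3&action=editsource",'
    '"body":"PAGE_CONTENT=%3Ch1%3EWelcome%3C%2Fh1%3E"}',
    '{"ts":"2024-01-01T10:00:03Z","src":"203.0.113.7","method":"POST",'
    '"url":"/website/index.php?website=demo&pageid=1&action=editsource",'
    '"body":"PAGE_CONTENT=%3C%3Fphp+echo+1%3B+%3F%3E"}',
    '{"ts":"2024-01-01T10:00:04Z","src":"198.51.100.9","method":"GET",'
    '"url":"/public/website/index.php?website=shop&pageref=home"}',
    '{"ts":"2024-01-01T10:00:05Z","src":"203.0.113.7","method":"GET",'
    '"url":"/public/website/index.php?website=demo&pageref=demo"}',
]


def parse_event(line):
    """Decode one JSON record and split its URL and form body into dicts."""
    ev = json.loads(line)
    parts = urlsplit(ev["url"])
    ev["path"] = parts.path
    ev["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    ev["form"] = {k: v[0] for k, v in parse_qs(ev.get("body", "")).items()}
    return ev


def rule_page_content(ev):
    """High: POST to the admin website module's editsource action with PHP in PAGE_CONTENT."""
    if ev["method"] != "POST" or "/public/" in ev["path"]:
        return None
    if not ev["path"].endswith("/website/index.php") or ev["query"].get("action") != "editsource":
        return None
    if PHP_TAG.search(ev["form"].get("PAGE_CONTENT", "")):
        return {"rule": "php_in_page_content", "severity": "high",
                "site": ev["query"].get("website"), "src": ev["src"]}
    return None


def rule_public_trigger(ev, tainted_sites):
    """Medium: GET to the public endpoint with website and pageref; high if the site was tainted."""
    if ev["method"] != "GET" or not ev["path"].endswith("/public/website/index.php"):
        return None
    site, pageref = ev["query"].get("website"), ev["query"].get("pageref")
    if not (site and pageref):
        return None
    severity = "high" if site in tainted_sites else "medium"
    return {"rule": "public_page_trigger", "severity": severity, "site": site, "src": ev["src"]}


def scan(lines):
    """Run both rules in log order, remembering which sites received PHP."""
    alerts, tainted = [], set()
    for line in lines:
        ev = parse_event(line)
        alert = rule_page_content(ev)
        if alert:
            alerts.append(alert)
            tainted.add(alert["site"])
            continue
        alert = rule_public_trigger(ev, tainted)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On an instance that actually publishes a Dolibarr website, the medium rule alone fires on every ordinary visitor, which is why the correlation with a preceding editsource hit matters; the benign HTML edit and the benign public view in the sample produce at most a medium, while the site that received a PHP tag produces one high on the edit and a second high on the public trigger.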


Indicators of compromise (2)

Type  Value
url   https://sploitus.com/exploit?id=69442CC3-B601-573D-824A-CC019C504C9E&utm_source=rss&utm_medium=rss
url   http://crm.board.htb/public/website/index.php?website=s3a1f2bc&pageref=s3a1f2bc