<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Perfex - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/perfex/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 29 Feb 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/perfex/feed.xml" rel="self" type="application/rss+xml"/><item><title>Perfex CRM Unauthenticated Remote Code Execution via Insecure Deserialization</title><link>https://feed.craftedsignal.io/briefs/2024-02-29-perfex-rce/</link><pubDate>Thu, 29 Feb 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-29-perfex-rce/</guid><description>Perfex CRM is vulnerable to unauthenticated remote code execution (RCE) due to an autologin cookie being fed into unserialize().</description><content:encoded><![CDATA[<p>Perfex CRM, a customer relationship management software, is susceptible to an unauthenticated remote code execution vulnerability. This vulnerability stems from the application's handling of autologin cookies. The autologin cookie is directly passed into PHP's <code>unserialize()</code> function without proper sanitization. This allows an attacker to inject arbitrary PHP objects into the application's context, leading to remote code execution. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server. Given the widespread use of CRM software and the ease of exploitation, this vulnerability poses a significant risk to organizations using Perfex CRM.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Perfex CRM instance exposed to the internet.</li>
<li>The attacker crafts a malicious PHP object designed to execute arbitrary code. This object could leverage existing classes within the Perfex CRM codebase, or potentially utilize PHP's built-in functions for code execution.</li>
<li>The malicious PHP object is serialized using PHP's <code>serialize()</code> function.</li>
<li>The serialized object is base64 encoded.</li>
<li>The base64 encoded string is set as the value of the <code>autologin</code> cookie in an HTTP request.</li>
<li>The attacker sends the crafted HTTP request to the Perfex CRM instance, targeting a page that processes the <code>autologin</code> cookie.</li>
<li>The Perfex CRM application receives the request and passes the value of the <code>autologin</code> cookie directly to the <code>unserialize()</code> function.</li>
<li>The <code>unserialize()</code> function reconstructs the malicious PHP object, triggering the execution of the attacker's arbitrary code. This can lead to complete system compromise, including data exfiltration, installation of malware, or defacement of the CRM system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on the server hosting Perfex CRM. This could lead to complete system compromise, including sensitive customer data exfiltration, installation of ransomware, or defacement of the CRM system. Organizations using vulnerable Perfex CRM instances are at high risk of data breaches, financial loss, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Inspect web server logs for requests with unusually long <code>autologin</code> cookie values to identify potential exploitation attempts (reference: web server logs).</li>
<li>Deploy the provided Sigma rule to detect exploitation attempts based on the structure of the <code>autologin</code> cookie (reference: Sigma rule).</li>
<li>Implement input validation on the <code>autologin</code> cookie to prevent the injection of serialized PHP objects (reference: vulnerability details).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>perfex-crm</category><category>rce</category><category>insecure-deserialization</category><category>php</category></item></channel></rss>