Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

 


Enjay CRM is a collection which contains the CRM software along with Linux Ubuntu, however normal user don't have access to the underlying OS. Once the OS boots its runs the Enjay CRM software which has multiple read-only options. 

However some of these options opens a terminal to perform a specific activity, This terminal is unrestricted and user can access the underlying OS as a ROOT and can run any command on OS.

Underlying OS can be accessed using two methods; Also CVEs are assigned to these findings.

1. Using Ping menu (CVE-2024-41308): it will open a terminal and user can click on File menu -> New Tab/New window. And root level terminal will be open.

2. Using Hardware info (CVE-2024-41309): Once the Hardware info page opens click on Help menu and either select "Open HardInfo Website" or "Report bug", it will open an unrestricted terminal where user can click on File menu -> New Tab/New window. And root level terminal will be open.

Both the vulnerabilities are closed in latest version of CRM OS 1.1 and latest.

Enjay CRM interface:


------------------------------------------Method # 1----------------------------------------------------
Technical Details:

1. Terminal Access with Ping menu:

The software's feature to ping a host inadvertently allows users to escape the restricted terminal environment, granting unauthorized access to the underlying operating system or full terminal access.

Click on Ping Button input any IP and number of pings.


Once user click on Ping button it will open a terminal which can be escaped and New terminal can be open as a root permission as shown below.


And it will open another terminal as shown below.



------------------------------------------Method # 2----------------------------------------------------

Technical Details:

2. Terminal Access with Hardware info menu:

The Software allow readonly access to check the OS/Hardware and other information using Hardinfo software, However there an option of "reporting bug" or "opening Hardinfo website". Since there is no browser installed in the OS these option by default opens the terminal using it we can access the restricted terminal.


Click on Hardware info it will popup the info software. Click on Hardinfo website or Report bug.

It will open the Terminal, in this terminal user can click on File menu -> New Tab/New window. And root level terminal will be open.


Root terminal is opened.


Thanks

Comments

Popular posts from this blog

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

NetSkope Unauthenticated CSV Injection in Admin UI (CVE-2020-28845)