Share
## https://sploitus.com/exploit?id=1337DAY-ID-36713
Product:                                              Artica Proxy VMWare Appliance
Vendor/Manufacturer:                 ArticaTech (https://www.articatech.com)
Affected Version(s):                       4.30.000000 <=[SP273]
Tested Version(s):                          4.30.000000 [SP273]
Vulnerability Type:                         Relative path traversal [CWE-23], Improper Limitation of a Pathname to a restricted Directory [CWE-22], [CWE 35], [CWE 36], [CAPEC-126]
CVSS v3.1 Risk Level:                     High
CVSS v3.1 Risk Score:                     8.1
CVSS v3.1 Vector:                           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v3.0 Risk Level:                     High
CVSS v3.0 Risk Score:                     8.1
CVSS v3.0 Vector:                           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v2.0 Risk Level:                     High
CVSS v2.0 Base Score:                   7.8
CVSS v2.0 Temporal Score:          6.1
CVSS v2.0 Vector:                            CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS v2.0 Temporal Vector:       CVSS2#E:POC/RL:OF/RC:C
Solution Status:                                Fixed in Version 4.30.000000 [SP273]
Manufacturer Notification:         5th July 2021
Solution Date:                                  9th August 2021
Public Disclosure:                            26.08.2021
CVE Reference:
Author of Advisory:                        Heiko Feldhusen, Rheinmetall Cyber Solutions GmbH

####----####----####----####----####----####----####----####----####----####----

Vendor-Description:

Artica Tech is a new French Software Publisher, an independant company, established in 2012.
It is based near Paris in France.
Artica project began in 2004 and stemmed from ideas about how to improve the Open Source security
solutions available at the time, which were difficult and often expensive to implement and maintain
Artica claim to provide a user-friendly Web interface.
Today, with around 100.000 servers installed worldwide, Artica solutions are as relevant
to small and medium-sized entreprises as they are to the largest of firms.

Source:
https://www.articatech.com/about-artica.php


####----####----####----####----####----####----####----####----####----####----

Product-Description:

Artica V4 is an appliance based on Debian 10 Operating system.
Your can install it on the Hardware or Virtual Machine of your choice and get a Web Gateway
appliance within minutes.

Artica embeds technologies such as

    Antivirus,
    URL Filtering,
    Web HTTP Proxy,
    Web Caching,
    Web Secure Proxy,
    SSH Gateway/Proxy,
    RDP Reverse Proxy,
    Firewall,
    SSL Inspection,
    Kerberos Authentication,
    Access Logging,
    Bandwidth Shaping,
    HTTP Compression,
    WAF (Web Application Firewall),
    Web traffic Load Balancing.

Artica-Proxy claim to offer a full HTTP/HTTPS/FTP/SSH/RDP/VNC proxy infrastructure.

Source:
http://articatech.net/about-proxy.php

####----####----####----####----####----####----####----####----####----####----

Vulnerability Details:

The software uses external input to construct a pathname that should be within a restricted directory,
but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.


This vulnerability allows to use the Web-filtering page to read any file on the system.


This vulnerability exists in the used cgi function, which is a build in part of the proxy.
This board has a security flaw in the CGI main.cgi that lets an attacker read arbitrary files with the privileges of the http daemon (usually root or nobody).
We were able to read the passwd, so we assume the http deamon runs with root-priviledges.


Source:
https://cwe.mitre.org/data/definitions/23.html

####----####----####----####----####----####----####----####----####----####----

Proof of Concept (PoC):
http://yourproxynamehere/cgi-bin/main.cgi? filename=/../../../../../../../../etc/passwd


####----####----####----####----####----####----####----####----####----####----

Solution:
Fix provided from Artica Tech.
Update to Version 4.30.000000 [SP273]
####----####----####----####----####----####----####----####----####----####----

Disclosure Timeline:

2021-06-28: Vulnerability discovered
2021-07-05: Vulnerability reported to manufacturer
2021-07-07: Patch released by manufacturer
2021-08-26: Public disclosure of vulnerability

#  0day.today [2021-09-17]  #