- 🔍 SonicWall Capture Labs identified a deserialization vulnerability in Artica Proxy, affecting versions 4.50 and earlier, with an expected score of 9.8 (CVE-2024-2054).
- 🌐 The vulnerability allows unauthenticated users to execute code under the “www-data” user account via the administrative web interface.
- 🚫 No patch is available yet, but SonicWall customers are protected through IPS signature 19786.
- 👾 Exploitation involves crafting a base64-encoded payload and leveraging PHP modules, such as the “Net_DNS2_Cache_File” destructor, to execute arbitrary code.
- 🛡️ Mitigation involves removing or relocating the vulnerable directory to reduce risk.
Overview
SonicWall Capture Labs threat research team became aware of a deserialization vulnerability with the Artica Proxy appliance, assessed its impact and developed mitigation measures. Artica Proxy is a comprehensive proxy solution performing tasks such as web filtering and categorization, SSL inspection, and bandwidth management. The vendor reports having over 100K servers installed around the world.
Identified as CVE-2024-2054, the flaw lets the administrative web interface deserialize arbitrary PHP objects supplied by unauthenticated users, allowing code to be executed under the “www-data” user account; it carries an expected score of 9.8. This affects version 4.50 and all previous versions. While there are no reports of active exploitation currently, a publicly available PoC is provided by the Korelogic research team, and the vendor has not issued a patch yet. As a result, organizations are strongly encouraged to follow the steps in the mitigation section below. SonicWall customers are already protected through IPS signature 19786, released on March 18th.
Technical Overview
While unauthenticated, a user can make an HTTP POST request to the “/wizard/wiz.wizard.progress.php” endpoint. This endpoint may receive the “build-js” query parameter as seen in Figure 1.
Figure 1: wiz.wizard.progress.php lines 10-16
While processing the “build-js” user input, the script base64-decodes the value and then passes the decoded data to PHP’s “unserialize” function, as seen in Figure 2.
Figure 2: wiz.wizard.progress.php build-js function
This is the root cause of the vulnerability: an unauthenticated attacker controls the base64-encoded input, and that input is deserialized directly, with no authentication check and no restriction on which classes may be instantiated.
Triggering the Vulnerability
To trigger this vulnerability, an attacker must send an HTTP POST request to the Artica Proxy instance with the crafted “build-js” parameter set to a base64-encoded payload. Using the public PoC code as an example, this could be accomplished using the Linux “curl” command, as shown in Figure 3.
Figure 3: Triggering the vulnerability using curl
Exploitation
While triggering the vulnerable code path is simple, exploitation is slightly trickier. As with most deserialization attacks, what can be executed is limited to the classes available in the modules installed on the system – in this case, PHP modules. An attacker must find a meaningful use for these classes to achieve the desired execution when the serialized objects are deserialized. When searching the installed PHP modules for a suitable object, the “Net_DNS2_Cache_File” destructor within the “Net_DNS2” library stands out, as shown in Figure 4.
Figure 4: Net_DNS2_Cache_File destructor file write
When a “Net_DNS2_Cache_File” object is destroyed, it may write a file to disk. An attacker can therefore have such an object created and then destroyed in order to write a file to the system. As PHP web shells are a common tool used by attackers, a web shell is a likely choice for exploitation.
It is worth noting that the possibility of this destructor being leveraged by the attackers was reported in 2016 to the Net_DNS2 project on GitHub, tracked as issue 50.
Figure 5: GitHub Issue reporting vulnerable code
The Net_DNS2 project mitigated the issue several months later in 2016; however, Artica Proxy uses an outdated version of the library, as can be seen in the DNS2.inc file located on the filesystem.
Figure 6: Net_DNS2 class version on Artica Proxy
To illustrate exploitation, Figure 7 shows a clip in which an unauthenticated user overwrites the existing “wiz.upload.php” file. The clip first displays the original “wiz.upload.php” file and then shows the file overwritten by a simple web shell after exploitation. This is achieved by using a “Net_DNS2_Cache_File” object to carry the web shell, allowing the execution of harmful PHP code under the “www-data” user account. The payload executes the “whoami” command, confirming the user.
Figure 7: Successful exploitation
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
- IPS: 19786 Artica Proxy PHP Deserialization
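The request shape described under “Triggering the Vulnerability” (a POST to “/wizard/wiz.wizard.progress.php” carrying a base64-encoded “build-js” value that unserialize() will consume) is easy to recognise at the HTTP layer. The following is an added example written for this article; it is not SonicWall’s IPS signature logic and not Artica code. It scans request records of the form (method, URI, body), decodes “build-js” the way PHP’s default non-strict base64_decode() does, and reports any PHP serialized-object headers (`O:<len>:"<Class>":…`) the payload would instantiate. The sample traffic is constructed, the `Example_Object` class is made up, and only the `Net_DNS2_Cache_File` name comes from the article.

```python
"""Request-level detection for the Artica Proxy deserialization sink (CVE-2024-2054).

Added example, not SonicWall signature logic and not Artica code. Flags POST
requests to the vulnerable endpoint whose "build-js" parameter base64-decodes
to a PHP serialized object and reports the classes that payload would create.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

VULNERABLE_PATH = "/wizard/wiz.wizard.progress.php"
SINK_PARAM = "build-js"
# Gadget class the article names as shipped with Artica; extend from your own inventory.
KNOWN_GADGET_CLASSES = {"Net_DNS2_Cache_File"}

# PHP serialized-object header: O:<name length>:"<ClassName>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')
NON_B64 = re.compile(rb"[^A-Za-z0-9+/]")


def lenient_b64decode(value: str) -> Optional[bytes]:
    """Mimic PHP's default (non-strict) base64_decode: foreign characters are
    discarded and missing padding is tolerated, so the detector sees what PHP sees."""
    cleaned = NON_B64.sub(b"", value.encode("latin-1", "replace"))
    cleaned += b"=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned)
    except (binascii.Error, ValueError):
        return None


def php_object_classes(blob: bytes) -> list:
    """Return the class name of every object header in a PHP serialized blob,
    skipping headers whose declared name length is wrong (PHP rejects those)."""
    text = blob.decode("latin-1")
    return [name for length, name, _ in PHP_OBJECT_RE.findall(text)
            if int(length) == len(name)]


def inspect_request(method: str, uri: str, body: str = "") -> Optional[dict]:
    """Return a finding for one request, or None if it does not reach the sink.
    The parameter is read from the query string and, for POST, the body,
    since PHP exposes both to the script."""
    parts = urlsplit(uri)
    if parts.path != VULNERABLE_PATH:
        return None
    values = list(parse_qs(parts.query).get(SINK_PARAM, []))
    if method.upper() == "POST":
        values += parse_qs(body).get(SINK_PARAM, [])
    for raw in values:
        decoded = lenient_b64decode(raw)
        if not decoded:
            continue
        classes = php_object_classes(decoded)
        if classes:
            severity = "high" if KNOWN_GADGET_CLASSES & set(classes) else "medium"
            return {"path": parts.path, "param": SINK_PARAM,
                    "classes": classes, "severity": severity}
    return None


def scan_requests(records: list) -> list:
    """Run inspect_request over (method, uri, body) records and keep the findings."""
    findings = []
    for method, uri, body in records:
        finding = inspect_request(method, uri, body)
        if finding:
            findings.append(finding)
    return findings


def encode_build_js(blob: bytes) -> str:
    """Build a form body carrying blob as a URL-safe base64 'build-js' value (test helper)."""
    return SINK_PARAM + "=" + quote(base64.b64encode(blob).decode())


# Constructed sample traffic (not captured data). The serialized object uses a
# made-up class with no gadget properties; it only exercises the detector.
SAMPLE_PAYLOAD = b'O:14:"Example_Object":1:{s:4:"name";s:4:"test";}'
SAMPLE_REQUESTS = [
    ("GET", "/index.php", ""),
    ("POST", VULNERABLE_PATH, encode_build_js(b"just a string")),   # benign value
    ("POST", VULNERABLE_PATH, encode_build_js(SAMPLE_PAYLOAD)),     # object header
    ("POST", "/wizard/other.php", encode_build_js(SAMPLE_PAYLOAD)), # wrong endpoint
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

The decoder deliberately copies PHP’s lenient behaviour rather than using strict validation, because a detector that rejects what PHP accepts will miss the very requests that reach unserialize(). Any “medium” finding is still worth alerting on: a serialized object of any class arriving at this endpoint has no legitimate reason to exist, and the class list tells the responder which gadget was attempted.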
Remediation Recommendations
Unfortunately, no patch is currently available for this vulnerability. It is recommended to either remove the ‘usr/share/article-postfix/wizard’ directory (it is not a critical component for the proxy to function properly) or move it outside of the web root folder. Either step makes the vulnerable code unreachable from the network, drastically reducing risk.
Relevant Links