Recently I found a Kaspersky Proxy Server ISO somewhere online. I was a little surprised to see that this 'appliance' is based on Artica Proxy. Below you will find a few details from the journey...
We should start here:
After installation, the machine should be ready to boot:
We are here:
As you will see in that menu, there is already a 'default password' but we will get to that later. ;)
It's time to switch the proxy in the browser... I used Burp Suite. You should be here:
LDAP injection? ;) I will leave it to you as an exercise ;)
Using default credentials to check the panel:
After a while I started checking the settings available on the appliance. That's how I found the 'eMail notifications' section, where you can define 'parameters'. I tried my own values:
And that worked :) A file was created in the /tmp/ directory. So I decided to try something else. Now our 'values' for the email settings look like this:
Cool, we got root! :)
At this stage I decided to look for a more recent ('latest') VM. I found that Artica (which is not 'part of Kaspersky') released a 'new version' on SourceForge - here:
I wondered whether I could achieve similar results on that ('latest') version. Checking:
That's more like it:
The password was the same (just like in the prior version), but the login had changed to 'Manager', so I tried to go directly to the SMTP settings to check whether I would be able to inject my commands again... No luck this time...
...but I found that in Artica (3.06) you get a nice webshell once you are logged in :)
Great, rooted again. :)
Conclusion: cool bug, but we still need valid credentials to use it, right?
Nope :) It's time to use some Nippur-resources ;)
Now you've got it. So even if the admin changes the default password, you can still read it remotely. :)
Remember to check the bug only in your local environment - not on Shodan ;)
Do not use it for illegal purposes.