poniedziałek, 9 marca 2020

RCE in Artica 4.26

Last time I found RCE bug in an old Artica Proxy. This time I decided to check the latest one. Below you will find few results. Here we go...
Today we will start here:


Yep, this is postauth RCE so to continue you'll need password of the admin user (in this case - "Manager").

As you will see below to achieve RCE in latest version we need to go to the Dashboard (as logged-in admin user) and click 'Change' to change the hostname, like this:

Cool. But you won't see your asd3 file in /tmp/ now. ;)

(Just like before I opened log files to see if there will be a hint for me ;)


To get things done, now you need to go to the DNS -> Hosts file and Build the file. Remember that you'll need to wait a little bit for the application to refresh (after each of those requests). Approximate time to get a shell when you have a valid credentials is 60 seconds.

Next I decided to use some oneliner. The case was I couldn't use a quick (and valid one) so I prepared a bash-oneliner as a shell-script (in my Kali/Apache server). Next thing was to wget it and run with bash -interactive ;]


Hostname is edited so now it's time to "Build the file" ;) Let's do it (with netcat listening on port 443):

I think that's all for now. ;)

See you next time!


** working poc will be disclosed only to patronite/donate users ;) 
...but I believe it's pretty simple to write it if you want it... ;>

Brak komentarzy:

Prześlij komentarz