Unpatched PHP Deserialization Vulnerability in Artica Proxy


Overview

The SonicWall Capture Labs threat research team became aware of a deserialization vulnerability in the Artica Proxy appliance, assessed its impact and developed mitigation measures. Artica Proxy is a comprehensive proxy solution performing tasks such as web filtering and categorization, SSL inspection, and bandwidth management. The vendor reports having over 100K servers installed around the world.

Tracked as CVE-2024-2054, the flaw lies in the administrative web interface, which deserializes arbitrary PHP objects supplied by an unauthenticated user; a successful attack yields code execution under the “www-data” user account. The vulnerability carries an expected CVSS score of 9.8 and affects version 4.50 and all previous versions. There are currently no reports of active exploitation, but a public PoC has been released by the KoreLogic research team and the vendor has not yet issued a patch, so organizations are strongly encouraged to follow the steps in the mitigation section below. SonicWall customers are already protected through IPS signature 19786, released on March 18th.

Technical Overview

Without authentication, a user can send an HTTP POST request to the “/wizard/wiz.wizard.progress.php” endpoint. This endpoint accepts a “build-js” parameter, as seen in Figure 1.

Figure 1: wiz.wizard.progress.php lines 10-16

When the “build-js” value is present, the script base64-decodes it and passes the decoded value straight to PHP’s “unserialize” function, as seen in Figure 2.

Figure 2: wiz.wizard.progress.php build-js function

This is the root cause of the vulnerability: an unauthenticated attacker controls the base64-encoded input, and it is deserialized directly without any validation of what it contains.

Triggering the Vulnerability

To trigger this vulnerability, an attacker must send an HTTP POST request to the Artica Proxy instance with the crafted “build-js” parameter set to a base64-encoded payload. Using the public PoC code as an example, this could be accomplished using the Linux “curl” command, as shown in Figure 3.

Figure 3: Triggering the vulnerability using curl

Exploitation

While triggering the vulnerable code path is simple, exploitation is slightly trickier. As with most deserialization attacks, what an attacker can achieve depends on the classes loaded by the application – in this case, the installed PHP modules and libraries. An attacker must find a class whose magic methods (such as a destructor) do something useful when invoked on an object built from the attacker’s serialized data. When searching the installed PHP code for a suitable class, the “Net_DNS2_Cache_File” destructor within the “Net_DNS2” library stands out, as shown in Figure 4.

Figure 4: Net_DNS2_Cache_File destructor file write

When a “Net_DNS2_Cache_File” object is destroyed, its destructor may write a file to disk. An attacker can therefore deserialize such an object with attacker-chosen properties and let PHP destroy it, writing a file of their choosing to the system. As PHP web shells are a common tool used by attackers, a web shell is the likely choice of payload.
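To make the two pieces concrete, the following is an added illustration written for this article; it is not code from Artica Proxy or from the Net_DNS2 library. It pairs a sink modelled on the pattern in wiz.wizard.progress.php (unserialize of a base64-decoded POST value) with a hypothetical gadget class, FileCacheGadget, whose destructor writes a file the way the Net_DNS2_Cache_File destructor is described above. The class name and its properties (cache_file, cache_data) are assumptions, not the library’s own. The hardened variant passes allowed_classes => false, so the object comes back as __PHP_Incomplete_Class and no destructor runs.

```php
<?php
// Added illustration, not Artica's or Net_DNS2's code. FileCacheGadget is a
// hypothetical stand-in for a class with a file-writing destructor; the
// property names are invented for the demo.

class FileCacheGadget
{
    public $cache_file = '';   // hypothetical: path written when the object dies
    public $cache_data = '';   // hypothetical: bytes written to that path

    public function __destruct()
    {
        // Destructors run whenever the object is released, including objects
        // that unserialize() built from attacker-controlled input.
        if ($this->cache_file !== '') {
            file_put_contents($this->cache_file, $this->cache_data);
        }
    }
}

// What an attacker would send: a serialised object, base64-encoded, as build-js.
function craft_payload(string $path, string $content): string
{
    $g = new FileCacheGadget();
    $g->cache_file = $path;
    $g->cache_data = $content;
    return base64_encode(serialize($g));
}

// Vulnerable sink, modelled on the pattern described for wiz.wizard.progress.php.
function vulnerable_sink(string $buildJs): void
{
    $obj = unserialize(base64_decode($buildJs)); // attacker picks the class
    unset($obj);                                  // refcount hits zero: __destruct runs
}

// Hardened sink: refuse to instantiate any class. PHP 7.0+ returns objects as
// __PHP_Incomplete_Class, which has no destructor, so nothing is written.
// Better still is not accepting serialised PHP from clients at all (e.g. JSON).
function hardened_sink(string $buildJs): void
{
    $decoded = base64_decode($buildJs, true);   // strict: reject non-base64
    if ($decoded === false) {
        return;
    }
    $obj = unserialize($decoded, ['allowed_classes' => false]);
    unset($obj);
}

// Demonstration against a temp file so it is safe to run locally.
$target  = sys_get_temp_dir() . '/gadget_demo.php';
$payload = craft_payload($target, "<?php echo 'written by destructor'; ?>");

@unlink($target);
vulnerable_sink($payload);
echo "vulnerable sink wrote the file: " . var_export(file_exists($target), true) . PHP_EOL;

@unlink($target);
hardened_sink($payload);
echo "hardened sink wrote the file:   " . var_export(file_exists($target), true) . PHP_EOL;
@unlink($target);
```

Run it with the PHP CLI; the first sink leaves the temp file behind and the second does not. The takeaway matches the advisory: the destination path and file contents are nothing more than two properties of the serialized object, so whoever controls the bytes fed to unserialize() controls the write.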

It is worth noting that the possibility of this destructor being abused by attackers was reported to the Net_DNS2 project on GitHub in 2016, tracked as issue 50.

Figure 5: GitHub Issue reporting vulnerable code

The Net_DNS2 project mitigated the issue several months later in 2016; however, Artica Proxy ships an outdated version of the library, as can be seen in the DNS2.inc file on the filesystem.

Figure 6: Net_DNS2 class version on Artica Proxy

To illustrate exploitation, Figure 7 shows a segment in which an unauthenticated user overwrites the existing “wiz.upload.php” file. The clip first displays the original “wiz.upload.php” file and then shows it overwritten by a simple web shell after exploitation. This is achieved by deserializing a “Net_DNS2_Cache_File” object whose destructor writes the web shell, after which arbitrary PHP code runs under the “www-data” user account. The payload executes the “whoami” command, confirming the user.

Figure 7: Successful exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 19786 Artica Proxy PHP Deserialization

Remediation Recommendations

Unfortunately, no patch is currently available for this vulnerability. It is recommended to either remove the “/usr/share/artica-postfix/wizard” directory (it is not required for the proxy to function) or move it outside of the web root. Doing so makes the vulnerable code unreachable from the network, drastically reducing the risk.
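As a complement to the mitigation, the following is an added example written for this article (it is not SonicWall’s signature logic and not Artica code) showing how the request shape described above can be spotted in logs. It assumes a reverse proxy or WAF in front of the appliance writes one JSON object per request with “client”, “method”, “path” and “body” fields; that is an assumption, and a plain Apache access log does not record POST bodies, so only the method and path checks would apply there. The sample log lines are constructed, and the property inside the Net_DNS2_Cache_File object in them is invented; only the endpoint and class name come from the advisory.

```python
"""Added example: flag POSTs to wiz.wizard.progress.php whose build-js value
base64-decodes to serialised PHP objects. Assumes a JSON-lines request log with
"client", "method", "path" and "body" fields (an assumption about the logger)."""
import base64
import binascii
import json
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint and gadget class named in the advisory.
VULN_SCRIPT = "/wizard/wiz.wizard.progress.php"
KNOWN_GADGETS = {"Net_DNS2_Cache_File"}

# PHP serialisation token for an object: O:<name length>:"<class name>":
PHP_OBJECT_RE = re.compile(rb'O:(\d+):"([^"]+)":')


def php_object_classes(data: bytes) -> List[str]:
    """Return the class name of every serialised PHP object found in data."""
    classes = []
    for length, name in PHP_OBJECT_RE.findall(data):
        # A genuine token carries the class name length; skip look-alikes.
        if int(length) == len(name):
            classes.append(name.decode("ascii", "replace"))
    return classes


def decode_build_js(value: str) -> Optional[bytes]:
    """Strictly base64-decode the build-js value; None if it is not base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_request(record: Dict) -> Optional[Dict]:
    """Return a finding for one logged request, or None if it looks benign."""
    if str(record.get("method", "")).upper() != "POST":
        return None
    if urlsplit(str(record.get("path", ""))).path != VULN_SCRIPT:
        return None
    params = parse_qs(str(record.get("body", "")), keep_blank_values=True)
    if "build-js" not in params:
        return None
    finding = {"client": record.get("client"), "classes": []}
    raw = decode_build_js(params["build-js"][0])
    if raw is None:
        finding.update(severity="low", reason="build-js is not valid base64")
        return finding
    classes = php_object_classes(raw)
    finding["classes"] = classes
    if not classes:
        # A serialised array or scalar: no gadget, but still an unauthenticated
        # client feeding unserialize(), so worth a look.
        finding.update(severity="medium", reason="serialised PHP without objects")
    elif KNOWN_GADGETS & set(classes):
        finding.update(severity="critical", reason="known file-write gadget class")
    else:
        finding.update(severity="high", reason="instantiates PHP objects")
    return finding


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Apply inspect_request to JSON-lines log text, skipping unparsable lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = inspect_request(record)
        if finding is not None:
            findings.append(finding)
    return findings


def _form(serialised: str) -> str:
    """Build a build-js form body the way a client would (used for the sample)."""
    return urlencode({"build-js": base64.b64encode(serialised.encode()).decode()})


# Constructed sample log, not real traffic. The property "foo" inside the
# Net_DNS2_Cache_File object is invented; only the class name is from the advisory.
SAMPLE_LOG = [
    json.dumps({"client": "10.0.0.5", "method": "GET", "path": VULN_SCRIPT, "body": ""}),
    json.dumps({"client": "10.0.0.6", "method": "POST", "path": VULN_SCRIPT,
                "body": _form('a:1:{s:4:"step";i:2;}')}),
    json.dumps({"client": "203.0.113.9", "method": "POST", "path": VULN_SCRIPT + "?x=1",
                "body": _form('O:19:"Net_DNS2_Cache_File":1:{s:3:"foo";s:3:"bar";}')}),
    json.dumps({"client": "203.0.113.10", "method": "POST", "path": VULN_SCRIPT,
                "body": "build-js=%%%not-base64"}),
    "this line is not JSON and is skipped",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['client']:14} {f['reason']}  classes={f['classes']}")
```

The checker deliberately treats any serialised PHP reaching this parameter as suspicious rather than matching only the known gadget, since other classes in the installed PHP code could serve the same purpose; the severity labels are a suggestion, not part of the advisory.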
