CVE-2020-17505
Published 2020-08-12
Priority: P1 · CVSS 3.1 base score 8.8 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW) · public exploit available · listed in VulnCheck KEV
EPSS: 82.16% (99.6th percentile)
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| articatech | web_proxy | — | — |
Detection & IOCs (extracted from sources)
- Command: `GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;`
- Detect auth bypass attempt: HTTP GET to /fw.login.php with the 'apikey' parameter containing a UNION SELECT SQL injection payload and a base64-encoded session cookie value.
- Detect command injection attempt: HTTP GET to /cyrus.index.php with the 'service-cmds-peform' parameter containing pipe-delimited OS commands (e.g., ||whoami||).
- Response body indicators of successful exploitation include the strings 'array(2)', 'Position: ||whoami||', and 'root' all present simultaneously.
- The injected commands in the 'service-cmds' / 'service-cmds-peform' parameter are executed with root privileges via the internal function service_cmds_peform.
- The auth bypass (Step 1) uses a SQL UNION injection in the 'apikey' parameter of /fw.login.php to set a crafted session cookie, allowing unauthenticated access to the command injection endpoint. Both steps must be chained for unauthenticated RCE.
- The vulnerability affects Artica Web Proxy version 4.30.000000 specifically, running as a virtual appliance where the web process has root privileges.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| VulnCheck | — | 8.8 | HIGH | — |
GHSA
GHSA-m3f9-9cw6-5ccj: Artica Web Proxy 4 (ghsa_unreviewed · 2022-05-24 · HIGH · CWE-78)
VulnCheck
articatech web_proxy: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (vulncheck · 2020 · CVSS 8.8 · HIGH)
Affected: articatech web_proxy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2020-17505
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2020-17505
No detection rules found.
Metasploit
Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection (metasploit)
This module exploits an authenticated command injection vulnerability in Artica Proxy. Combined with an authentication bypass discovered in the same version, it is possible to trigger the vulnerability without knowing the credentials. The application runs in a virtual appliance; successful exploitation of this vulnerability yields remote code execution as root on the remote system.
Nuclei
Artica Web Proxy 4.30 - OS Command Injection (nuclei · CVSS 8.8 · HIGH)
Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
Template:
```yaml
id: CVE-2020-17505
info:
  name: Artica Web Proxy 4.30 - OS Command Injection
  author: dwisiswant0
  severity: high
  description: Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
  remediation: |
    Upgrade to a
```
Nuclei
Artica Web Proxy Security Checks (nuclei · CVSS 8.8 · HIGH)
A simple workflow that runs all Artica Web Proxy related nuclei templates on a given target.
Template:
```yaml
id: artica-web-proxy-workflow
info:
  name: Artica Web Proxy Security Checks
  author: dwisiswant0,pdteam
  description: A simple workflow that runs all Artica Web Proxy related nuclei templates on a given target.
workflows:
  - template: http/technologies/artica-web-proxy-detect.yaml
    subtemplates:
      - template: http/cves/2020/CVE-2020-17505.yaml
```
References
- http://packetstormsecurity.com/files/159267/Artica-Proxy-4.30.000000-Authentication-Bypass-Command-Injection.html
- https://blog.max0x4141.com/post/artica_proxy/