CVE-2021-35975 PoC — Systematica Radius 安全漏洞

Source

Associated Vulnerability

Description

Path Traversal Vulnerability in Systematica SMTP Adapter and other sub-products

Readme

# CVE-2021-35975

Systematica SMTP Adapter versions prior to v2.0.1.101 are vulnerable to directory traversal, which may allow an attacker to read sensitive files.

CVSS v2: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS v2 Score (BS): 3

CVSS v3: (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVSS v3 Score (BS): 3.0


# Information

<b>Description:</b> Absolute path traversal vulnerability in the Systematica SMTP Adapter component (up to v2.0.1.101) in Systematica Radius (up to v.3.9.256.777) allows remote attackers to read arbitrary files via a full pathname in GET parameter "file" in URL. 

Also: affected components in same product - HTTP Adapter (up to v.1.8.0.15), MSSQL MessageBus Proxy (up to v.1.1.06), Financial Calculator (up to v.1.3.05), FIX Adapter (up to v.2.4.0.25)

<b>Class:</b> Design Error 

<b>Researcher:</b> Vadim Golovanov

<b>Issue date:</b> 2021-05-29 (Initial Advisory)

<b>Private release:</b> 2021-06-30

<b>Public release:</b> 2021-08-21

<b>Disclosure Link:</b>

<b>NIST CVE Link:</b>

<b>CWE:</b> 22 or 36 - Absolute Path Traversal

# POC

<b>An example of vector:<b/>
  
SMTP adapter              http://SERVER:PORT/info?page=logfile&file=C:/windows/win.ini
  
ALSO ACTUAL FOR:

HTTP adapter, MSSQL MessageBus Proxy, Financial Calculator, FIX Adapter and others...


<b>POST RE-FINDING CVE:<b/>

<b>CVE-2022-39838</b> https://github.com/jet-pentest/CVE-2022-39838
  
# Screenshots:
  
![](CVE_2021_35975_1.png)

![](CVE_2021_35975_2.png)

File Snapshot

 [4.0K]  /data/pocs/2a8f0698e5796a79b7ace92d042b78c118c02a7e
├── [ 98K]  CVE_2021_35975_1.png
├── [ 22K]  CVE_2021_35975_2.png
└── [1.4K]  README.md

0 directories, 3 files

Remarks