Citrix XenMobile Directory Traversal Vulnerability Analysis (CVE-2020-8209)

0x00 Preface

For the reproduction of the vulnerability, see my GitHub: https://github.com/ybdt/poc-hub/tree/master/2020_11_18_Citrix%20XenMobile目录遍历漏洞复现(CVE-2020-8209)

0x01 Static Analysis

The vulnerable file is help-sb-download.jsp; its code is as follows

<%@ page import="java.io.File" %>
<%@ page import="java.io.FileInputStream" %>
<%@ page import="java.io.DataInputStream" %>
<%@ page import="javax.servlet.ServletOutputStream" %>
<%
    // Fixed base directory that the user-supplied name is appended to.
    String sbFilePath="/opt/sas/support/";
    int length = 0;

    // Taken straight from the request, with no validation or filtering.
    String sbFileName=(String)request.getParameter("sbFileName");

    ServletOutputStream outStream = response.getOutputStream();
    response.setHeader("Set-Cookie","fileDownload=true; path=/");
    response.setContentType("application/octet-stream");
    // The unvalidated name is also echoed into the response header.
    response.setHeader("Content-Disposition", "attachment; filename=\"" + sbFileName + '"');

    // Plain string concatenation: "../" sequences in sbFileName are honored by the
    // filesystem, so the opened file can lie anywhere outside /opt/sas/support/.
    File file = new File(sbFilePath+sbFileName);
    byte[] byteBuffer = new byte[4096];
    DataInputStream in = new DataInputStream(new FileInputStream(file));

    // Stream the file's contents to the client unchanged.
    while((in != null) && ((length =in.read(byteBuffer)) != -1))
    {
        outStream.write(byteBuffer,0,length);
    }

    in.close();
    outStream.flush();
%>

From the code above, the value of the sbFileName parameter, obtained from the GET request, is concatenated with the known path "/opt/sas/support" (so the exploit has to traverse three levels up to get back to the root directory); the concatenated path is then opened and its contents are read and written to the response without any filtering.
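The following Java class is an added illustration, not code from the page or from Citrix. It isolates the path-resolution step of help-sb-download.jsp: vulnerableResolve reproduces the JSP's string concatenation, and safeResolve (a name chosen here) is one hardened form that normalizes the resolved path and refuses anything that does not remain beneath /opt/sas/support. The sample inputs in main are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration (not Citrix code): the path-resolution step of
// help-sb-download.jsp, shown as written in the vulnerable JSP and in a
// hardened form that confines the resolved path to the support directory.
public class SbFileResolver {

    // Same base directory the JSP concatenates onto.
    static final Path BASE = Paths.get("/opt/sas/support").toAbsolutePath().normalize();

    // Vulnerable form: plain string concatenation, exactly as in the JSP.
    // A name containing "../" segments is passed to the filesystem as-is,
    // so the resulting path can leave /opt/sas/support entirely.
    static String vulnerableResolve(String sbFileName) {
        return "/opt/sas/support/" + sbFileName;
    }

    // Hardened form: resolve against the base, normalize away "." and "..",
    // then require the result to still sit beneath the base directory.
    // Path.resolve also covers an absolute user value: resolve("/etc/passwd")
    // yields /etc/passwd itself, which the startsWith check rejects.
    static Path safeResolve(String sbFileName) throws IOException {
        if (sbFileName == null || sbFileName.isEmpty()) {
            throw new IOException("sbFileName is required");
        }
        Path candidate = BASE.resolve(sbFileName).normalize();
        if (!candidate.startsWith(BASE)) {
            throw new IOException("sbFileName escapes the support directory: " + sbFileName);
        }
        // Deployed code should additionally call candidate.toRealPath() and repeat
        // the startsWith check, so a symlink inside BASE cannot point outside it.
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name, two traversal attempts.
        String[] samples = { "report.txt", "../../../etc/passwd", "/etc/passwd" };
        for (String s : samples) {
            System.out.println("input: " + s);
            System.out.println("  vulnerable -> " + vulnerableResolve(s));
            try {
                System.out.println("  hardened   -> " + safeResolve(s));
            } catch (IOException e) {
                System.out.println("  hardened   -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main shows "report.txt" accepted as /opt/sas/support/report.txt, while both traversal inputs are rejected because normalize() collapses them to a path outside BASE. The check is done on the normalized Path rather than on the raw string, so it does not depend on spotting "../" substrings, which encoded or mixed-separator variants could otherwise slip past.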

0x02 Dynamic Analysis

0x03 References