Kiteworks Totemomail versions 7.x and 8.x before 8.3 contain a directory traversal vulnerability, tracked as CVE-2024-28064, that lets an unauthenticated attacker read, write, and delete files on the server through the messageId feature of the /responsiveUI/EnvelopeOpenServlet endpoint. This post describes the vulnerability and how it is exploited, with example requests and links to the original references.

Description of Vulnerability

The issue occurs because the affected Totemomail versions do not validate the value supplied in the "messageId" parameter of HTTP requests to the /responsiveUI/EnvelopeOpenServlet servlet. The value is used to build a filesystem path, so ../ sequences in it resolve outside the directory the servlet is meant to serve. An attacker can use this to read and delete files through the displayLoginChunkedImages operation and to write files through the storeLoginChunkedImages operation, all without authenticating.
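To make the root cause concrete, the following is an added Python example, not Totemomail's own code (the product is a closed-source Java servlet application), showing the unchecked path-join pattern that produces this class of bug next to a hardened resolver of the kind the OWASP guidance recommends. The base directory IMAGE_ROOT, the allowlist pattern, and the function names are assumptions made for the example; the payload is the one used in the requests later in this post.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed base directory standing in for the servlet's image store; the real
# location inside a Totemomail install is an assumption, not taken from the advisory.
IMAGE_ROOT = "/opt/totemomail/login_images"

# Allowlist for a message id: a single path component with no dots or separators.
MESSAGE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_unchecked(message_id: str) -> str:
    """Vulnerable pattern: the request parameter is decoded and joined to the base
    directory with no validation, so '../' segments walk out of IMAGE_ROOT."""
    decoded = unquote(message_id)
    # Emulate the legacy file-API behaviour the %00 trick relies on (C strings and
    # Java before 7u40 cut the path at the first NUL), so any appended suffix is lost.
    decoded = decoded.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(IMAGE_ROOT, decoded))


def resolve_checked(message_id: str) -> str:
    """Hardened pattern: decode exactly once, allowlist the id, then confirm the
    canonical result still lies under IMAGE_ROOT. Raises ValueError otherwise."""
    decoded = unquote(message_id)
    if "\x00" in decoded:
        raise ValueError("NUL byte in messageId")
    if not MESSAGE_ID_RE.fullmatch(decoded):
        raise ValueError("messageId is not a plain identifier")
    # Defence in depth: even a value that passes the allowlist must canonicalise
    # to a path inside the image directory.
    root = posixpath.normpath(IMAGE_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("messageId escapes the image directory")
    return candidate


def is_rejected(message_id: str) -> bool:
    """True when the hardened resolver refuses the supplied messageId."""
    try:
        resolve_checked(message_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "../../../../../../../../../../../etc/passwd%00"
    print("unchecked resolves to:", resolve_unchecked(payload))
    print("checked rejects payload:", is_rejected(payload))
    print("checked accepts id 123:", resolve_checked("123"))
```

Decoding exactly once matters: a double-encoded payload such as %252e%252e%2f decodes to %2e%2e/ and fails the allowlist, whereas a resolver that decodes in a loop before validating would turn it back into ../ and may be bypassed.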

Exploitation Details

To demonstrate exploitation, consider the following example request, which retrieves the contents of a file by traversing out of the intended directory:

http://TARGET/responsiveUI/EnvelopeOpenServlet?read=true&displayLoginChunkedImages=../../../../../../../../../../../etc/passwd%00,messageId=123

In this case the server receives a parameter value containing a directory traversal string (../../../../../../../../../../../etc/passwd%00). If the server is vulnerable, the chain of ../ segments resolves out of the image directory and the response contains the contents of /etc/passwd. The trailing %00 is the classic null-byte truncation trick, intended to cut off any suffix the application appends to the supplied name; it only works on runtimes whose file APIs stop at a NUL byte, so depending on the Java version in use it may be unnecessary or may cause the request to fail, and it is worth testing with and without it.

Another example demonstrates file deletion:

http://TARGET/responsiveUI/EnvelopeOpenServlet?read=true&displayLoginChunkedImages=../../../../../../../../../../../path/to/file/toBeDeleted%00,messageId=123

In this case the request carries the same kind of traversal string (../../../../../../../../../../../path/to/file/toBeDeleted%00), this time pointing at the file the attacker wants removed. If the server is vulnerable, the file is deleted. Because the operation is destructive and needs no authentication, verify it only against a file created for the test, never against a production artifact.

And finally, file write:

http://TARGET/responsiveUI/EnvelopeOpenServlet?read=true&storeLoginChunkedImages=../../../../../../../../../../../path/to/directory/,messageId=123

As in the previous examples, the traversal string (../../../../../../../../../../../path/to/directory/) points to the directory where the attacker wants to write. If the server is vulnerable, the data supplied with the request is stored at that location. An unauthenticated arbitrary file write is a far stronger primitive than the read, since files the application server itself loads can be overwritten, so treat this one as the highest-impact variant when prioritising the patch.
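For defenders, the three request shapes above are easy to hunt for in web server access logs. The following Python scanner is an added example, not part of the original post or the vendor's tooling: it parses combined-format access log lines, decodes every query parameter (including double encoding), and flags requests to /responsiveUI/EnvelopeOpenServlet whose parameters carry a ../ sequence or a null byte. The log lines are constructed to mirror the examples in this post, the combined log format is an assumption about the deployment, and the IP addresses come from documentation ranges.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in combined format; the request shapes follow the
# examples in this post, the IPs are documentation-range addresses.
LOG_SAMPLE = """\
203.0.113.5 - - [18/May/2024:22:15:07 +0000] "GET /responsiveUI/EnvelopeOpenServlet?read=true&displayLoginChunkedImages=../../../../../../../../../../../etc/passwd%00,messageId=123 HTTP/1.1" 200 1834 "-" "curl/8.5.0"
198.51.100.7 - - [18/May/2024:22:16:01 +0000] "GET /responsiveUI/EnvelopeOpenServlet?read=true&displayLoginChunkedImages=logo.png,messageId=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [18/May/2024:22:17:12 +0000] "GET /responsiveUI/EnvelopeOpenServlet?read=true&storeLoginChunkedImages=%252e%252e%252f%252e%252e%252ftmp%252f,messageId=123 HTTP/1.1" 200 12 "-" "curl/8.5.0"
192.0.2.9 - - [18/May/2024:22:18:30 +0000] "GET /responsiveUI/index.jsp HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
TARGET_PATH = "/responsiveUI/EnvelopeOpenServlet"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so double
    encoding such as %252e%252e%252f is reduced to ../ before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reasons(value: str) -> list:
    """Return the traversal indicators present in a decoded parameter value."""
    reasons = []
    if "../" in value or "..\\" in value:
        reasons.append("dot-dot segment")
    if "\x00" in value:
        reasons.append("null byte")
    return reasons


def flag_request(line: str):
    """Parse one log line; return a finding dict if the request targets the
    servlet and carries a traversal payload in any parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != TARGET_PATH:
        return None
    # parse_qsl decodes one layer; fully_decode handles anything nested below it.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        reasons = traversal_reasons(fully_decode(raw))
        if reasons:
            return {
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "param": name,
                "status": int(m.group("status")),
                "reasons": reasons,
            }
    return None


def scan_log(text: str) -> list:
    """Run flag_request over every line and collect the findings."""
    return [hit for hit in map(flag_request, text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(LOG_SAMPLE):
        print(hit)
```

The scanner inspects every parameter rather than only messageId because, as the examples show, the traversal payload travels inside the displayLoginChunkedImages and storeLoginChunkedImages values. A 200 status on a flagged read or write request is the signal to escalate to forensic review of the host, since a vulnerable server returns success.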

How to Mitigate the Vulnerability

Update the affected Totemomail 7.x and 8.x installations to version 8.3 or later; the vendor fix is the only complete remediation. Until that is done, limit exposure of /responsiveUI/EnvelopeOpenServlet at a reverse proxy or WAF, block requests whose parameters contain ../ sequences or %00, and review access logs for such requests to identify earlier exploitation attempts.

For more information about the vulnerability, consult the original sources:

1. CVE-2024-28064 - https://nvd.nist.gov/vuln/detail/CVE-2024-28064
2. Kiteworks Security Advisory - https://www.kiteworks.com/totemomail/security-advisory/
3. OWASP Path Traversal Prevention Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Path_Traversal_Prevention_Cheat_Sheet.html

Conclusion

In this post we have discussed the directory traversal vulnerability CVE-2024-28064 in Kiteworks Totemomail versions 7.x and 8.x prior to 8.3, shown how an attacker exploits it for unauthenticated file read, delete, and write, and described how to mitigate it. Keeping software up to date remains the decisive control against known vulnerabilities of this kind.

Timeline

Published on: 05/18/2024 22:15:07 UTC
Last modified on: 08/02/2024 00:48:48 UTC