Potential Security Iissue where where NAM admin download system files from Admin Console host via code promotion URL

  • 7018541
  • 27-Jan-2017
  • 31-Jan-2017

Environment

NetIQ Access Manager 4.2

Situation

A file download vulnerability exists in the Admin Console that would allow a NAM admin user download any file from the Admin Console host using the following code promotion URL

https://<$admin_console_ipaddr>:8443/roma/system/cntl?handler=staging&actionCmd=download&stagingfile=../../../../../../../../../../etc/passwd

This does not happen in 4.3.

Resolution

Apply 4.2.3.

The download request is validated for the file name and path traversal is blocked. The following message is now returned:

Requested config was not returned. File name is null or is invalid - ../../../../../etc/passwd

This type of a crafted URL throws an exception in catalina logs:

https://<adminconsole-ip>:8443/roma/system/cntl?handler=staging&actionCmd=download&stagingfile=NAMExportedConfig_2017-01-16_1249.namcfg/../../../../../etc/passwd

Returning exported config to the browser: NAMExportedConfig_2017-01-16_1249.namcfg/../../../../../etc/passwd
java.io.FileNotFoundException: ./namconfig/NAMExportedConfig_2017-01-16_1249.namcfg/../../../../../etc/passwd (Not a directory)
        at java.io.FileInputStream.open0(Native Method)
        at java.io.FileInputStream.open(FileInputStream.java:195)
        at java.io.FileInputStream.<init>(FileInputStream.java:138)
        at java.io.FileInputStream.<init>(FileInputStream.java:93)
        at com.netiq.nam.staging.handler.StagingHandler.Ì(y:412)
        at com.netiq.nam.staging.handler.StagingHandler.processRequest(y:2547)
        at com.volera.roma.servlet.GenericController.doGet(y:743)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:624

Feedback service temporarily unavailable. For content questions or problems, please contact Support.