Ivanti_Avalanche目录便利任意文件漏洞读取-棉花糖会员站

# Ivanti Avalanche目录便利任意文件漏洞读取

## 漏洞描述

Ivanti Avalanche是美国Ivanti公司的一套企业移动设备管理系统。该系统主要用于管理智能手机、平板电脑等设备。该漏洞存在于读取存储的头像图片位置，未进行限制格式与目录，造成了任意文件读取。

## 漏洞影响

> Avalanche Premise 6.3.2 for Windows v6.3.2.3490

## 关键代码

“`
String paramImageFilePath = request.getParameter(“imageFilePath”); // vulnerable GET parameter
boolean cacheImage = true;
String parameterIcon = request.getParameter(“icon”);
if (paramImageFilePath != null) {
File imageFile = new File(paramImageFilePath); // reading from user-input path
byte[] icon = FileUtils.readFileToByteArray(imageFile);
String queryString = request.getQueryString();
if (icon != null && icon.length > 0) {
handleIcon(response, icon, queryString, false); // outputting the contents
} else {
logger.warn(String.format(“ImageServlet::missing icon for device(%s)”, new Object[] {
queryString
}));
}
…
private void handleIcon(HttpServletResponse response, byte[] icon, String imageSource, boolean cacheImage) throws IOException {
response.setContentLength(icon.length);
if (cacheImage) {
HttpUtils.expiresOneWeek(response);
} else {
HttpUtils.expiresNow(response);
}
ImageInputStream inputStream = ImageIO.createImageInputStream(new ByteArrayInputStream(icon));
try {
Iterator < ImageReader > imageReaders = ImageIO.getImageReaders(inputStream);
if (imageReaders.hasNext()) {
ImageReader reader = imageReaders.next();
String formatName = reader.getFormatName();
response.setContentType(String.format(“image/%s”, new Object[] {
formatName
}));
} else {
logger.warn(String.format(“ImageServlet::unknown image format for (%s)”, new Object[] {
imageSource
}));
}
} finally {
try {
inputStream.close();
} catch (IOException iOException) {}
}
ServletOutputStream outputStream = response.getOutputStream();
outputStream.write(icon); // outputting the contents of the file
}
“`