Ozeki SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)

Exploiting Arbitrary File Read Vulnerability in Ozeki SMS Gateway 10.3.208 (Unauthenticated)

On August 1, 2023, cybersecurity researcher Ahmet Ümit Bayram disclosed a critical vulnerability in Ozeki SMS Gateway 10.3.208, a widely used messaging platform for enterprise SMS communication. The flaw, identified as Arbitrary File Read (Unauthenticated), allows attackers to access sensitive system files without requiring any form of authentication. This poses a severe risk to organizations relying on this software for internal communications, especially in environments where default configurations are not properly secured.

Understanding the Vulnerability

The core issue lies in improper handling of path traversal in the web interface of Ozeki SMS Gateway. Specifically, the application exposes a web endpoint that processes file requests without validating or sanitizing user input. This enables attackers to craft malicious URLs using directory traversal sequences such as ..%252f..%252f..%252f—a URL-encoded version of ../../.

When an attacker sends a request to https://localhost:9515/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini, the server interprets this as a request to read the win.ini file located in the Windows system directory. This file, though outdated, contains valuable information about system configuration, including user profiles, installed software, and registry settings.

curl https://localhost:9515/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini

This simple curl command demonstrates how an unauthenticated attacker can retrieve system-level data. The absence of authentication requirements makes this exploit particularly dangerous, as it can be launched from any network location without prior access to the system.

Technical Analysis and Attack Surface

Directory traversal vulnerabilities are typically categorized under Path Traversal or File Inclusion in the OWASP Top 10. In this case, the Ozeki SMS Gateway’s web server fails to implement proper input validation for file paths. The lack of sanitization allows attackers to bypass security boundaries and access files outside the intended document root.

Key indicators of this vulnerability include:

• Use of URL-encoded traversal sequences (%252f instead of /) to evade basic filters.
• Exposure of sensitive system files (e.g., win.ini, system32, boot.ini) via direct access.
• Server-side processing of user-supplied file paths without checking for relative or absolute path restrictions.

Attackers can leverage this vulnerability to extract:

• System configuration details (e.g., installed applications, user accounts).
• Authentication credentials stored in configuration files (e.g., database.ini, config.xml).
• Private logs or audit trails that may reveal internal communication patterns.

Real-World Implications and Use Cases

Organizations using Ozeki SMS Gateway for automated alerts, customer notifications, or internal messaging systems are at significant risk. Even if the gateway is behind a firewall, a successful exploit can reveal internal infrastructure details that may be used in subsequent attacks.

For example, a malicious actor could:

• Extract the web.config file from the application’s root directory to discover database connection strings.
• Retrieve log.txt files to analyze user behavior and identify high-value targets.
• Access config.xml to discover API keys or encryption keys used for message encryption.

These files, if exposed, can serve as a launchpad for further exploitation—such as SQL injection, privilege escalation, or lateral movement within a network.

Exploit Mitigation and Best Practices

While vendors like Ozeki are expected to release patches, organizations must take proactive measures to mitigate risk:

• Update immediately: Upgrade to a patched version of Ozeki SMS Gateway. As of August 2023, vendors have issued security updates; verify your version is not vulnerable.
• Restrict network access: Limit access to the web interface (port 9515) to trusted IPs only. Avoid exposing the gateway directly to the internet.
• Implement WAFs: Use Web Application Firewalls (WAFs) to detect and block directory traversal attempts. Rules should flag sequences like ..%252f or ../.
• Disable unnecessary endpoints: Disable or remove unneeded web services, especially those that expose file system access.
• Monitor logs: Regularly audit server logs for suspicious requests involving path traversal.

Corrected Code Example (Security-Enhanced Request)

While the original exploit uses a direct URL, a secure implementation would reject such requests. Here’s a hypothetical corrected server-side validation in pseudo-code:

function validateFilePath(path) {
    // Normalize path
    path = path.replace(/%252f/g, '/');
    path = path.replace(/%255c/g, '\\');

    // Check for traversal sequences
    if (path.includes('..') || path.includes('..%252f')) {
        return false;
    }

    // Ensure path starts with allowed directory
    if (!path.startsWith('/webroot/') && !path.startsWith('/app/') && !path.startsWith('/logs/')) {
        return false;
    }

    // Return true only if path is within permitted scope
    return true;
}

This example illustrates how proper input validation can prevent directory traversal attacks. By restricting allowed paths and sanitizing input, developers can eliminate the risk of arbitrary file read.

Conclusion

The Ozeki SMS Gateway 10.3.208 arbitrary file read vulnerability underscores the importance of secure coding practices, especially in applications handling sensitive data. Even seemingly minor flaws—like unvalidated file paths—can lead to catastrophic breaches. Organizations must prioritize patching, network segmentation, and proactive monitoring to stay ahead of evolving threats.

As cyberattacks grow more sophisticated, the responsibility lies not only with vendors but also with system administrators to ensure that software is deployed securely and maintained rigorously.