SAINT Corporation
SAINT:BA6103BFF8C33805DB02C0B6A839BBA8
Apr 27, 2012 - 12:00 a.m.

LANDesk ThinkManagement Suite ServerSetup.asmx Directory Traversal

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.152
Percentile: 95.9%

Added: 04/27/2012
CVE: CVE-2012-1195
BID: 52023
OSVDB: 79276

Background

LANDesk Lenovo ThinkManagement Console provides hardware discovery, comprehensive inventory, and reporting for Lenovo systems.

Problem

LANDesk Lenovo ThinkManagement Console runs a web application under the Microsoft IIS web server. This web application exposes some web services that do not require authentication. In versions up to 9.0.3, the ‘ServerSetup.asmx’ web service, which is accessible without authentication, contains a file upload vulnerability. An attacker can exploit it to upload a malicious server-side script to the server and then request it via the web interface, causing its contents to be executed on the server. This allows the attacker to control execution on the server.

Resolution

No updates are available at this time. Restrict network access to the LANDesk Lenovo ThinkManagement Console to administrators only.

References

<http://secunia.com/advisories/47666>
<http://retrogod.altervista.org/9sg_landesk_adv.htm>
<http://community.landesk.com/support/docs/DOC-24787>

Limitations

This exploit has been tested against LANDesk Lenovo ThinkManagement Suite 9.0.2 on Windows Server 2003 SP2 English (DEP OptOut). After successful exploitation, a file will be uploaded to /upl/exploit.asp on the server. When executed, a randomly named .EXE file will be created in the filesystem root. Both files should be manually removed after exploitation.
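For reviewing a console that may have been reachable from untrusted hosts, the following added example (not part of the SAINT advisory) scans IIS W3C logs for the two traces described above: calls to ServerSetup.asmx from hosts outside the administrator range, and requests for server-side scripts under /upl/. The administrator range, the `/ldapp/` path prefix, the extension list and the log lines are constructed assumptions.

```python
import ipaddress

# Assumption: management hosts allowed to reach the console (constructed range).
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/28")]
# Assumption: extensions IIS may hand to a script engine on this server.
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".cer", ".ashx")

# Constructed IIS W3C log sample; the /ldapp/ prefix is a placeholder path.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs-username sc-status
2012-04-27 09:14:02 POST /ldapp/ServerSetup.asmx 10.0.5.4 - 200
2012-04-27 11:31:40 POST /ldapp/ServerSetup.asmx 192.0.2.77 - 200
2012-04-27 11:31:44 GET /upl/exploit.asp 192.0.2.77 - 200
2012-04-27 12:02:10 GET /upl/readme.txt 198.51.100.9 - 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def is_admin(ip):
    """True when the client address falls inside an allowed admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)

def find_suspicious(text):
    """Return (severity, reason, record) tuples for the advisory's two signals."""
    findings, setup_callers = [], set()
    for rec in parse_w3c(text):
        stem, ip = rec["cs-uri-stem"].lower(), rec["c-ip"]
        if stem.endswith("/serversetup.asmx") and not is_admin(ip):
            setup_callers.add(ip)
            findings.append(("medium", "ServerSetup.asmx reached from non-admin host", rec))
        elif "/upl/" in stem and stem.endswith(SCRIPT_EXTS):
            # Escalate when the same client called the setup service earlier.
            sev = "high" if ip in setup_callers else "medium"
            findings.append((sev, "server-side script requested under /upl/", rec))
    return findings

if __name__ == "__main__":
    for sev, reason, rec in find_suspicious(SAMPLE_LOG):
        print(sev, reason, rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
```

Because the parser takes its column layout from the `#Fields:` directive, it works on logs with a different or larger field set as long as `cs-uri-stem` and `c-ip` are logged.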

Platforms

Windows
