[CVE-2019-12377] LANDesk Management Server - Arbitrary File Upload
A vulnerable web API endpoint in LDMS 10.0.1.168 Service Update 5 allows arbitrary file upload, which may lead to arbitrary remote code execution
When a LANDesk managed endpoint is reporting inventory and patch level information to the core server, it leverages a web API endpoint found at https://<coreserver>/upl/async_upload.asp. This endpoint does not properly sanitize user-provided values, which allows for an attacker to both control the uploaded file extension and the uploaded file location.
As this is an ASP.NET web page, we can simply open the file in a text editor to see the vulnerable code. I opened it using Notepad++ to take a look.
The script retrieves the filename through HTTP GET/POST parameters on the request, shown here:
It then saves the file using a fixed extension (.SCN) and a random filename, which provides some measure of security. Ideally, an attacker should not be able to control the extension or name of an uploaded file. You can see the temporary filename assignment here:
The service finally renames the file using the original filename and uploaded extension, in addition to a couple of other user-controlled parameters. This means the attacker has full control of both the extension and the name of the uploaded file. You can see this operation here:
On line 109, the script renames the uploaded file using the information originally provided by the uploader. This completely negates the protections offered by the module used at line 55. Paired with the open directories on the LDMS core server (discussed here: LANDesk Management Server - Open Directories), an attacker can leverage this mechanism to upload an ASP.NET web shell into a location of the attacker's choice. This can lead to arbitrary code execution on the server using the service account permissions, which can lead to full core server compromise.
The vendor has been notified of this issue, and has confirmed that LDMS version 10.0.1.168 SU 5 is no longer supported. Thus, this vulnerability will not be patched.