Skip to navigation Skip to main content Skip to footer

Technical Advisory: Unauthenticated SQL Injection in Lansweeper

Vendor: Lansweeper
Vendor URL: https://www.lansweeper.com/
Versions affected: prior to 7.1.117.4
Systems Affected: Lansweeper application
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://www.lansweeper.com/changelog/ - CVE-2019-13462
Risk: Critical when MSSQL database is in use (not default)

Summary

The Lansweeper application is agentless network inventory software that can be used for IT asset management. It uses the ASP.NET technology on its web application.

Versions prior to 7.1.117.4 are vulnerable to a SQL injection issue that can be exploited by unauthenticated attackers.

 

Location

The widget handler module was affected.

 

Impact

Unauthenticated attackers could exploit this issue to log into the application to ultimately execute commands on the server using the application’s built-in features (by adding a ‘new package’ and ‘scheduled deployments’ under the ‘Deployment’ menu).

As the injection was within an ‘update’ query, it was very difficult to exploit it when SQL Compact was used (default option). However, when SQL Server was used, this issue could be easily exploited to modify data or retrieve information from the database or its underlying server.

 

Details

The ‘column’ parameter of the ‘Sort’ method of the ‘WidgetHandler.ashx’ handler was vulnerable to SQL injection.

The following code shows the affected method before applying the patch:

public static void Sort(HttpContext context)
{
StringBuilder stringBuilder = new StringBuilder();
int num = int.Parse(context.Request.QueryString["ID"]);
string item = context.Request.QueryString["row"];
string str = context.Request.QueryString["column"];
stringBuilder.AppendFormat("update tsysWebTabControls set RowID={0} , ColumnID={1} where TabControlID={2}", item, str, num);
DB.ExecuteNonQuery(stringBuilder.ToString(), new IDbDataParameter[0]);
}

It should be noted that an error-based method could be used to simply retrieve data. In addition to this, a user could be added to the database to log into the application.

 

Recommendation

It is recommended to update the application to the latest version (7.1.117.4 at the time of writing this report).

 

Vendor Communication

08/07/2019: initial report to Lansweeper
08/07/2019: vendor confirmed the vulnerability and developed a quick fix
10/07/2019: a security patch was released
11/07/2019: the security patch was tested by NCC Group and all was fine
12/07/2019: changelog was updated by Lansweeper indicating the fixed issue
25/07/2019: public disclosure by NCC Group

 

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.