CVE-2012-1195
published 2012-02-18

CVE-2012-1195: Unrestricted file upload vulnerability in landesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup web service in Lenovo ThinkManagement…

Priority: P2, 77, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 68.40% (99.2th percentile)
Unrestricted file upload vulnerability in landesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup web service in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension via a PutUpdateFileCore command in a RunAMTCommand SOAP request, then accessing the file via a direct request to the file in the web root.

Affected

1 range
  • Vendor: landesk
  • Product: lenovo_thinkmanagement_console
  • Version range: (not listed)
  • Fixed in: (not listed)

Detection & IOCs (extracted from sources)

  • url: /landesk/managementsuite/core/core.anonymous/ServerSetup.asmx
  • url: /WSVulnerabilityCore/VulCore.asmx
  • path: C:\Program Files\LANDesk\ManagementSuite\LANDesk\ManagementSuite\Core\core.anonymous\ServerSetup.asmx
  • command: -PutUpdateFileCore
  • filename: suntzu.asp
  • url: /upl/suntzu.asp
  • path: ldlogon\<random>.asp

  • Detect unauthenticated HTTP POST requests to the ServerSetup.asmx endpoint with a SOAPAction header of http://tempuri.org/RunAMTCommand and a body containing -PutUpdateFileCore as the Command argument — this is the file upload trigger.
  • Alert on HTTP GET requests to /ldlogon/*.asp or /upl/*.asp shortly after a POST to ServerSetup.asmx — this is the webshell execution step following the upload.
  • Detect POST requests to /WSVulnerabilityCore/VulCore.asmx with SOAPAction http://tempuri.org/SetTaskLogByFile containing a path traversal sequence (../) in the body — this is the cleanup/delete step used post-exploitation.
  • Monitor for .asp file creation under the LANDesk web root directories (ldlogon, upl) by the NETWORK SERVICE or ASPNET account, which indicates successful webshell drop.
  • The exploit sets an empty User-Agent string; correlate empty/blank User-Agent with POST requests to the ServerSetup.asmx path as a supporting signal.
  • The exploit targets port 80 by default (HTTP, not HTTPS); detection rules should also cover HTTPS (port 443) as the PoC disables SSL peer/host verification, indicating HTTPS deployments are also in scope.
  • The uploaded ASP webshell filename is randomised (rand_text_alpha) in the Metasploit module, so filename-based detection alone is insufficient; path-pattern matching on /ldlogon/*.asp is required.
  • The vulnerability requires no authentication; the core.anonymous virtual directory is explicitly designed to be accessible without credentials, so auth-based controls will not block exploitation.
  • The Data2 argument (file path) is subject to directory traversal, meaning the dropped file may land outside the expected /upl/ or /ldlogon/ directories; broaden monitoring to the entire IIS web root.
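
The correlation described in the bullets above, as an added example (not code from this page or from any vendor): it scans IIS W3C log lines for a POST to ServerSetup.asmx followed by a GET for any .asp file from the same client, and records the blank User-Agent and the VulCore.asmx request as supporting signals. The log field layout, the 5-minute window, the per-client-IP correlation and every sample log line are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. Assumed W3C field order is given in the #Fields line.
# IIS writes "-" for a blank User-Agent. SOAPAction and the POST body are not logged.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2012-03-01 10:00:01 198.51.100.7 POST /landesk/managementsuite/core/core.anonymous/ServerSetup.asmx 200 -
2012-03-01 10:00:04 198.51.100.7 GET /ldlogon/qWzRtYpL.asp 200 -
2012-03-01 10:00:09 198.51.100.7 POST /WSVulnerabilityCore/VulCore.asmx 200 -
2012-03-01 11:15:00 192.0.2.20 GET /ldlogon/setup.exe 200 Mozilla/4.0
2012-03-01 12:00:00 192.0.2.33 POST /LANDesk/ManagementSuite/Core/core.anonymous/ServerSetup.asmx 200 ExampleAgent
2012-03-01 12:30:00 192.0.2.33 GET /upl/report.asp 404 ExampleAgent
"""

UPLOAD = re.compile(r"/core\.anonymous/ServerSetup\.asmx$", re.I)
CLEANUP = re.compile(r"/WSVulnerabilityCore/VulCore\.asmx$", re.I)
ASP = re.compile(r"\.asp$", re.I)   # any directory: Data2 traversal can move the drop
WINDOW = timedelta(minutes=5)       # assumed meaning of "shortly after"

def parse(log):
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        d, t, ip, method, uri, status, ua = line.split()[:7]
        yield datetime.strptime(d + " " + t, "%Y-%m-%d %H:%M:%S"), ip, method, uri, int(status), ua

def detect(log):
    """Return one alert per ServerSetup POST that is followed by an .asp GET."""
    uploads, alerts = {}, []        # uploads: client IP -> state of its latest POST
    for ts, ip, method, uri, status, ua in parse(log):
        if method == "POST" and UPLOAD.search(uri):
            uploads[ip] = {"ip": ip, "upload": ts, "shell": None, "shell_status": None,
                           "empty_ua": ua == "-", "cleanup": False}
            continue
        cur = uploads.get(ip)
        if cur is None or ts - cur["upload"] > WINDOW:
            continue
        if method == "GET" and ASP.search(uri) and cur["shell"] is None:
            cur.update(shell=uri, shell_status=status)
            alerts.append(cur)
        elif method == "POST" and CLEANUP.search(uri) and cur["shell"]:
            cur["cleanup"] = True   # supporting signal: VulCore.asmx hit after the .asp GET
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Matching on the -PutUpdateFileCore argument, the SOAPAction header or a ../ sequence in the body needs a sensor that sees request headers and bodies (WAF, reverse proxy or network IDS), since default IIS logs carry only the URI.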