CVE-2012-1195
Published: 2012-02-18
Priority: P2 · 77 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 68.40% (99.2th percentile)
Unrestricted file upload vulnerability in landesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup web service in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension via a PutUpdateFileCore command in a RunAMTCommand SOAP request, then accessing the file via a direct request to the file in the web root.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| landesk | lenovo_thinkmanagement_console | — | — |
Detection & IOCs (extracted from sources)
Path: C:\Program Files\LANDesk\ManagementSuite\LANDesk\ManagementSuite\Core\core.anonymous\ServerSetup.asmx
- Detect unauthenticated HTTP POST requests to the ServerSetup.asmx endpoint with a SOAPAction header of http://tempuri.org/RunAMTCommand and a body containing -PutUpdateFileCore as the Command argument — this is the file upload trigger.
- Alert on HTTP GET requests to /ldlogon/*.asp or /upl/*.asp shortly after a POST to ServerSetup.asmx — this is the webshell execution step following the upload.
- Detect POST requests to /WSVulnerabilityCore/VulCore.asmx with SOAPAction http://tempuri.org/SetTaskLogByFile containing a path traversal sequence (../) in the body — this is the cleanup/delete step used post-exploitation.
- Monitor for .asp file creation under the LANDesk web root directories (ldlogon, upl) by the NETWORK SERVICE or ASPNET account, which indicates successful webshell drop.
- The exploit sets an empty User-Agent string; correlate empty/blank User-Agent with POST requests to the ServerSetup.asmx path as a supporting signal.
- The exploit targets port 80 by default (HTTP, not HTTPS); detection rules should also cover HTTPS (port 443) as the PoC disables SSL peer/host verification, indicating HTTPS deployments are also in scope.
- The uploaded ASP webshell filename is randomised (rand_text_alpha) in the Metasploit module, so filename-based detection alone is insufficient; path-pattern matching on /ldlogon/*.asp is required.
- The vulnerability requires no authentication; the core.anonymous virtual directory is explicitly designed to be accessible without credentials, so auth-based controls will not block exploitation.
- The Data2 argument (file path) is subject to directory traversal, meaning the dropped file may land outside the expected /upl/ or /ldlogon/ directories; broaden monitoring to the entire IIS web root.
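The correlation described in the list above, as an added example (not code from this page or from any vendor): a Python pass over IIS-style access log lines that alerts when one client POSTs to ServerSetup.asmx and then GETs an .asp file under /ldlogon/ or /upl/. The log lines, the reduced field layout and the five-minute window are constructed assumptions; matching is on URI only because standard IIS W3C logs do not record the SOAP body.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines (not captured traffic). Assumed field layout:
# date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2012-04-10 09:15:02 GET /landesk/managementsuite/console.aspx 10.0.0.5 Mozilla/5.0 200
2012-04-10 09:20:11 POST /landesk/managementsuite/core/core.anonymous/ServerSetup.asmx 203.0.113.7 - 200
2012-04-10 09:20:13 GET /ldlogon/qWzRtYpL.asp 203.0.113.7 - 200
2012-04-10 09:20:15 POST /WSVulnerabilityCore/VulCore.asmx 203.0.113.7 - 200
2012-04-10 10:02:40 POST /landesk/managementsuite/core/core.anonymous/ServerSetup.asmx 10.0.0.9 LANDesk-Agent 200
2012-04-10 11:30:00 GET /upl/report.asp 10.0.0.5 Mozilla/5.0 404
"""

UPLOAD = re.compile(r"/core\.anonymous/ServerSetup\.asmx$", re.I)
SHELL = re.compile(r"^/(ldlogon|upl)/[^/]+\.asp$", re.I)
CLEANUP = re.compile(r"/WSVulnerabilityCore/VulCore\.asmx$", re.I)
WINDOW = timedelta(minutes=5)  # assumed meaning of "shortly after"

def parse(text):
    """Yield (timestamp, method, uri, client, user_agent, status) per log line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        d, t, method, uri, ip, ua, status = line.split()
        yield datetime.strptime(d + " " + t, "%Y-%m-%d %H:%M:%S"), method, uri, ip, ua, int(status)

def detect(text, window=WINDOW):
    """Alert per client on a ServerSetup.asmx POST followed by an .asp GET."""
    last_post = {}  # client IP -> (time, blank_ua) of latest ServerSetup.asmx POST
    alerts = []
    for ts, method, uri, ip, ua, status in parse(text):
        if method == "POST" and UPLOAD.search(uri):
            last_post[ip] = (ts, ua == "-")  # IIS logs an empty User-Agent as "-"
        elif method == "GET" and SHELL.match(uri) and ip in last_post:
            post_ts, blank_ua = last_post[ip]
            if ts - post_ts <= window:
                alerts.append({"client": ip, "asp": uri, "post": post_ts,
                               "blank_ua": blank_ua, "cleanup": False})
        elif method == "POST" and CLEANUP.search(uri):
            for a in alerts:  # VulCore.asmx POST after an alert: supporting signal
                if a["client"] == ip and ts - a["post"] <= window:
                    a["cleanup"] = True
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because the Data2 path is subject to directory traversal, the `SHELL` pattern should be widened to the whole IIS web root in production, and file-creation monitoring remains the stronger signal.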
No detection rules found.
Exploit-DB
LANDesk Lenovo ThinkManagement Console - Remote Command Execution (Metasploit)
exploitdb·2012-04-08
CVE-2012-1196 LANDesk Lenovo ThinkManagement Console - Remote Command Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'LANDesk Lenovo ThinkManagement Console Remote Command Execution',
'Description' => %q{
This module can be used to execute a payload on LANDesk Lenovo
ThinkManagement Suite 9.0.2 and 9.0.3.
The payload is uploaded as an ASP script by sending a specially crafted
SOAP request to "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"
, via a "RunAMTCommand" operation with the command '-PutUpdateFileCore'
as the argument.
After e
Exploit-DB
LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution
exploitdb·2012-03-19
CVE-2012-1195 LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution
---
LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server AMTConfig.Business.dll
RunAMTCommand Remote Code Execution Vulnerability
Tested against: Microsoft Windows Server 2003 r2 sp2
Software home page: http://www.landesk.com/lenovo/thinkmanagement-console.aspx
Download url: http://www.landesk.com/downloads/lenovo/50.aspx
Files tested:
ThinkManagement9.0.2.exe
LD90-SP2-MCP_CONS-2011-0428.exe
LD90-SP2-MCP_SD-2011-0428.exe
ThinkManagementConsole9.0.3_b28.zip
Instructions were to install 9.0.2, then apply two patches, finally to install 9.0.3
Background:
The mentioned product creates various virtual directories on IIS.
Among them the 'core.anonymous' one inside the 'landesk' tree.
Without prior authentic
Metasploit
LANDesk Lenovo ThinkManagement Console Remote Command Execution
metasploit
This module can be used to execute a payload on LANDesk Lenovo ThinkManagement Suite 9.0.2 and 9.0.3. The payload is uploaded as an ASP script by sending a specially crafted SOAP request to "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx", via a "RunAMTCommand" operation with the command '-PutUpdateFileCore' as the argument. After execution, the ASP script with the payload is deleted by sending another specially crafted SOAP request to "WSVulnerabilityCore/VulCore.asmx" via a "SetTaskLogByFile" operation.
No writeups or analysis indexed.
- http://osvdb.org/79276
- http://secunia.com/advisories/47666
- http://www.securityfocus.com/bid/52023
- http://www.securitytracker.com/id?1026693
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73207
Published: 2012-02-18