CVE-2012-1196
published 2012-02-18CVE-2012-1196: Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagement Console 9.0.3 allows remote attackers…
PriorityP352medium5CVSS 2.0
AVNACLAuNCNIPAN
EXPLOIT
EPSS
55.50%
98.9th percentile
Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to delete arbitrary files via a .. (dot dot) in the filename parameter in a SetTaskLogByFile SOAP request.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| landesk | lenovo_thinkmanagement_console | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unauthenticated SOAP POST requests to /WSVulnerabilityCore/VulCore.asmx with SOAPAction header set to 'http://tempuri.org/SetTaskLogByFile' and a filename parameter containing '../' (dot-dot traversal sequences). ↗
- →Alert on SOAP POST requests to /landesk/managementsuite/core/core.anonymous/ServerSetup.asmx with SOAPAction 'http://tempuri.org/RunAMTCommand' and body containing '-PutUpdateFileCore', which is used to upload arbitrary ASP payloads. ↗
- →Monitor for ASP file creation under the ldlogon web-accessible directory followed immediately by a SetTaskLogByFile deletion request referencing the same filename with a '../' prefix — this two-step pattern (upload then delete) is the Metasploit exploitation chain. ↗
- →No authentication is required to invoke VulCore.asmx; any inbound SOAP request to this endpoint from an external/untrusted source should be treated as suspicious. ↗
- ·The vulnerability is exploitable only on default IIS installations of ThinkManagement Console 9.0.3 (and 9.0.2 with patches) where the WSVulnerabilityCore virtual directory is exposed without access controls. Restricting network access to this virtual directory mitigates exploitation. ↗
- ·File deletion via path traversal is constrained to paths reachable from the LDLogon\VulScanResults\ base directory; traversal depth determines which files outside this directory can be targeted. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
LANDesk Lenovo ThinkManagement Console - Remote Command Execution (Metasploit)
exploitdb·2012-04-08
CVE-2012-1196 LANDesk Lenovo ThinkManagement Console - Remote Command Execution (Metasploit)
LANDesk Lenovo ThinkManagement Console - Remote Command Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'LANDesk Lenovo ThinkManagement Console Remote Command Execution',
'Description' => %q{
This module can be used to execute a payload on LANDesk Lenovo
ThinkManagement Suite 9.0.2 and 9.0.3.
The payload is uploaded as an ASP script by sending a specially crafted
SOAP request to "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"
, via a "RunAMTCommand" operation with the command '-PutUpdateFileCore'
as the argument.
After e
Exploit-DB
LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion
exploitdb·2012-03-19
CVE-2012-1196 LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion
LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion
---
LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server WSVulnerabilityCore.dll
SetTaskLogByFile() Remote Arbitrary File Deletion Vulnerability
Tested against: Microsoft Windows Server 2003 r2 sp2
Software home page: http://www.landesk.com/lenovo/thinkmanagement-console.aspx
Download url: http://www.landesk.com/downloads/lenovo/50.aspx
Files tested:
ThinkManagement9.0.2.exe
LD90-SP2-MCP_CONS-2011-0428.exe
LD90-SP2-MCP_SD-2011-0428.exe
ThinkManagementConsole9.0.3_b28.zip
Instrunctions were to install 9.0.2, then apply two patches, finally to install 9.0.3
Background:
The mentioned product creates various virtual directories on IIS.
Among them the 'WSVulnerabilityCore' one.
Without prior authenticatio
Metasploit
LANDesk Lenovo ThinkManagement Console Remote Command Execution
metasploit
LANDesk Lenovo ThinkManagement Console Remote Command Execution
LANDesk Lenovo ThinkManagement Console Remote Command Execution
This module can be used to execute a payload on LANDesk Lenovo ThinkManagement Suite 9.0.2 and 9.0.3. The payload is uploaded as an ASP script by sending a specially crafted SOAP request to "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx" , via a "RunAMTCommand" operation with the command '-PutUpdateFileCore' as the argument. After execution, the ASP script with the payload is deleted by sending another specially crafted SOAP request to "WSVulnerabilityCore/VulCore.asmx" via a "SetTaskLogByFile" operation.
No writeups or analysis indexed.
http://osvdb.org/79277http://secunia.com/advisories/47666http://www.securityfocus.com/bid/52023http://www.securitytracker.com/id?1026693https://exchange.xforce.ibmcloud.com/vulnerabilities/73208http://osvdb.org/79277http://secunia.com/advisories/47666http://www.securityfocus.com/bid/52023http://www.securitytracker.com/id?1026693https://exchange.xforce.ibmcloud.com/vulnerabilities/73208
2012-02-18
Published