cbcvebase.
CVE-2012-1196
published 2012-02-18

CVE-2012-1196: Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagement Console 9.0.3 allows remote attackers…

PriorityP352medium5CVSS 2.0
AVNACLAuNCNIPAN
EXPLOIT
EPSS
55.50%
98.9th percentile
Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to delete arbitrary files via a .. (dot dot) in the filename parameter in a SetTaskLogByFile SOAP request.

Affected

1 ranges
VendorProductVersion rangeFixed in
landesklenovo_thinkmanagement_console

Detection & IOCsextracted from sources · hover to see the quote

url/WSVulnerabilityCore/VulCore.asmx
urlhttp://tempuri.org/SetTaskLogByFile
path/WSVulnerabilityCore/VulCore.asmx
path/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx
command-PutUpdateFileCore
urlhttp://tempuri.org/RunAMTCommand
pathldlogon\VulScanResults\
  • Detect unauthenticated SOAP POST requests to /WSVulnerabilityCore/VulCore.asmx with SOAPAction header set to 'http://tempuri.org/SetTaskLogByFile' and a filename parameter containing '../' (dot-dot traversal sequences).
  • Alert on SOAP POST requests to /landesk/managementsuite/core/core.anonymous/ServerSetup.asmx with SOAPAction 'http://tempuri.org/RunAMTCommand' and body containing '-PutUpdateFileCore', which is used to upload arbitrary ASP payloads.
  • Monitor for ASP file creation under the ldlogon web-accessible directory followed immediately by a SetTaskLogByFile deletion request referencing the same filename with a '../' prefix — this two-step pattern (upload then delete) is the Metasploit exploitation chain.
  • No authentication is required to invoke VulCore.asmx; any inbound SOAP request to this endpoint from an external/untrusted source should be treated as suspicious.
  • ·The vulnerability is exploitable only on default IIS installations of ThinkManagement Console 9.0.3 (and 9.0.2 with patches) where the WSVulnerabilityCore virtual directory is exposed without access controls. Restricting network access to this virtual directory mitigates exploitation.
  • ·File deletion via path traversal is constrained to paths reachable from the LDLogon\VulScanResults\ base directory; traversal depth determines which files outside this directory can be targeted.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.