LANDesk ThinkManagement File Deletion (April 27, 2012)


LANDesk Lenovo ThinkManagement Suite is an application for monitoring and maintaining the availability of devices on the network. It forms the foundation of other LANDesk products such as Lenovo Hardware Password Manager, Security Suite, and Antivirus. ThinkManagement Console includes a web-based console, health dashboard and monitoring, scheduled task view, remote control, software license monitoring, performance monitoring, agentless device management, and reporting.

The main component of the ThinkManagement Suite is the Core Server, through which all of ThinkManagement’s files and services are provided. The Core Server hosts a variety of LANDesk services and a web service, and provides a connection to the management database. It exposes the VulCore.asmx web service on the target server. VulCore.asmx is responsible for processing vulnerability scan requests and uses the LDAppVulnerability application pool. This service can be accessed remotely without requiring any authentication or authorization by sending SOAP HTTP requests to the resource. The following sample HTTP request illustrates the use of a SOAP header:

 POST /WSVulnerabilityCore/VulCore.asmx HTTP/1.1
 SOAPAction: "http://testing.com/RunAMTCommand"

 1111 1 testfile.txt

The default folder permissions allow remote invocation of VulCore.asmx without any authentication. Some of the web methods exposed by VulCore.asmx that can be passed in the SOAPAction header are shown:

 GetPatchesForGroup()
 PutVulnerabilityResults()
 SendRunStatus()
 SetPatchInstallStatus2()
 SetTaskLog()
 SetTaskLogByFile()

The SetTaskLogByFile method’s prototype is shown:

public void SetTaskLogByFile(int computerIdn, int taskid, string filename)

A directory traversal vulnerability exists in the Core Server component of LANDesk Lenovo ThinkManagement Suite. The vulnerability is created by a lack of proper sanitization of parameters in SOAP requests containing the SetTaskLogByFile web method of the service. The vulnerable code does not verify the filename parameter, allowing remote attackers to remove any file under the C:\Program Files\LANDesk\ManagementSuite\ldlogon directory by prepending a directory traversal character sequence to the specified filename. Remote, unauthenticated attackers could exploit this vulnerability by sending crafted SOAP requests to the VulCore.asmx resource with a malicious filename parameter value of the SetTaskLogByFile method. Successful exploitation allows the attacker to delete arbitrary files on the target host. This can lead to a denial of service condition if important executables and libraries are deleted.
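The missing check on the filename parameter, written out as an added example: this is not LANDesk code, and the page does not show the vendor's implementation or fix. TaskLogPaths, Resolve and the C:\ExampleLogs base directory are hypothetical names; a handler with the SetTaskLogByFile signature would call such a check before touching the file system.

```csharp
using System;
using System.IO;

// Added example (hypothetical names, not vendor code): confine a
// caller-supplied log file name to one base directory.
public static class TaskLogPaths
{
    // Returns the canonical path of fileName inside baseDir, or throws
    // if the name is empty, carries path components, or resolves elsewhere.
    public static string Resolve(string baseDir, string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            throw new ArgumentException("empty file name");

        // A log name needs no separators and no drive or stream colon.
        // Listed explicitly so the result does not depend on the platform's
        // Path.GetInvalidFileNameChars().
        if (fileName.IndexOfAny(new[] { '\\', '/', ':' }) >= 0)
            throw new UnauthorizedAccessException("path characters in file name");

        // Canonicalise, then require the result to stay under the base
        // directory. The trailing separator on root stops a sibling such as
        // "C:\ExampleLogsOld" from passing the prefix test, and also makes
        // the bare names "." and ".." fail it.
        string root = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("resolves outside base directory");

        return full;
    }

    public static void Main()
    {
        // Constructed inputs; the base directory is a placeholder.
        string baseDir = @"C:\ExampleLogs";
        string[] names = { "testfile.txt", @"..\..\app.exe", "../web.config", @"C:\boot.ini", ".." };
        foreach (string name in names)
        {
            try { Console.WriteLine("allow  " + Resolve(baseDir, name)); }
            catch (Exception e) { Console.WriteLine("reject " + name + " (" + e.Message + ")"); }
        }
    }
}
```

Input validation of this kind does not replace the access control the service lacks: the web method should also require an authenticated, authorized caller.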

SonicWALL has released the following IPS signatures to address this issue:

  • 7754 – Lenovo ThinkManagement Console Directory Traversal
  • 7699 – Lenovo ThinkManagement Console Arbitrary File Overwrite

The vulnerability has been assigned CVE-2012-1196 by MITRE.
