NComputing vSpace Pro Directory Traversal Vulnerability
An issue was discovered in NcMonitorServer.exe in NC Monitor Server in NComputing vSpace Pro 10 and 11.
It is possible to read arbitrary files outside the root directory of the web server. This vulnerability could be exploited remotely, without credentials, by a crafted URL sent to TCP port 8667 with .../ or ...\ or ..../ or ....\ as a directory-traversal pattern.
An attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.
nmap -p T:8667 -Pn your_vSpace_server
Nmap scan report for your_vSpace_server (x.x.x.x)
Host is up (0.044s latency).
PORT STATE SERVICE
8667/tcp open unknown
[Vendor of Product]
[Affected Product Code Base]
vSpace – Pro 10
vSpace – Pro 11
NcMonitorServer.exe TCP 8667
NC Monitor Server: Health monitoring agents connect to it to provide collected data
[Impact Information Disclosure]
Unprivileged access to files across the entire file system could lead to exposure of sensitive data such as password hashes, hard-coded values in applications, history files, log files, databases, etc. A malicious user could use this vulnerability to fingerprint the operating system, software, hardware, drivers, devices, networks, etc., and also to access the source code of applications, which they can scour for more vulnerabilities. In some situations, an attacker can leverage the file path traversal vulnerability to gain complete control over the server.
In this example you will see a proof-of-concept video of the vulnerability I found.
First, I check whether the service is running on the server by running Nmap against port 8667/tcp. At first sight, vSpace does not specify a way to change the Health Service Agent port. We are investigating server responses in order to detect this service on any other port.
Next, I used the fuzzer DotDotPwn just to “double-check” the expression I found that triggers the path traversal vulnerability. The command has a tweak to create the correct pattern with three or four dots. My fuzzer tests these kinds of combinations. I have contacted DotDotPwn to see if they test this pattern. If not, it would be a good idea to do so.
The NComputing platform requires Remote Desktop Protocol; by cracking password hashes, attackers could gain remote access to the server.
Also, I guess this vulnerability could easily lead to excessive usage of hardware resources (CPU, RAM, HD, and network) if, for example, you try to read multiple large files. I have not tested it yet, but denial of service could be around the corner.
I have successfully verified the vulnerability in vSpace Pro 10 and the recently released version 11.
There are many cases in which directory traversal attacks could also lead to overwriting arbitrary files and directory listing exposures. This can lead to information leakage and can be used to pivot to other more serious attacks like remote code execution.
If we base estimates on NComputing's own numbers (I quote: “…With over 70,000 customers and 20 million daily users in 140 countries…”, including government), and add that the vendor announces Linux and Citrix compatibility, this vulnerability puts a great number of servers around the world at high risk.
Disable Health Monitor Agent Service.
Patch from vendor for both versions (vSpace Pro 10 and vSpace Pro 11)
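To check captured requests to TCP port 8667 for the three- and four-dot pattern described above, the following added example (not part of the original advisory or any vendor tooling) flags any path segment made only of dots, before or after percent-decoding; it goes slightly beyond the advisory by also catching the classic two-dot form. The log line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

SEPARATORS = re.compile(r"[/\\]")      # both separators named in the advisory
DOT_SEGMENT = re.compile(r"^\.{2,}$")  # "..", "...", "...." and longer runs
MAX_DECODE_ROUNDS = 3                  # assumption: bound for nested encoding


def fully_decode(target):
    """Percent-decode repeatedly so %2e%2e%2e and %252e... forms are normalised."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def traversal_segments(target):
    """Return the dot-only segments found in a request target."""
    path = fully_decode(target)
    return [s for s in SEPARATORS.split(path) if DOT_SEGMENT.match(s)]


def flag_requests(log_lines):
    """Yield (client, target, segments) for lines containing dot-only segments.

    Assumed line format (constructed): "<client> <method> <target>".
    """
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # not in the assumed format
        client, _method, target = parts
        segments = traversal_segments(target)
        if segments:
            yield client, target, segments


# Constructed sample lines, not captured from a real vSpace server.
SAMPLE = [
    "192.0.2.10 GET /status",
    "192.0.2.44 GET /.../.../example.txt",
    "192.0.2.44 GET /....\\....\\example.txt",
    "192.0.2.45 GET /%2e%2e%2e/example.txt",
    "192.0.2.46 GET /files/report.v1...final.txt",  # dots inside a name: benign
]

if __name__ == "__main__":
    for client, target, segments in flag_requests(SAMPLE):
        print(f"{client} {target} -> {segments}")
```

Matching whole segments rather than the substring ".../" keeps file names that merely contain runs of dots from being flagged.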