
Full Disclosure mailing list archives
CVE-2018-10201 – Ncomputing vSpace Pro Directory Traversal Vulnerability
From: Javier Bernardo <javier () kwell net>
Date: Mon, 7 May 2018 13:10:24 -0300
Full disclosure of this vulnerability leaves a huge number of servers at risk.

http://www.kwell.net/kwell_blog/?p=5199

[Description]
An issue was discovered in NcMonitorServer.exe in NC Monitor Server in NComputing vSpace Pro 10 and 11. It is possible to read arbitrary files outside the root directory of the web server. This vulnerability could be exploited remotely by a crafted URL without credentials, with .../ or ...\ or ..../ or ....\ as a directory-traversal pattern to TCP port 8667. An attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.

-------------------------
[Additional Information]

    nmap -p T:8667 -Pn your_vSpace_server

    Nmap scan report for your_vSpace_server (x.x.x.x)
    Host is up (0.044s latency).
    PORT     STATE SERVICE
    8667/tcp open  unknown

    http://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini
    http://your_vSpace_server:8667/...\...\...\...\...\...\...\...\...\windows\win.ini
    http://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini
    http://your_vSpace_server:8667/....\....\....\....\....\....\....\....\....\windows\win.ini

-------------------------
[Vulnerability Type]
Directory Traversal

-------------------------
[Vendor of Product]
NComputing

-------------------------
[Affected Product Code Base]
vSpace – Pro 10
vSpace – Pro 11

-------------------------
[Affected Component]
NcMonitorServer.exe
TCP 8667
NC Monitor Server: Health monitoring agents connect to it to provide collected data

-------------------------
[Attack Type]
Remote

-------------------------
[Impact Information Disclosure]
True

-------------------------
[Discoverer]
Javier Bernardo – Kwell.net <http://www.kwell.net>
email: javier () kwell net

-------------------------
https://nvd.nist.gov/vuln/detail/CVE-2018-10201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10201

[Attack vectors]
Unprivileged access to files across the whole file system could lead to exposure of sensitive data like: password hashes, application hard codes, history files, log files, databases, etc. A malicious user could use this vulnerability to fingerprint the operating system, software, hardware, drivers, devices, networks, etc. and also access source code of applications which they can scour for more vulnerabilities. In some situations, an attacker can leverage the file path traversal vulnerability to gain complete control over the server.

In this example you will see a Proof of Concept video of the vulnerability found.

https://www.youtube.com/watch?v=lP9po6LRUfA

First, I check whether the service is running on the server by running Nmap against port 8667/tcp. At first sight, vSpace does not specify a way to change the Health Service Agent port. We are investigating server responses in order to detect this service on any other port.

Next, I used the fuzzer DotDotPwn <http://dotdotpwn.sectester.net/> just to "double-check" the expression that I found which triggers the path traversal vulnerability. The command has a tweak to create the correct pattern with three or four dots. My fuzzer tests these kinds of combinations. I have contacted DotDotPwn to see if they test this pattern. If not, it will be a good idea to do it.

The Ncomputing platform requires Remote Desktop Protocol; by cracking password hashes, attackers could gain remote access to the server. Also, I guess this vulnerability could easily lead to an excessive usage of hardware resources (CPU, RAM, HD, and Network) if you, for example, try to read multiple large files. I did not test it yet, but Denial of Service could be around the corner.

I have successfully verified the vulnerability in vSpace Pro 10 and the recently released version 11.

https://www.youtube.com/watch?v=OerzlX4iL5Y

There are many cases in which directory traversal attacks could also lead to overwriting arbitrary files and directory listing exposures. This can lead to information leakage and can be used to pivot to other more serious attacks like remote code execution.

If we base estimations on Ncomputing's own numbers, I quote "…With over 70,000 customers and 20 million daily users in 140 countries…" including government, plus that the vendor announces Linux and Citrix compatibility, this vulnerability puts a great number of servers around the world at high risk.

[Suggested Workaround]
Disable Health Monitor Agent Service.

[Suggested Solution]
Patch from vendor for both versions (vSpace Pro 10 and vSpace Pro 11)
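An added detection example, not part of the original post or of any vendor code: it flags requests to the monitor port whose path contains a segment made only of two or more dots, which covers the three- and four-dot patterns listed in the advisory that a rule matching only an exact ".." segment would miss. The log line format, function names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# A path segment made only of two or more dots, delimited by a slash or
# backslash. Covers "..", "..." and "...." in both slash styles.
DOT_SEGMENT = re.compile(r"(?:^|[\\/])\.{2,}(?=[\\/]|$)")
# Narrow rule kept for comparison: a segment that is exactly "..".
EXACT_DOTDOT = re.compile(r"(?:^|[\\/])\.\.(?=[\\/]|$)")

MONITOR_PORT = 8667  # NC Monitor Server port given in the advisory

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so single and double encoding are both seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path, pattern=DOT_SEGMENT):
    return bool(pattern.search(decode_fully(path)))

def scan(log_lines, port=MONITOR_PORT):
    """Return (client, path) for dot-segment requests to the monitored port.
    Assumed, constructed line format: "<client> <dst_port> <method> <path>".
    """
    hits = []
    for line in log_lines:
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of raising
        client, dst_port, _method, path = parts
        if dst_port == str(port) and is_traversal(path):
            hits.append((client, path))
    return hits

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE = [
    "192.0.2.10 8667 GET /.../.../.../windows/win.ini",
    r"192.0.2.10 8667 GET /....\....\....\windows\win.ini",
    "192.0.2.11 8667 GET /%2e%2e%2e/%2e%2e%2e/windows/win.ini",
    "192.0.2.12 8667 GET /status/v1.2...beta/info",
    "192.0.2.13 80 GET /.../.../windows/win.ini",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The fourth sample line shows that dots inside a longer segment name are not flagged, and the fifth that traffic to other ports is out of scope for this rule.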