![]() ![]() ![]() Teradici releases public notice of vulnerability on their website here. ![]() Initial bug bounty program fixes their installation of the application, awarded $350. Teradici releases patched version of product. :įirst response from Teradici, triaging the vulnerability. Reported vulnerability to Teradici, upon learning that the vulnerability affected the entire version. Reported vulnerability to bug bounty program, believing it to be specific to their installation. From here, unauthenticated users can reset the admin password on the Management Console, and can take control of PCoIP Zero Clients and PCoIP Remote Workstation Cards managed by it." Disclosure Timeline : "The affected Management Console releases allow unauthenticated user access to the Management Console /login/resetadminpassword URL. Impactįrom the Teradici disclosure, the impact was described as the following: Using this form, any unauthenticated user was able to change the admin user's password. Visiting this link, I was even more surprised to be presented with a form to reset the Admin user's password. To my surprise, there was a route to an endpoint called "/login/resetadminpassword" that was not programmed to redirect back to the login page. Seeing that the application was built using some kind of Javascript framework, I used the Chrome developer utilities to examine the routing files, to see if there were any interesting endpoints. Using Aquatone, I found that ports 80 and 443 were open and displaying the following login page. While participating in an undisclosed bug bounty program, I discovered a subdomain with the name "mc.****.************.com". Either the password and username were typed in incorrectly or the Active Directory system is not configured for the username/password combination. Password and username could not be validated If the authenticate message could not be validated on the host itself. Within this blog post, I'll be giving an overview of the discovery process. Root Cause: Remedy: Authenticate was not successful. Once reported to Mitre, this vulnerability was issued CVE-2020-10965. The impact of this bug is critical, with almost no attacker interaction needed. ![]() This vulnerability was in a software package owned by a major vendor, Teradici, which provides management software for several different kinds of remote workstation setups. Teradici - PCoIP Management Console version 20.01.0 and 19.11.1Īfter nearly five years of working with Application Security I was finally able to discover a security bug worthy of a CVE. Teradici and CVE-2020-10965: An issue of routing. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |