Teradici and CVE-2020-10965: An issue of routing.
Vendor and impacted product
Teradici - PCoIP Management Console version 20.01.0 and 19.11.1
After nearly five years of working with Application Security I was finally able to discover a security bug worthy of a CVE. This vulnerability was in a software package owned by a major vendor, Teradici, which provides management software for several different kinds of remote workstation setups. The impact of this bug is critical, with almost no attacker interaction needed. Once reported to Mitre, this vulnerability was issued CVE-2020-10965. Within this blog post, I'll be giving an overview of the discovery process.
While participating in an undisclosed bug bounty program, I discovered a subdomain with the name "mc.****.************.com". Using Aquatone, I found that ports 80 and 443 were open and displaying the following login page.
To my surprise, there was a route to an endpoint called "/login/resetadminpassword" that was not programmed to redirect back to the login page.
Visiting this link, I was even more surprised to be presented with a form to reset the Admin user's password. Using this form, any unauthenticated user was able to change the admin user's password.
From the Teradici disclosure, the impact was described as the following:
"The affected Management Console releases allow unauthenticated user access to the Management Console /login/resetadminpassword URL. From here, unauthenticated users can reset the admin password on the Management Console, and can take control of PCoIP Zero Clients and PCoIP Remote Workstation Cards managed by it."
29 Feb 2020:
Reported vulnerability to bug bounty program, believing it to be specific to their installation.
29 Feb 2020:
Reported vulnerability to Teradici, upon learning that the vulnerability affected the entire version.
03 Mar 2020:
First response from Teradici, triaging the vulnerability.
04 Mar 2020:
Teradici awards a bounty of $1000.
05 Mar 2020:
Teradici releases patched version of product.
07 Mar 2020:
Initial bug bounty program fixes their installation of the application, awarded $350.
13 Mar 2020:
Teradici releases public notice of vulnerability on their website here.
Teradici Vulnerability Disclosure
MITRE CVE Notice
National Vulnerability Database CVE Notice