Date: Mon, 7 May 2018 13:10:24 -0300
From: Javier Bernardo <>
Subject: [FD] CVE-2018-10201 – Ncomputing vSpace Pro Directory Traversal Vulnerability


Full disclosure of this vulnerability leaves a huge number of servers
at risk.

CVE-2018-10201 – Ncomputing vSpace Pro Directory Traversal Vulnerability


*Ncomputing vSpace Pro Directory Traversal Vulnerability*


An issue was discovered in NcMonitorServer.exe in NC Monitor Server in
NComputing vSpace Pro 10 and 11.

It is possible to read arbitrary files outside the root directory of
the web server. This vulnerability could be exploited remotely by a
crafted URL without credentials, with .../ or ...\ or ..../ or ....\ as a
directory-traversal pattern to TCP port 8667.

An attacker can make use of this vulnerability to step out of the root
directory and access other parts of the file system. This might give
the attacker the ability to view restricted files, which could provide
the attacker with more information required to further compromise the

-------------------------

[Additional Information]

nmap -p T:8667 -Pn your_vSpace_server

Nmap scan report for your_vSpace_server (x.x.x.x)
Host is up (0.044s latency).

8667/tcp open  unknown





-------------------------

[Vulnerability Type]
Directory Traversal

-------------------------

[Vendor of Product]

-------------------------

[Affected Product Code Base]
vSpace – Pro 10
vSpace – Pro 11

-------------------------

[Affected Component]
NcMonitorServer.exe TCP 8667
NC Monitor Server: Health monitoring agents connect to it to provide
collected data

-------------------------

[Attack Type]

-------------------------

[Impact Information Disclosure]

-------------------------

Javier Bernardo – <>
email: <>

-------------------------

[Attack vectors]

Unprivileged access to files across the whole file system could lead to
exposure of sensitive data such as password hashes, hard-coded
application values, history files, log files, databases, etc. A
malicious user could use this vulnerability to fingerprint the operating
system, software, hardware, drivers, devices, networks, etc. and also
access the source code of applications, which they can scour for more
vulnerabilities. In some situations, an attacker can leverage the file
path traversal vulnerability to gain complete control over the server.

In this example you will see a Proof of Concept Video of the founded

First, I check whether the service is running on the server by running
Nmap against port 8667/tcp. At first sight, vSpace does not specify a
way to change the Health Service Agent port. We are investigating server
responses in order to detect this service on any other port.

Next, I used the fuzzer DotDotPwn <>
just to “double-check” the expression that I found which triggers the
path traversal vulnerability. The command has a tweak to create the
correct pattern with three or four dots. My fuzzer tests these kinds of
combinations. I have contacted DotDotPwn to see if they test this
pattern. If not, it will be a good idea to do it.

The Ncomputing platform requires Remote Desktop Protocol; by cracking
password hashes, attackers could gain remote access to the server.

Also, I guess this vulnerability could easily lead to excessive usage
of hardware resources (CPU, RAM, HD, and network) if you, for example,
try to read multiple large files. I have not tested it yet, but
Denial of Service could be around the corner.

I have successfully verified the vulnerability in vSpace Pro 10 and
the recently released version 11.

There are many cases in which directory traversal attacks could also
lead to overwriting arbitrary files and directory listing exposures.
This can lead to information leakage and can be used to pivot to other
more serious attacks like remote code execution.

If we base our estimate on Ncomputing's own numbers (I quote: “…With
over 70,000 customers and 20 million daily users in 140 countries…”,
including government), and given that the vendor announces Linux and
Citrix compatibility, this vulnerability puts a great number of servers
around the world at high risk.

[Suggested Workaround]

Disable Health Monitor Agent Service.

[Suggested Solution]

Patch from vendor for both versions (vSpace Pro 10 and vSpace Pro 11
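
An added detection example, not part of the original post or of any vendor code: it flags request targets whose path contains a segment made only of two or more dots, which covers the three- and four-dot patterns with either separator that the advisory describes. The request targets, file names and function names are constructed for illustration; the advisory does not describe any log format.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

SEPARATORS = re.compile(r"[\\/]+")   # treat "/" and "\" alike
DOT_RUN = re.compile(r"^\.{2,}$")    # "..", "...", "....", and longer runs

def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly so %2e and double-encoded %252e become '.'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def traversal_segments(target: str) -> List[str]:
    """Return the path segments that consist only of two or more dots."""
    path = fully_decode(target.split("?", 1)[0])
    return [seg for seg in SEPARATORS.split(path) if DOT_RUN.match(seg)]

def naive_match(target: str) -> bool:
    """Common weak check: exact '..' segment, '/' only, no decoding."""
    return ".." in target.split("/")

def flag_requests(targets: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (target, offending segments) for every suspicious request."""
    hits = []
    for target in targets:
        segments = traversal_segments(target)
        if segments:
            hits.append((target, segments))
    return hits

# Constructed sample request targets (not captured traffic).
SAMPLES = [
    "/status/agents.xml",
    "/img/logo.v1.2.png",
    "/.../.../example.txt",
    "/....\\....\\example.txt",
    "/%2e%2e%2e/%252e%252e%252e%252e%5cexample.txt",
    "/docs/release...notes.txt",
]

if __name__ == "__main__":
    for target, segments in flag_requests(SAMPLES):
        print(f"suspicious: {target!r} segments={segments} "
              f"naive_check_caught={naive_match(target)}")
```

Matching whole segments rather than substrings keeps file names such as release...notes.txt from being flagged, while the exact-match check in naive_match misses every three- and four-dot sample.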