Message-ID: <CAFz4UQ8pbdmjxU3hRVJY9fKCP=dtX4RKa6OSkQh=1_mPMwx4tQ@mail.gmail.com>
Date: Tue, 24 Mar 2020 04:56:35 +0400
From: Eldar Marcussen <wireghoul@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] HP ThinPro - Citrix command injection

HP ThinPro - Citrix command injection
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2019-18909

CVSSv3 score
-------------------------------------------------
6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Vendor
-------------------------------------------------
HP - https://www.hp.com

Product
-------------------------------------------------
Deliver secure desktop virtualization that’s as comfortable for IT as it is for
end users with the stunningly redesigned HP ThinPro. It has a bold new user
interface and workflow refinements that make it a breeze to configure, manage,
and use right out of the box.

Affected versions
-------------------------------------------------
- HP ThinPro Linux 7.1
- HP ThinPro Linux 7.0
- HP ThinPro Linux 6.2.1
- HP ThinPro Linux 6.2

Credit
-------------------------------------------------
Eldar Marcussen - xen1thLabs - Software Labs

Vulnerability summary
-------------------------------------------------
The Citrix receiver connection wrapper function does not safely handle
user-supplied data, allowing an unauthenticated attacker to use command-line
syntax to execute arbitrary commands on the device.

Technical details
-------------------------------------------------
The user-supplied value provided for the domain portion of the login screens
for `Citrix receiver` is vulnerable to command injection. An unauthenticated
attacker can exploit this to execute commands with the privileges of the local
user.

Proof of concept
-------------------------------------------------
The following evidence is provided to illustrate the existence and
exploitation:

1. At the `Citrix receiver` login screen enter the following details:
   * username: \pwnt
   * password: pwnt
   * Domain should be empty
2. Click `Connect`
3. In the `Citrix server details` window, enter the following for domain:
   `;xterm;echo `
4. Click `Connect`
5. Observe that xterm spawns

Solution
-------------------------------------------------
Contact vendor for a solution

Timeline
-------------------------------------------------
Date        | Status
------------|-----------------------------
19-AUG-2019 | Reported to vendor
22-NOV-2019 | Patch available
24-MAR-2020 | Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
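
The class of bug described under "Technical details", as an added example that is not part of the original advisory and is not HP's code: a hypothetical launcher whose domain field is re-parsed by a shell, beside a version that validates the field and passes it as a single argument. The function names, the allowlist policy and the printf stand-in for the client binary are assumptions; the input is a constructed, harmless marker.

```sh
#!/bin/sh
# Added illustration; hypothetical launcher, not HP ThinPro code.
# printf stands in for the real client binary so nothing is launched.
LC_ALL=C; export LC_ALL

# Vulnerable pattern: the field is spliced into a string that a second
# shell parses, so ';' in the field ends the command and starts another.
launch_unsafe() {
    sh -c "printf 'connect domain=%s\n' $1"
}

# Fix, part 1: keep the field as one quoted argument; no re-parsing.
launch_quoted() {
    printf 'connect domain=%s\n' "$1"
}

# Fix, part 2: allowlist (assumed policy): letters, digits, '.', '-',
# at most 253 characters, no leading '-' (would look like an option).
is_valid_domain() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

launch_safe() {
    if ! is_valid_domain "$1"; then
        echo "domain rejected" >&2
        return 1
    fi
    launch_quoted "$1"
}

# Constructed input with a harmless marker command.
sample=';echo INJECTED;echo '
launch_unsafe "$sample"      # marker runs as a separate command
launch_quoted "$sample"      # printed back as plain data
launch_safe "$sample" || echo "safe launcher refused the field"
launch_safe 'CORP.example'   # accepted
```

Quoting alone stops the re-parse; the allowlist additionally keeps option-like or malformed values from reaching the client at all.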