Parallels RAS Username Enumeration Flaw
CVE-2017-9447 Strikes Again?
Earlier this year, we were assessing a network that contained a Parallels Remote Application Server (RAS). Parallels RAS is a remote working solution that provides access to virtual desktops and applications. It can run on both Windows and Linux and is typically seen on the standard HTTPS port.
The platform has previously been vulnerable to a directory traversal flaw (CVE-2017-9447), which allowed remote, unauthenticated attackers to read arbitrary files from vulnerable systems.
Testing in this scenario revealed that the RAS service was no longer vulnerable to the directory traversal flaw; the issue was mitigated in RAS version 15.5 Update 4, released in September 2017.
However, we identified an issue that appeared to relate to the fix for the previous flaw. While it was no longer possible to retrieve/read files via the directory traversal flaw, it was possible to determine if a file or folder was present on the remote RAS server by leveraging the same payload.
We could identify the presence of files or folders via the different server responses received:
- An HTTP 403 (Forbidden) response is received when a file does exist.
- An HTTP 404 (Not Found) response is received when a file does not exist.
With a Windows installation, it’s possible to leverage this issue from an unauthenticated perspective to enumerate valid local Windows usernames, assuming they have a home directory on the target system. Once account names are enumerated, they can be subjected to password guessing attacks.
The following request is used to enumerate the “administrator” user. An HTTP “403 Forbidden” response from the server confirms the directory/user is present:
On the flip side, the following HTTP request returns an HTTP “404 Not Found” which reveals the queried directory/user does not exist:
As a result of the above HTTP response discrepancies, it’s possible to fuzz the username field to quickly enumerate any Windows users that may be present on the system.
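The following is an added example, not code from the original post and not Parallels' code: a minimal Python model of how a traversal fix can stop serving files yet still reveal existence through its status codes, beside a version that answers uniformly. The function names and the constructed directory tree are hypothetical, and the order of checks in the leaky version is an assumption about this class of bug rather than a description of the RAS implementation.

```python
import os
import tempfile

def _inside(root, target):
    """True when target resolves to a location under root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, target]) == root

def status_leaky(root, requested):
    """Assumed shape of a partial fix: the file is no longer served, but
    existence is tested before containment, so the status code differs."""
    target = os.path.realpath(os.path.join(root, requested))
    if not os.path.exists(target):
        return 404                  # nothing at that path
    if not _inside(root, target):
        return 403                  # exists but outside the root: the oracle
    return 200

def status_uniform(root, requested):
    """Containment is decided first; a path outside the root gets the same
    404 as a missing file, so its existence never influences the response."""
    target = os.path.realpath(os.path.join(root, requested))
    if not _inside(root, target) or not os.path.exists(target):
        return 404
    return 200

def demo():
    # Constructed tree standing in for a server: a web root beside a
    # "Users" folder that holds one home directory.
    with tempfile.TemporaryDirectory() as base:
        webroot = os.path.join(base, "webroot")
        os.makedirs(webroot)
        os.makedirs(os.path.join(base, "Users", "alice"))
        open(os.path.join(webroot, "index.html"), "w").close()
        probes = {
            "inside": "index.html",
            "outside_exists": os.path.join("..", "Users", "alice"),
            "outside_missing": os.path.join("..", "Users", "bob"),
        }
        return {name: (status_leaky(webroot, p), status_uniform(webroot, p))
                for name, p in probes.items()}

if __name__ == "__main__":
    for name, (leaky, uniform) in demo().items():
        print(f"{name:16} leaky={leaky} uniform={uniform}")
```

When reviewing a traversal fix, compare the responses for an out-of-root path that exists and one that does not; any difference in status, body, or timing is an existence oracle.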
The original file directory traversal flaw CVE-2017-9447 was fixed in RAS version 15.5 Update 4, released in September 2017.
The file presence/username enumeration flaw discussed here was fixed in RAS Version 17.1.2 released in July 2020. Ultimately, as a result of a non-optimal fix, this issue has been present for nearly three years.
Although we were in communication with the vendor, they unhelpfully opted to report the fix for this new 2020 flaw under the original 2017 CVE, which ultimately relates to an issue with a different impact.
Parallels Remote Application Server version 17 Release Notes
2nd June 2020 – Parallels informed about the issue.
15th July 2020 – Parallels released a patch.
19th November 2020 – File presence/Username enumeration flaw publicly disclosed.
A Metasploit module to leverage this flaw has been created, which will be pushed to the Metasploit project in the coming days.
Module in action: