The Profiling team at SecureState discovered a critical flaw in an older version of Courion’s Access Risk Management Suite. This vulnerability allows an unauthenticated attacker to remotely compromise a system by leveraging functionality exposed within the Remote Desktop Protocol service.
No exploit code is required to take advantage of this vulnerability; it is exercised through manual GUI interaction. Courion has informed SecureState that this vulnerability had been identified internally and remediated prior to SecureState notifying them. The vulnerable version is Version 8, Update 9 of the product. It is unknown which prior versions of the product are affected by this same vulnerability. SecureState was not able to gain access to additional versions of the software to perform further testing.
When using the Remote Desktop Protocol to connect to a system which has Courion’s Access Risk Management Suite software installed, there is a button on the right-hand side labeled “Forgot Password” which allows a user to reset the password for their user account by answering a series of challenge questions. The vulnerability arises from the fact that the password reset functionality takes place within a restricted instance of Internet Explorer. While the traditional menu options are not available to the user, keyboard shortcuts are processed normally. As the following screenshot illustrates, by using the “Ctrl + L” or “Ctrl + O” keyboard shortcuts, an “Open” dialogue box is displayed. From here it’s possible to browse the local file system. By launching “cmd.exe”, an attacker can add a local administrative user to the system because the current process runs in the context of the local machine account.
Users of this software are encouraged to update to the latest version provided by Courion.
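For systems that cannot be updated immediately, the process lineage described above can be monitored. The following is an added example, not code from SecureState or Courion: it flags Internet Explorer running as the local machine account when it launches a non-browser child such as cmd.exe, and reports any addition to the local Administrators group that follows on the same host. The event dictionaries are constructed, simplified versions of Windows Security events 4688 and 4732; the 10-minute window and the presence of the parent process name in process-creation events are assumptions of this example.

```python
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"          # LocalSystem, the "local machine account"
ADMINS_SID = "S-1-5-32-544"      # BUILTIN\Administrators
WINDOW = timedelta(minutes=10)   # assumed correlation window

# Constructed sample events (simplified Security-log fields, not real logs).
EVENTS = [
    {"id": 4688, "host": "RDP01", "time": "2024-01-01T10:00:00",
     "SubjectUserSid": SYSTEM_SID,
     "ParentProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"id": 4732, "host": "RDP01", "time": "2024-01-01T10:02:30",
     "SubjectUserSid": SYSTEM_SID, "TargetSid": ADMINS_SID,
     "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    {"id": 4688, "host": "WS07", "time": "2024-01-01T11:00:00",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "ParentProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "NewProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_breakouts(events):
    """Alert on SYSTEM-context IE spawning a non-IE child (event 4688) and list
    members added to Administrators (event 4732) on that host within WINDOW."""
    alerts = []
    events = sorted(events, key=lambda e: e["time"])
    for ev in events:
        if ev["id"] != 4688 or ev.get("SubjectUserSid") != SYSTEM_SID:
            continue
        if basename(ev.get("ParentProcessName", "")) != "iexplore.exe":
            continue
        child = basename(ev["NewProcessName"])
        if child == "iexplore.exe":      # IE re-launching itself is expected
            continue
        start = datetime.fromisoformat(ev["time"])
        added = [e["MemberSid"] for e in events
                 if e["id"] == 4732 and e["host"] == ev["host"]
                 and e.get("TargetSid") == ADMINS_SID
                 and timedelta(0) <= datetime.fromisoformat(e["time"]) - start <= WINDOW]
        alerts.append({"host": ev["host"], "child": child, "admins_added": added})
    return alerts

if __name__ == "__main__":
    for alert in find_breakouts(EVENTS):
        print(alert)
```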