First time on RemoteApp?
Hello There :)
I know many of you like having creative things to read and to try to recreate!
Knowing that, I decided to show a vulnerability you don’t see very often :)
Poking around
This time, I was working on a RemoteApp and you should know I’m really not familiar with this kind of thing at all, having never had the opportunity to play with it before.
Many people prefer to walk away when they see something like this.
In my case, as I want to learn new things and have fun, it was a perfect opportunity and so I decided to check this one :)
Understanding
First, for those who don’t know the difference:
When you are making a remote connection to a computer, it’s usually a RemoteDesktop. Basically, it’s like you are sitting in front of the machine.
A RemoteApp, on the other hand, directly opens the application and doesn’t give you access to the whole computer.
To set the scene, I will do my best to tell it the way I experienced it!
Curtain up…
Work in progress
I connect to the application and start by looking at how it works.
It’s interesting but, obviously, one of the first things we want to do is check how the app is built behind the scenes!
Since we are on Windows, I check for features on the application which could give me a way to break out and reach a window directly.
As you would expect, that was fairly easy to find, and now I had to think about what to do next.
I first started by looking at the application’s folder but, since I’m really bad at that, I told myself I’d launch Burp Suite and intercept the requests!
Not So Fast
As I said, I’m absolutely not familiar with things like this so, in my head, I was just like “yep, let’s download Burp Suite on the remote machine and get to work :)”
Unfortunately, it’s not that simple…
The first problem was that I couldn’t run files wherever I wanted.
There was a protection in place to be sure that wasn’t possible.
Fortunately, after a bit of digging, I discovered that I just had to put the files in the application’s folder in order to run them ;)
The second was that Java was not installed on the computer, so I had to find the Java binaries for this Windows…
That got sorted quickly and I was able to move on!
The third was that I had to find a compatible Burp version for this computer…
I had to dig quite a bit but I eventually found that v2020.1 was the most recent version that could be used by it!
The last thing was to figure out how to put a proxy in the application…
Fortunately, it was a .NET application with a config file!
In a .NET application config file, you can simply add something like this to proxy it:
<system.net>
  <defaultProxy>
    <proxy
      usesystemdefault="False"
      proxyaddress="http://127.0.0.1:9975"
      bypassonlocal="False"
    />
  </defaultProxy>
</system.net>
Everything was in place.
All I had left to do was launch a CMD, start Burp, export the certificate to add it to Windows, and start intercepting the requests sent by the application!
After modifying the config file, I just had to relaunch my RemoteApp to begin working on it.
Wait, what?
That is when I was dumb enough to almost miss the most important thing…
The application was in the Program Files folder on this Windows and I was able to modify it however I wanted…
I started it again with a second account and I was receiving its requests in my Burp Suite…
Yes, you heard it right:
The application was not isolated per user.
I had read / write permissions on the whole application folder.
For those who don’t get it, that means I was able to compromise the whole application and, therefore, all of its users…
I was so focused on being able to intercept the requests made by the application that I almost missed a huge vulnerability.
So, I could simply capture the login credentials of all the users and therefore steal their accounts… :)
More
In the end, there were several issues:
- No isolation between users
- Read/Write access to the app's entire folder
- Ability to launch arbitrary executables
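A defender-side check for the issues listed above, as an added example that is not part of the original article: a PowerShell script that lists non-administrative identities holding write-type rights anywhere under the application folder and reports any .config file carrying a proxy entry like the one shown earlier. The folder path and the allow-list of trusted SIDs are assumptions to adjust for your host.

```powershell
# Added example: audit a RemoteApp install folder for the issues listed above.
param(
    [string]$AppDir = 'C:\Program Files\ExampleApp'  # hypothetical placeholder path
)

# Specific write-type rights, plus GENERIC_WRITE / GENERIC_ALL, which Get-Acl
# reports as raw numbers on inherit-only entries.
$specific  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x40000000 -bor 0x10000000

# Well-known SIDs that are expected to hold write access under Program Files.
$trustedSids = @(
    'S-1-5-18',      # LOCAL SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-WeakAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($trustedSids -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

# Every file and subfolder, since one writable DLL or .config is enough.
$targets = @($AppDir) + @(Get-ChildItem -LiteralPath $AppDir -Recurse -Force | ForEach-Object FullName)
$aclFindings = $targets | ForEach-Object { Get-WeakAce -Path $_ }

# Flag any config file that redirects the app's HTTP traffic through a proxy.
$proxyFindings = Get-ChildItem -LiteralPath $AppDir -Recurse -File -Filter '*.config' | ForEach-Object {
    $file = $_.FullName
    $xml  = [xml](Get-Content -LiteralPath $file -Raw)
    foreach ($p in $xml.SelectNodes('//system.net/defaultProxy/proxy[@proxyaddress]')) {
        [pscustomobject]@{ File = $file; ProxyAddress = $p.GetAttribute('proxyaddress') }
    }
}

$aclFindings   | Format-Table -AutoSize
$proxyFindings | Format-Table -AutoSize
```

Run it from an elevated session on the session host; an empty result for both tables means no standard user can write into the folder and no config file reroutes the application's traffic.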
I obviously reported this vulnerability!
I also had some fun after installing Burp Suite and found IDORs directly in the calls made by the application.
It was a very interesting discovery for me.
This article isn’t very long, but it still took me several hours of work to understand everything.
There are many things I didn’t talk about and, above all, Google was incredibly helpful (as always).
Thanks for taking the time to read :)
~ Kuromatae