Nettitude discovered two vulnerabilities within Cyblesoft’s Thinfinity VirtualUI web application. The findings include path traversal and HTTP header injection, which could be leveraged to execute an XSS payload.
Thinfinity VirtualUI enables Windows-based desktop applications to function as cross-browser, cross-device web applications, which can be run on a Windows environment or be accessed remotely from a web-browser.
Path Traversal Proof of Concept – CVE-2019-16384
The path traversal vulnerability can be leveraged to perform remote data exfiltration on the Windows host. This enables files outside of the intended web directory to be retrieved if the location is known and the application has sufficient permissions. Consequently, this compromises the confidentiality of application data.
The following proof of concept shows how common Windows configuration files were retrieved on the test host, traversing the file directories using the ../ notation. This was captured on the Cyblesoft demo site.
HTTP Header Injection Proof of Concept – CVE-2019-16385
The identified HTTP header injection vulnerability enables control over the application response and can be leveraged to perform a reflected Cross-Site Scripting attack.
The vulnerable mimetype URL parameter can be injected with an arbitrary payload, which is reflected within the Content-type header of the server response, in its entirety.
Injecting HTML encoded carriage return line feed characters %0d%0a within that vulnerable parameter results in the response being split, as a new line is inserted within the header section of the server response, whilst still returning a 200 OK response.
All versions up to and including Thinfinity VirtualUI 18.104.22.168 are affected by both of the vulnerabilities disclosed.
These vulnerability types are common in modern web applications. The ones presented here could have a moderate impact, and it is recommended that users of the software fix the vulnerability by applying the available patch,
Cyblesoft were quick to respond, and regular communication with the vendor enabled a patch to be released to address both of these issues before public disclosure.
Thinfinity UI Vulnerability Disclosure Timeline
- Date of discovery: 20 August 2019
- Vendor informed: 22 August 2019
- Vendor patch received: 14 October 2019
- Patch confirmed effective: 14 October 2019
- Vendor informed about planned disclosure: 14 October 2019
- Public Disclosure: 4 June 2020