Today, we are disclosing a vulnerability that has been identified in Universal Dashboard Premium\Enterprise. This does not affect Universal Dashboard Community.
Remote code execution can be performed against Universal Dashboard Premium\Enterprise by an attacker using an HTTP request.
On December 11th, 2018, we released a version of Universal Dashboard that included a feature called DesignMode (later renamed to AdminMode) that introduced a terminal that could run commands on behalf of administrator users. On February 13th, 2020 we were notified by one of our customers, Kevin Temming, that during a security evaluation he was conducting against Universal Dashboard using Burp Suite, he encountered the vulnerability discussed in this report. Today, February 14th, we have resolved the issue and published version 2.9.0, removed all affected versions from the PowerShell Gallery, and notified all our customers.
Am I affected?
If you are using the UniversalDashboard module, on an affected version and do not have login pages enabled, any user can execute PowerShell commands remotely. If you are using UniversalDashboard.Community or have login pages enabled, you will not have this issue.
If you are using Windows Authentication or REST API authentication, this will also prevent an attacker from calling the UD API without authentication.
It is recommended to install 2.9.0 to mitigate this issue or enable login pages for dashboards not running 2.9.0.
All affected versions have been unlisted from the PowerShell Gallery.
Universal Dashboard Premium\Enterprise provides an Administrator Mode terminal for executing arbitrary commands against the Universal Dashboard runspaces. This terminal is enabled by using the -AdminMode switch on Universal Dashboard’s Start-UDDashboard cmdlet. Commands run through the terminal are executed as the account that the dashboard is running under.
This vulnerability allows an attacker to execute commands against this terminal without the -AdminMode switch enabled by issuing HTTP requests to the ASP.NET Controller endpoint responsible for executing these commands.
This can be reproduced using the following script.
Import-Module UniversalDashboard $D = Start-UDDashboard -Port 10000 Invoke-WebRequest 'http://localhost:10000/api/internal/terminal' -Method POST -Body "dir" Stop-UDDashboard $D
The output from the
dir command will be returned in the content of the HTTP response. The body of the HTTP request can be any PowerShell command and will be executed as the dashboard’s account.
The root cause of this issue was identified as an incorrect check on ASP.NET Core Session data that resulted in a failure to check if AdminMode was actually enabled. In newer versions of Universal Dashboard, a new way to enforce the AdminMode state was introduced but the terminal endpoint was not updated to reflect this change. This resulted in the endpoint checking a state that was not being set and allowing any user to execute commands; even if AdminMode was disabled completely.
When a dashboard is configured with login pages, ASP.NET Core authentication is enabled and only authenticated users will be able to execute commands against the AdminMode terminal. Thus, this vulnerability will not affect dashboards that have authentication and authorization enabled.
Please update to version 2.9.0 or enable login pages for your dashboards. We’d like to thank Kevin Temming for bringing this issue to our attention so that we could issue a quick resolution. Please feel free to contact us with any questions.