pwn.college DOJO Improper Authentication Vulnerability in Workspace Endpoint Allowing Unauthorized Access to Windows VMs
Vulnerability
A vulnerability exists in pwn.college DOJO, an educational cybersecurity platform, in versions up to and including commit 781d91157cfc234a434d0bab45cbcf97894c642e. The issue is in the '/workspace' endpoint: the 'view_desktop' function takes the target user ID from a URL parameter without verifying that the requester has administrative rights. An attacker can therefore supply an arbitrary user ID together with an arbitrary password and be handed access to that user's active Windows virtual machine (VM), bypassing the intended authentication. Once connected, the attacker can manipulate data on the Windows VM and, through the Z: drive, on the corresponding Linux machine.
Impact
Exploitation of this vulnerability grants unauthorized access to Windows VMs and affects every user who has an active Windows VM session. The attacker can modify data on the accessed Windows machine and, via the Z: drive, in the home directory of the associated Linux machine.
Reproduction
To reproduce this vulnerability, first identify a user with an active Windows VM. Then send a request to the '/workspace' endpoint with that user's ID, an arbitrary password, and the service parameter set to 'desktop-windows'. The response contains an 'iframe_src' URL that opens the victim's Windows VM.
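The following is an added example, not pwn.college's own code: it models the authorization logic the advisory describes for 'view_desktop' (target user taken from the URL, no admin check, client-supplied password passed through) next to a hardened form, and drives both with the request shape from the reproduction steps. The user records, VM addresses, password-derivation scheme, URL layout and helper names are all assumptions made for illustration; the exact pre-fix conditional in the real handler is not reproduced.

```python
from dataclasses import dataclass
from hashlib import sha256
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass(frozen=True)
class User:
    id: int
    name: str
    is_admin: bool = False


class Forbidden(Exception):
    """Stands in for Flask's abort(403)."""


# Constructed sample state (not real pwn.college data).
USERS = {1: User(1, "admin", True), 2: User(2, "alice"), 3: User(3, "mallory")}
ACTIVE_WINDOWS_VMS = {2: "10.0.0.12"}          # user id -> Windows VM address
SERVER_SECRET = b"constructed-server-secret"    # assumption: per-deployment secret


def vnc_password_for(user: User) -> str:
    """Server-side derived VNC password (assumed scheme, for illustration only)."""
    return sha256(SERVER_SECRET + user.name.encode()).hexdigest()[:16]


def _resolve_target(requester: User, args: dict) -> User:
    """Both handlers pick the target from the 'user' URL parameter when present."""
    user_id = args.get("user")
    return USERS[int(user_id)] if user_id is not None else requester


def _iframe_src(target: User, service: str, password: str):
    """Build the iframe_src URL, or return None when no Windows VM is running."""
    if service != "desktop-windows":
        host = f"linux-{target.name}"            # assumed Linux desktop address
    elif target.id in ACTIVE_WINDOWS_VMS:
        host = ACTIVE_WINDOWS_VMS[target.id]
    else:
        return None                              # no active Windows VM for that user
    return "/workspace/vnc.html?" + urlencode({"host": host, "password": password})


def view_desktop_vulnerable(requester: User, args: dict):
    """Models the pre-fix behaviour described in the advisory: the target user
    comes straight from the URL, no admin check is performed, and a
    client-supplied password is passed through into the iframe URL."""
    target = _resolve_target(requester, args)
    service = args.get("service", "desktop")
    password = args.get("password") or vnc_password_for(target)
    return _iframe_src(target, service, password)


def view_desktop_fixed(requester: User, args: dict):
    """Hardened form: opening anyone else's desktop requires admin, and the VNC
    password is always derived server-side, never taken from the request."""
    target = _resolve_target(requester, args)
    if target.id != requester.id and not requester.is_admin:
        raise Forbidden("only admins may open another user's desktop")
    service = args.get("service", "desktop")
    return _iframe_src(target, service, vnc_password_for(target))


def reproduce(handler, requester: User, victim_id: int):
    """Send the request shape from the Reproduction section (victim user id,
    arbitrary password, service=desktop-windows) to a handler. Returns the VM
    host the returned iframe_src points at, None when the handler returns no
    URL, or "forbidden" when the handler refuses the request."""
    args = {"user": str(victim_id), "password": "arbitrary", "service": "desktop-windows"}
    try:
        src = handler(requester, args)
    except Forbidden:
        return "forbidden"
    if src is None:
        return None
    return parse_qs(urlparse(src).query)["host"][0]


if __name__ == "__main__":
    mallory, alice = USERS[3], USERS[2]
    print("vulnerable:", reproduce(view_desktop_vulnerable, mallory, alice.id))  # 10.0.0.12
    print("fixed:     ", reproduce(view_desktop_fixed, mallory, alice.id))       # forbidden
```

Two points carry over to the real fix regardless of how the handler is written: the admin check must gate every request that names a user other than the caller, not only some parameter combinations, and the credential embedded in 'iframe_src' must be produced by the server, because any value the client can choose is a value an attacker can choose.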
Remediation
Users should update to commit 7f4e45198a49d132bf3d0bea64baa0adb68e6839 or later.
