Vulnerability Description and Impact
Vantage Editor Desktop is a SQL client used to connect to Teradata Vantage (database) instances. It's used for typical SQL client functions, such as
executing database queries, viewing returned result sets, and maintaining a history of previously executed queries. This application is built using
Electron, which embeds the Chromium browser within it. When a user executes a query, the results are returned and converted into HTML for display
back to the user using the Chromium browser.
Vantage Editor Desktop was not designed to be a generic web browser, and as such does not include features normally included with a standard web browser,
such as an address bar. The lack of normal web browser features is intended to limit the Chromium browser capabilities to only those intended by the
developer, which is essentially running SQL queries and locally rendering the returned result sets into a form viewable through Chromium.
The standard Chromium browser includes "developer tools" functionality that is typically used by web developers for low-level web development and
debugging, such as inspecting page source code and measuring resource (e.g., network, memory, and storage) utilization. The developer tools also
include a console function that logs information associated with a page, including JavaScript, CSS and security errors and warnings. Crucially,
the console function also allows the user to run any JavaScript code of their choice to interact with a page, which can include manipulating page
objects and loading other web pages. Vantage Editor Desktop allows users to load the developer tools via the "View" menu or with a Ctrl-Shift-I
hotkey combination, where the console functionality can then be abused to force Vantage Editor Desktop to act as an unrestricted web browser via
JavaScript code execution.
[Figure: Loading https://cve.mitre.org into Vantage Editor Desktop via the developer tools console (exploit code not shown)]
The settings of typical browsers (e.g., Mozilla Firefox, Google Chrome and Microsoft Edge) can be controlled by domain administrators, including
limiting a user's ability to load third-party extensions, store user credentials, and bypass certain security restrictions such as an invalid or expired TLS
certificate. It is a commonplace practice in many corporate environments to strictly control browser policy configurations to help protect both
unsuspecting end-users and corporate IT infrastructure alike. In the case of Vantage Editor Desktop, domain administrators do not have the ability
to view or set any browser policies as it was never intended to function as a generic web browser, and this increases the risk of security incidents
that would otherwise be avoided through corporate controlled browser policies. Users abusing the developer tools console functionality to browse to
any website will only be limited by the default Chromium and/or developer implemented policy configurations, which may not conform to corporate
security requirements.
Caveats / Prerequisites
This vulnerability is not generally exploitable by an external attacker as they'd have to convince an unknowing user to open the developer tools,
navigate to the console and run JavaScript code of their choice. Most users should recognize the attacker is attempting to get them to use Vantage
Editor Desktop in an unintended fashion as soon as they're asked to load the developer tools. This vulnerability is more likely to be abused by
otherwise legitimate end users that want to circumvent domain administrator enforced policies in typical browsers.
Also note that while this vulnerability is centered around using Vantage Editor Desktop as an unrestricted browser, the ability to run arbitrary
JavaScript code via the console allows for the potential of other security exploits as well. For example:
The console could be leveraged as a code injection path to manipulate query results.
If an attacker were able to convince an end user to run their code via the console, the user could be redirected to a lookalike webpage hosted
by the attacker that is designed to look like the database connection properties window, where the user then enters and submits their Teradata
Database credentials within the form under the assumption they're authenticating to Teradata Database. At this point the attacker has obtained
the user's plaintext Teradata Database credentials.
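The issues described above (developer tools reachable from the menu and hotkey, no navigation policy once the console is open, and redirection to an attacker-hosted page) are all closed off in the Electron main process. The following is an added example written for this advisory; it is not Vantage Editor Desktop's code, and the app:// origin allowlist, the hypothetical app URL and the fake webContents used to exercise it are constructed assumptions. The Electron APIs it relies on (BrowserWindow webPreferences.devTools, the will-navigate event, setWindowOpenHandler, the devtools-opened event, Menu.setApplicationMenu) are real.

```javascript
// Added example (not Vantage Editor Desktop's own code): hardening an Electron
// main process so the embedded Chromium cannot be turned into a general browser.
// The allowlist and URLs below are constructed assumptions for illustration.
'use strict';

// Origins the renderer may navigate to. Assumption: the UI is served from a
// single custom scheme/host; adjust to whatever the real app bundles.
const ALLOWED_ORIGINS = new Set(['app://vantage-editor']);

// Decide whether a top-level navigation should be permitted. Unparseable URLs,
// javascript: URLs and file: URLs all fall through to "deny".
function isNavigationAllowed(targetUrl, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch (_) {
    return false;
  }
  // Build scheme://host by hand: WHATWG URL reports origin "null" for
  // non-special schemes such as app://, so parsed.origin is not usable here.
  return allowed.has(`${parsed.protocol}//${parsed.host}`);
}

// BrowserWindow webPreferences: devTools off (this also disables the
// Ctrl-Shift-I shortcut), renderer sandboxed, no Node integration.
function hardenedWebPreferences() {
  return {
    devTools: false,
    contextIsolation: true,
    nodeIntegration: false,
    sandbox: true,
  };
}

// Attach navigation controls to a webContents. Takes any object exposing
// on/setWindowOpenHandler/closeDevTools so it can be exercised without Electron.
// Returns the list of blocked URLs so the caller can log them (constructed
// audit trail, not an Electron feature).
function attachNavigationGuard(webContents, allowed = ALLOWED_ORIGINS) {
  const blocked = [];
  // Page-initiated top-level navigation (e.g. window.location = ...).
  webContents.on('will-navigate', (event, url) => {
    if (!isNavigationAllowed(url, allowed)) {
      event.preventDefault();
      blocked.push(url);
    }
  });
  // window.open / target=_blank: never spawn a new window.
  webContents.setWindowOpenHandler(({ url }) => {
    blocked.push(url);
    return { action: 'deny' };
  });
  // Defence in depth: if devtools is ever opened anyway, close it immediately.
  webContents.on('devtools-opened', () => webContents.closeDevTools());
  return blocked;
}

// Electron wiring; only runs when this file is loaded inside Electron.
let electron = null;
try {
  electron = require('electron');
} catch (_) {
  // Not running under Electron (e.g. unit tests); the pure functions still work.
}
if (electron && electron.app) {
  const { app, BrowserWindow, Menu } = electron;
  app.whenReady().then(() => {
    // Removing the application menu drops the View > Toggle Developer Tools entry.
    Menu.setApplicationMenu(null);
    const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() });
    attachNavigationGuard(win.webContents);
    win.loadURL('app://vantage-editor/index.html'); // hypothetical app URL
  });
}

if (typeof module !== 'undefined') {
  module.exports = { isNavigationAllowed, hardenedWebPreferences, attachNavigationGuard, ALLOWED_ORIGINS };
}
```

The guard is deliberately an allowlist rather than a denylist: a SQL client has no business loading anything but its own UI, so every other origin, including the https://cve.mitre.org example from the screenshot, is refused before the request is made. Setting the application menu to null on macOS also removes the Edit menu shortcuts, so a real build would install a trimmed menu instead of none.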
Proof of Concept
No proof of concept code is being published for this vulnerability as it is a trivial exercise to find or write JavaScript code to exploit it.