Blue chip software bug leads to 'instant pwnage'

An enterprise virtual browser that claims to offer “100 percent secure web browsing”, and is used by some of the world's biggest organisations, contained a critical vulnerability that “broke the basic value proposition” of the platform.

The remote code execution bug could lead to "instant pwnage" of enterprise workstations using the Jetro Cockpit Secure Browsing (JCSB) platform.

Organisations using the vulnerable versions of the platform would be arguably "better off using no protection at all", according to penetration tester Ronen Zilberman.

All versions, including the oldest, 4.3.1, released eight months ago, were found vulnerable. Affected versions may have existed for several years, according to Zilberman.

Companies including Coca-Cola; Carlsberg; Fisher & Paykel; Bayer; UPS; security firm G4S; the Israeli Police; Motorola, and Deloitte are listed as customers of Jetro.

A patch for the flaw reported by Zilberman was being developed after the company quickly acknowledged the hack, which was found during a client penetration test. No workaround for the flaw was found other than deactivating printer services.

The researcher commended the company on its timely and honest response, which was made on the same day as the quiet disclosure.

The exploit allowed malicious code to run on the workstations of users who click on a crafted malicious link sent by attackers.

The platform worked similarly to Citrix NetScaler, researchers pointed out, by placing workstations on a separated enterprise intranet that connected to the Internet via a terminal server within the enterprise demilitarised zone.

Zilberman found that, using an existing exploit such as an Adobe Reader vulnerability, a user on the local intranet can cause the terminal server to be compromised by an attacker.

"The vulnerability found breaks the basic value proposition of the security product in which it is found. With it the attacker, after compromising the DMZ server, can further inject malicious code into any workstation that is using it to surf the web. This would generally mean instant 'pwnage' of all the enterprise's workstations," Zilberman wrote in a blog post.

"Worse still, the malicious code can later 'call home'. Typically, malicious code that has reached the internal network somehow has a hard time connecting outside because the internal network isn't directly connected to the Internet.

"However, in this case JCSB itself is the connecting agent. Using the intermediate (previously compromised) Jetro server in the DMZ, the code can seamlessly have a two-way connection with the attacker's server. This means the attacker can steal sensitive information, and establish an APT (advanced persistent threat). Threat-wise, the enterprise is arguably better off using no protection at all as workstations browsing the Internet directly could only be compromised one at a time.

"Obtaining administrative control of the terminal server, the attacker could run arbitrary code on all workstations in the enterprise that are using JCSB to browse the web at the time of the attack or later. This means that a user surfing completely unrelated to the attacked user could still be compromised."

The vulnerabilities existed in the JCSB print feature, which allowed users to print to a local printer over Remote Desktop Services virtual channels. That channel opened a "back-stream" of data from the terminal server to the client that permitted code execution. The print function had some security features but failed to protect the client code, Zilberman said.

An attacker could send a malicious executable in place of a PDF file that was normally sent from the terminal server to the client. Instead of the PDF opening in a program such as Adobe Reader, the executable would be launched.
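The client-side check whose absence the paragraph above describes can be sketched as follows. This is an added example, not Jetro's code or its patch, and the page does not describe the JCSB client's internals; the function names, the deny list and the viewer path are hypothetical.

```python
import secrets
from pathlib import Path

PDF_HEADER = b"%PDF-"
PDF_TRAILER = b"%%EOF"
# Constructed deny list: leading bytes of formats that execute when opened.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}
PINNED_VIEWER = "/usr/bin/pdf-viewer"  # hypothetical path, set per deployment


class RejectedPrintJob(Exception):
    """Raised when a print payload from the terminal server is not a PDF."""


def check_print_payload(data: bytes) -> None:
    """Raise unless the bytes received over the print channel look like a PDF."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            raise RejectedPrintJob(f"payload is a {label}, not a PDF")
    if not data.startswith(PDF_HEADER):
        raise RejectedPrintJob("missing %PDF- header")
    if PDF_TRAILER not in data[-1024:]:
        raise RejectedPrintJob("missing %%EOF trailer")


def spool_print_job(data: bytes, server_filename: str, spool_dir: Path) -> list[str]:
    """Validate the payload, store it under a client-chosen name, return viewer argv.

    server_filename is deliberately ignored: the sender controls it, so
    neither its extension nor its path may decide what gets launched.
    """
    check_print_payload(data)
    target = spool_dir / f"print-{secrets.token_hex(8)}.pdf"
    target.write_bytes(data)
    # Fixed argv for a pinned viewer; no shell and no OS file association.
    return [PINNED_VIEWER, str(target)]
```

The header check only stops type substitution; a payload that passes is still untrusted input to the PDF viewer, which needs its own patching and sandboxing.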

"Ultimately, the vulnerability found was straightforward," Zilberman said. "However the audit itself was quite challenging, requiring a complex setup of five virtual machines to mimic an enterprise deployment and plenty of code reverse-engineering."

He warned against security 'overview' tests, one of which Jetro cited as having been conducted on JCSB, because such a test does not look for security vulnerabilities and lulls customers into a "false sense of security as it seems the product is 'tested and found secure'".

The idea of seamless remote browsing introduces plenty of tricky security problems that may prove difficult to solve. While this research focused only on the printing feature, further research might uncover other vulnerabilities in this, and other similar products.

Stories by Sam Bells
