Blue chip software bug leads to 'instant pwnage'

An enterprise virtual browser that claims to offer “100 percent secure web browsing”, and is used by some of the world's biggest organisations, contained a critical vulnerability that “broke the basic value proposition” of the platform.

The remote code execution bug could lead to "instant pwnage" of enterprise workstations using the Jetro Cockpit Secure Browsing (JCSB) platform.

Organisations using the vulnerable versions of the platform would be arguably "better off using no protection at all", according to penetration tester Ronen Zilberman.

All versions, including the oldest, 4.3.1, released eight months ago, were found vulnerable. Affected versions may have existed for several years, according to Zilberman.

Companies including Coca-Cola, Carlsberg, Fisher & Paykel, Bayer, UPS, security firm G4S, the Israeli Police, Motorola and Deloitte are listed as customers of Jetro.

A patch for the flaw reported by Zilberman was being developed after the company quickly acknowledged the bug, which was found during a client penetration test. No workaround for the flaw was found other than deactivating printer services.

The researcher commended the company on its timely and honest response, which was made on the same day as the quiet disclosure.

The exploit allowed malicious code to run on workstations when users clicked on a crafted malicious link sent by attackers.

The platform worked similarly to Citrix NetScaler, researchers pointed out: workstations sit on a separated enterprise intranet and reach the Internet only via a terminal server within the enterprise demilitarised zone.

Zilberman found that an attacker who lured a user on the local intranet into triggering an existing exploit, such as an Adobe Reader vulnerability, could compromise the terminal server.

"The vulnerability found breaks the basic value proposition of the security product in which it is found. With it the attacker, after compromising the DMZ server, can further inject malicious code into any workstation that is using it to surf the web. This would generally mean instant 'pwnage' of all the enterprise's workstations," Zilberman wrote in a blog post.

"Worse still, the malicious code can later 'call home'. Typically, malicious code that has reached the internal network somehow has a hard time connecting outside because the internal network isn't directly connected to the Internet.

“However, in this case JCSB itself is the connecting agent. Using the intermediate (previously compromised) Jetro server in the DMZ, the code can seamlessly have a two-way connection with the attacker's server. This means the attacker can steal sensitive information, and establish an APT (advanced persistent threat). Threat-wise, the enterprise is arguably better off using no protection at all as workstations browsing the Internet directly could only be compromised one at a time.

"Obtaining administrative control of the terminal server, the attacker could run arbitrary code on all workstations in the enterprise that are using JCSB to browse the web at the time of the attack or later. This means that a user surfing completely unrelated to the attacked user could still be compromised."

The vulnerabilities existed in the JCSB print feature, which allowed users to print to a local printer over Remote Desktop Services virtual channels. That channel opened a "back-stream" of data from the terminal server to the client that permitted code execution. The print function had some security features but failed to protect the client code, Zilberman said.

An attacker could send a malicious executable in place of a PDF file that was normally sent from the terminal server to the client. Instead of the PDF opening in a program such as Adobe Reader, the executable would be launched.
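The client-side check that such a back-stream needs, as an added illustration that is not code from the Jetro product: the receiving workstation verifies by leading bytes that a file announced as a PDF really is one, and never hands anything else to a viewer. The function names, the spool directory and the sample byte strings are constructed for this example.

```python
"""Validate a file received over a remote-print back-channel before opening it.

Added illustration for the print-feature bug described above: the client must
not trust the server's claim that a returned file is a PDF. All names and
sample data here are constructed, not taken from the product.
"""
import os

PDF_MAGIC = b"%PDF-"
EXE_MAGICS = (b"MZ", b"\x7fELF", b"#!")  # PE, ELF and script shebang headers

# Constructed sample blobs: a minimal PDF and a stub PE (Windows executable) header.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56


def classify_payload(data: bytes) -> str:
    """Classify a received blob by its content, never by the name the server gave it."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if any(data.startswith(magic) for magic in EXE_MAGICS):
        return "executable"
    return "unknown"


def accept_print_job(declared_name: str, data: bytes) -> bool:
    """Accept a job only when the declared name and the real content both say PDF.

    Rejects executables, unknown formats and any name/content mismatch, so a
    binary substituted for the expected PDF is dropped instead of launched.
    """
    ext = os.path.splitext(os.path.basename(declared_name))[1].lower()
    return ext == ".pdf" and classify_payload(data) == "pdf"


def spool_path(declared_name: str, spool_dir: str = "/var/spool/jcsb-client") -> str:
    """Path an accepted job would be written to: basename only, forced .pdf suffix.

    Stripping directories and re-adding the extension keeps a crafted name from
    escaping the spool directory or smuggling a different file type.
    """
    stem = os.path.splitext(os.path.basename(declared_name))[0] or "job"
    return os.path.join(spool_dir, stem + ".pdf")


if __name__ == "__main__":
    for name, blob in (("report.pdf", SAMPLE_PDF), ("report.pdf", SAMPLE_EXE)):
        verdict = "accepted" if accept_print_job(name, blob) else "rejected"
        print(f"{name}: content={classify_payload(blob)} -> {verdict}")
```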

"Ultimately, the vulnerability found was straightforward," Zilberman said. "However the audit itself was quite challenging, requiring a complex setup of five virtual machines to mimic an enterprise deployment and plenty of code reverse-engineering."

He warned against security 'overview' tests, one of which Jetro had cited as having been conducted on JCSB. Such a test does not look for security vulnerabilities, he said, and lulls customers into a "false sense of security as it seems the product is 'tested and found secure'".

The idea of seamless remote browsing introduces plenty of tricky security problems that may prove difficult to solve. While this research focused only on the printing feature, further research might uncover other vulnerabilities in this, and other similar products.
