| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Feb 2014 15:30:48 +0200
From: Ronen Z <ronen@...ji.com>
To: bugtraq@...urityfocus.com
Subject: Jetro Cockpit Secure Browsing vulnerability - Client missing input
validation allowing RCE
CVE-2014-1861
Affected versions: 4.3.3
4.3.1 and probably prior versions.
Jetro Cockpit Secure Browsing makes use of a client running on a
user's workstation in the enterprise's internal network, and a server
in the DMZ that connects on the client's behalf to the internet.
Attack scenario: User causes server to be compromised by an unpatched
or 0-day vulnerability. For example, a browser exploit, or a PDF
viewer exploit. The product should provide network separation and
sand-box such an attack. However the vulnerability found allows a
compromised server to execute code on the client machine using the
printing mechanism.
Specifically:
- If an attacker gains user-level RCE on the server, the found issue
will allow RCE on the same user's workstation in the internal network.
- If an attacker gains elevated privileged RCE on the server (using a
PE vulnerability), the found issue will allow RCE on any user's
workstation in the internal network.
The client does not validate input coming from the server as a result
of a print-to-pdf event. The server can send an .EXE file instead of
the expected .PDF file and the client will execute the file upon
receiving it.
Full disclosure, demo and details here:
http://blog.quaji.com/2014/02/remote-code-execution-on-all-enterprise.html
Ronen Zilberman
Powered by blists - more mailing lists