lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20120125154337.GB13159@X>
Date: Wed, 25 Jan 2012 16:43:37 +0100
From: otr@...kcay.de
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Cc: Bugtraq <bugtraq@...urityfocus.com>
Subject: NX Web Companion Spoofing Arbitrary Code Execution Vulnerability

# Vuln Title: NX Web Companion Spoofing Arbitrary Code Execution
# Vulnerability
# Date: 25.01.2012
# Author: otr
# Software Link: http://www.nomachine.com/documents/plugin/install.php
# Version: <= 3.x
# Tested on: Linux, Windows, Mac OS X x86, Mac OS X PPC, Solaris
# CVE : None, yet

Summary

   The No Machine NX Web Companion is a Java applet that allows to
download and update the No Machine software from a server. The No
Machine software is used to remotely access computers. The NX Web
Companion is usually used by enterprises to easily deploy a cross
platform client for accessing remote machines.

Context

   For security purposes the NX Web Companion Java applet jar file is
often code signed. Signed Java applets are allowed to run
arbitrary code (outside of the Java sandbox) on the client system
if the user confirms that he trusts the certificate the code was
signed with. If a company decides to use the NX Web Companion it
is likely to not only self-sign. Therefore it would get a CA
signed certificate for the Web Companion. The defaults when
accepting to such a signed Java applet are to accept to run the
applet in question and trust the publisher forever. Meaning that
any time the user browses to a page containg that applet, the
applet code is executed automatically outside of the Java sandbox.

   The NX Web Companion spoofing vulnerability now, in the worst
case, allows to execute arbitrary code on the client abusing
the trust the user once placed into the signed jar file.

Details

   The java applet nxapplet.jar downloads a file called
client.zip from a location that can be controlled by the
attacker using a fake web site using the parameters passed
to the applet (SiteUrl, RedirectUrl). The applet can be
tricked into thinking that a new version is available by
modifing the *ClientVersion parameters. After user
confirmation, the applets then downloads a file client.zip
from the location provided in SiteUrl.  client.zip is an
archive that contains a platform dependend executable that
is _not_ code signed and therefore may be manipulated by an
attacker to run arbitrary code abusing the trust placed into
the nxapplet.jar certificate.

   The client.zip file actually contains a file called "client" that is
lzma compressed. The file "client" itself is a zip archive that
contains the platform dependend executable which is called:

For Windows: nxclient.exe
For Linux: bin/nxclient
For OS X: bin/nxclient.app/Contents/MacOS/
For Solaris: bin/nxclient

Report Timeline

2011-12-12: Vendor Notification
2011-12-15: Vendor Response
2012-01-16: Vendor agrees to disclosure
2012-01-25: Public Disclosure




-- 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ