| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Jan 2012 16:43:37 +0100 From: otr@...kcay.de To: Full Disclosure <full-disclosure@...ts.grok.org.uk> Cc: Bugtraq <bugtraq@...urityfocus.com> Subject: NX Web Companion Spoofing Arbitrary Code Execution Vulnerability # Vuln Title: NX Web Companion Spoofing Arbitrary Code Execution # Vulnerability # Date: 25.01.2012 # Author: otr # Software Link: http://www.nomachine.com/documents/plugin/install.php # Version: <= 3.x # Tested on: Linux, Windows, Mac OS X x86, Mac OS X PPC, Solaris # CVE : None, yet Summary The No Machine NX Web Companion is a Java applet that allows to download and update the No Machine software from a server. The No Machine software is used to remotely access computers. The NX Web Companion is usually used by enterprises to easily deploy a cross platform client for accessing remote machines. Context For security purposes the NX Web Companion Java applet jar file is often code signed. Signed Java applets are allowed to run arbitrary code (outside of the Java sandbox) on the client system if the user confirms that he trusts the certificate the code was signed with. If a company decides to use the NX Web Companion it is likely to not only self-sign. Therefore it would get a CA signed certificate for the Web Companion. The defaults when accepting to such a signed Java applet are to accept to run the applet in question and trust the publisher forever. Meaning that any time the user browses to a page containg that applet, the applet code is executed automatically outside of the Java sandbox. The NX Web Companion spoofing vulnerability now, in the worst case, allows to execute arbitrary code on the client abusing the trust the user once placed into the signed jar file. Details The java applet nxapplet.jar downloads a file called client.zip from a location that can be controlled by the attacker using a fake web site using the parameters passed to the applet (SiteUrl, RedirectUrl). The applet can be tricked into thinking that a new version is available by modifing the *ClientVersion parameters. After user confirmation, the applets then downloads a file client.zip from the location provided in SiteUrl. client.zip is an archive that contains a platform dependend executable that is _not_ code signed and therefore may be manipulated by an attacker to run arbitrary code abusing the trust placed into the nxapplet.jar certificate. The client.zip file actually contains a file called "client" that is lzma compressed. The file "client" itself is a zip archive that contains the platform dependend executable which is called: For Windows: nxclient.exe For Linux: bin/nxclient For OS X: bin/nxclient.app/Contents/MacOS/ For Solaris: bin/nxclient Report Timeline 2011-12-12: Vendor Notification 2011-12-15: Vendor Response 2012-01-16: Vendor agrees to disclosure 2012-01-25: Public Disclosure --
Powered by blists - more mailing lists