lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFeL3EqmiuA_gCd89AiQrpeSgL2h14orXgs5gcqa-wbEY_gbaw@mail.gmail.com>
Date: Mon, 17 Feb 2014 15:30:48 +0200
From: Ronen Z <ronen@...ji.com>
To: bugtraq@...urityfocus.com
Subject: Jetro Cockpit Secure Browsing vulnerability - Client missing input
 validation allowing RCE

CVE-2014-1861

Affected versions: 4.3.3
                           4.3.1 and probably prior versions.


Jetro Cockpit Secure Browsing makes use of a client running on a
user's workstation in the enterprise's internal network, and a server
in the DMZ that connects on the client's behalf to the internet.

Attack scenario: User causes server to be compromised by an unpatched
or 0-day vulnerability. For example, a browser exploit, or a PDF
viewer exploit. The product should provide network separation and
sand-box such an attack. However the vulnerability found allows a
compromised server to execute code on the client machine using the
printing mechanism.
Specifically:
- If an attacker gains user-level RCE on the server, the found issue
will allow RCE on the same user's workstation in the internal network.
- If an attacker gains elevated privileged RCE on the server (using a
PE vulnerability), the found issue will allow RCE on any user's
workstation in the internal network.

The client does not validate input coming from the server as a result
of a print-to-pdf event. The server can send an .EXE file instead of
the expected .PDF file and the client will execute the file upon
receiving it.

Full disclosure, demo and details here:
http://blog.quaji.com/2014/02/remote-code-execution-on-all-enterprise.html

Ronen Zilberman

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ