Message-ID: <c8f0f89e8eb34f3e87757c3a8624dad7@SEXC1.wgm.bleier.at>
Date: Fri, 8 Jan 2016 09:49:43 +0000
From: Thomas Bleier <thomas@...ier.at>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: MobaXTerm before version 8.5 vulnerability in "jump host" functionality
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
== Description ==
MobaXTerm (http://www.mobatek.net/), a Windows SSH/RDP/VNC/etc. client, includes
a function to open remote sessions via a so-called "jump host" or "SSH
gateway". Internally this creates an SSH port forward by binding a local port on
the machine running MobaXTerm and forwarding all traffic arriving there to the
specified destination host via the jump host through an SSH tunnel (the -L option
in OpenSSH); the final remote session to the target machine is then opened
through that local port.
MobaXTerm versions before 8.5, however, do not bind the local socket to the
loopback interface (127.0.0.1), which would restrict use of the tunnel to
processes on the local machine; instead they bind the socket to "any"
interface (0.0.0.0). As a result, anybody who can reach the machine running
MobaXTerm over the network gets a gateway to tunnel through to the target
machine.
This tunnel is opened the first time a session using this "jump host" is
opened, and it stays open after the session is closed, possibly for as long as
MobaXTerm is running.
The vulnerability is present in the default configuration of the MobaXTerm
application, and I could not find any option or setting to change this
behaviour in affected versions. Version 8.5, which was released in December
2015, fixes this vulnerability by binding the local socket to the loopback
interface.
Since MobaXTerm is typically used for system administration, and "jump hosts"
are typically used to work in networks that firewalls divide into separate
zones, this vulnerability allows an attacker to cross those firewalls and
attack the target hosts, e.g. via brute-forcing or credential reuse,
pass-the-hash or any other technique.
== Proof of concept ==
Display the ports currently in use (netstat -anb) while a MobaXTerm RDP
session opened via a "jump host" is active, or connect from a third host to the
gateway port on the machine running MobaXTerm.
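The netstat check above can be automated. The following is an added example,
not part of the original advisory or of MobaXTerm: it parses Windows-style
`netstat -an` output (a constructed sample is embedded) and reports every TCP
listener that is not bound to loopback, i.e. reachable from other hosts. A
forwarder bound to 0.0.0.0 (the pre-8.5 behaviour) shows up; one bound to
127.0.0.1 (the 8.5 behaviour) does not. The port numbers in the sample are
invented.

```python
import re

# Constructed sample of `netstat -an` output on a Windows host with a jump-host
# session open. 49321 models the pre-8.5 forwarder (bound to "any"),
# 49322/49323 model the 8.5 behaviour (loopback only); the rest is background noise.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49321          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49322        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49400       198.51.100.7:22        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::1]:49323            [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
"""

# Addresses that only local processes can reach.
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Proto, local address, foreign address, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


def split_addr(addr):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_listeners(netstat_text):
    """Return (host, port) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "LISTENING":
            continue
        listeners.append(split_addr(m.group(2)))
    return listeners


def exposed_listeners(netstat_text, ports_of_interest=None):
    """Listeners reachable from other hosts: anything not bound to loopback.

    ports_of_interest optionally restricts the result to known tunnel ports,
    e.g. the ones MobaXTerm reports for a jump-host session.
    """
    exposed = []
    for host, port in parse_listeners(netstat_text):
        if ports_of_interest is not None and port not in ports_of_interest:
            continue
        if host.startswith(LOOPBACK_PREFIXES):
            continue  # loopback-bound forwarder: the fixed behaviour
        exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"exposed listener: {host}:{port}")
```

Run it against real output by replacing SAMPLE_NETSTAT with the text of
`netstat -an` (or `netstat -anb` to get process names); any tunnel port listed
on 0.0.0.0 or [::] is the condition this advisory describes.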
== Solution ==
MobaXTerm 8.5 fixes the vulnerability; for older versions, access to the tunnel
ports can be blocked via a local firewall.
== Timeline ==
2015-11-23: vulnerability reported to vendor (MobaTek) and Cert/CC [VU#965520]
2015-11-25: first response from vendor
2015-12-19: updated version released
2016-01-08: public disclosure
- - - --
Thomas Bleier | Hauptplatz 16, A-7374 Weingraben, Austria
E-Mail: thomas@...ier.at | Phone: +43-664-3400559
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWj4YQAAoJEL5usxLqBS4yYAkP/ibotCfCXZtpO7e6jbciglYd
Jl6V3+Rz1oqaTsWkPs7eIOE4Q63KWwCsKmz5YkYxnAi9diWggCtc/Bd4LcTBhKYR
5jcrqEIQqZriMQAV2Kod7kJ80XUnA9vsfTezjKxoXLXxFjrirJqmJeR9ZsDXk5B6
W82kt+SbRTvLawDKZUWE8d7j6XtyYlInbFpycBDR/nQPEHCTSXNIYIdewsv3NVA5
4AMThFJldP0WsAt1vxa7vARatTXNaN2ec3sh9171RtSqg11oREPtBbu3MeFA0Vjh
ezcD8LUMKG6i73cvbcksfVogQvQGoOb7zGwPKEomvV9Eco0vLhZS/ZkU26o6jydP
I6VM6yNRzyiqCCjR5pWnLPHS5VCKjF2kiBi0x0a7kLgpV52agf/65nDodIc/zLpT
cWT6uB1Ha1MZQIF3KytX27joZrNm1rOqLEfy1xXgujOrsHkshTH29j7sQeuyM5l7
EQg0DbnmG5G8cmFcy+laYEhTLalFheeYEiNrWRZHSCDZh16JJVTb+1YuG8fcKzeh
VvOYFIIfIwmeeiyZteq0kmC4pBFzBuy8D43GzOzFvLZnee8axbhNRLmAdhPFB4C1
TC6S8JP3rhXFb4ct3CbYnP450XZEw4sdktnDZ/lZ9ZyAadcvtOw6D+v3fMp1V+Sa
0xD1K5shhwGn59H8yf6K
=KhKM
-----END PGP SIGNATURE-----