lists.openwall.net
Open Source and information security mailing list archives

Message-ID: <c8f0f89e8eb34f3e87757c3a8624dad7@SEXC1.wgm.bleier.at>
Date: Fri, 8 Jan 2016 09:49:43 +0000
From: Thomas Bleier <thomas@...ier.at>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
 "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [FD] MobaXTerm before version 8.5 vulnerability in "jump host"
 functionality

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

== Description ==

MobaXTerm (http://www.mobatek.net/), a Windows SSH/RDP/VNC/etc. client, can open 
remote sessions via a so-called "jump host" or "SSH gateway". Internally this 
creates an SSH port forward: a local port on the machine running MobaXTerm is 
bound, and all traffic sent to it is forwarded through an SSH tunnel via the 
jump host to the specified destination host (the equivalent of OpenSSH's 
-L [bind_address:]port:host:hostport, which listens on loopback unless a bind 
address or -g is given). The final remote session to the target machine is then 
opened through that local port.

MobaXTerm versions before 8.5, however, do not bind this local socket to the 
loopback interface (127.0.0.1), which would restrict use of the tunnel to 
processes on the local machine. Instead the socket is bound to all interfaces 
(0.0.0.0). This turns the machine running MobaXTerm into a gateway: anyone who 
can reach that port over the network can tunnel through to the target host.

This tunnel is opened the first time a session using the "jump host" is opened, 
and may stay open after that session is closed, for as long as MobaXTerm itself 
keeps running.

The vulnerability is present in the default configuration of the MobaXTerm 
application, and I could not find any option or setting to change this 
behaviour in affected versions. Version 8.5, which was released in December 
2015, fixes this vulnerability by binding the local socket to the loopback 
interface.

Since MobaXTerm is typically used for system administration, and "jump hosts" 
are typically used to work in networks that firewalls divide into separate 
zones, this vulnerability allows an attacker to cross those firewalls and attack 
the target hosts, e.g. by brute-forcing or reusing credentials, pass-the-hash, 
or any other technique.


== Proof of concept ==

Display the listening ports (netstat -anb, which needs an elevated prompt) while 
a MobaXTerm RDP session opened via a "jump host" is active: the forwarding port 
shows up bound to 0.0.0.0. Alternatively, connect from a third host to the 
gateway port on the machine running MobaXTerm.


== Solution ==

MobaXTerm 8.5 fixes the vulnerability; for older versions, access to the tunnel 
ports can be blocked with a local firewall.
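The following PowerShell is an added example illustrating both the proof of 
concept and the workaround above; it is not part of the original advisory and 
not MobaTek's code. It lists listening TCP sockets bound to all interfaces that 
belong to the MobaXterm process (the process name "MobaXterm" and the install 
path below are assumptions, as is the availability of the NetTCPIP and 
NetSecurity cmdlets, i.e. Windows 8 / Server 2012 or later), and it adds a 
Windows Firewall rule that blocks inbound connections to the program. The rule 
is keyed on the program rather than a port because the forwarding port is 
chosen at runtime.

```powershell
# Added example, not part of the original advisory.
# Assumptions: MobaXterm's process name is "MobaXterm"; the default install
# path is used below; Get-NetTCPConnection / New-NetFirewallRule are available.

function Get-ExposedListeners {
    param([string]$ProcessName = 'MobaXterm')   # assumed process name
    # Listening sockets bound to every interface (IPv4 0.0.0.0 or IPv6 ::),
    # resolved to their owning process and filtered to MobaXterm.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = $proc.ProcessName
            }
        } |
        Where-Object { $_.Process -eq $ProcessName }
}

function Add-MobaXtermBlockRule {
    # Assumed default install path; adjust to the actual MobaXterm.exe location.
    param([string]$Program = "${env:ProgramFiles(x86)}\Mobatek\MobaXterm\MobaXterm.exe")
    $name = 'Block inbound to MobaXterm'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # Block any inbound TCP connection to the program, on every profile.
        New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Program $Program -Protocol TCP -Action Block -Profile Any
    }
}

# 1. Audit: with a "jump host" session open, this should list the forwarding
#    port bound to 0.0.0.0 on an affected version.
$exposed = Get-ExposedListeners
if ($exposed) {
    $exposed | Format-Table -AutoSize
    # Confirm from a *different* host that the port really is reachable:
    #   Test-NetConnection <mobaxterm-host> -Port <LocalPort>
    # TcpTestSucceeded = True means the firewall crossing described above works.

    # 2. Workaround for versions before 8.5 (run from an elevated prompt).
    Add-MobaXtermBlockRule
}
```

After adding the rule, re-run the remote Test-NetConnection to confirm it now 
fails, and re-open the MobaXTerm session to confirm the local client (which 
connects to 127.0.0.1) still works; Windows Firewall does not filter loopback 
traffic, so the session itself is unaffected.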


== Timeline ==

2015-11-23: vulnerability reported to vendor (MobaTek) and CERT/CC [VU#965520]
2015-11-25: first response from vendor
2015-12-19: updated version released
2016-01-08: public disclosure


-- 
Thomas Bleier  |  Hauptplatz 16, A-7374 Weingraben, Austria
E-Mail: thomas@...ier.at  |  Phone: +43-664-3400559


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
