Sunday, February 2, 2014

Remote Code Execution On All Enterprise Workstations Simultaneously - A Vulnerability in Jetro Cockpit Secure Browsing
-or-
The Irony of Insecure Security Software

A Hebrew summary is available here.  
 
Update 1 (2014-09-02): The finding received a CVE listing number, CVE-2014-1861.
Update 2 (2014-24-02): Vendor response added as per their request.


Overview
Browsing the web is dangerous.
Hackers are constantly searching for vulnerabilities in popular software. Between the OS, browser, browser plug-ins, Java, Office, PDF readers, etc., an average machine runs a lot of complex code which is never bug-free. It is no wonder, then, that news of critical vulnerabilities is common, and being fully patched is a constant race. For a security-conscious organization with hundreds of workstations containing sensitive data, secure browsing becomes a top priority.
Jetro Cockpit Secure Browsing's (JCSB) solution is network separation and browsing-by-proxy. The workstations are in a sealed-off inner network (intranet) with no direct outside access. For internet browsing, the workstation connects to a middle-man server in the DMZ (outside the intranet), which does the browsing on its behalf over a Remote Desktop Connection. The DMZ server running the browser, Java etc. is still exposed to the dangers mentioned above, but in the event it is compromised the workstation remains safe: the attacker's reach would be boxed off to the DMZ server, which contains no sensitive data and is firewalled off from the intranet. The attack would be foiled.
However sometimes the solution creates the problem.
The vulnerability found breaks the basic value proposition of the security product in which it is found. With it the attacker, after compromising the DMZ server, can further inject malicious code into any workstation that is using it to surf the web. This would generally mean instant "pwnage" of all the enterprise's workstations.

Worse still, the malicious code can later "call home". Typically, malicious code that has reached the internal network somehow has a hard time connecting outside because the internal network isn't directly connected to the internet. However in this case JCSB itself is the connecting agent. Using the intermediate (previously compromised) Jetro server in the DMZ, the code can seamlessly have a 2-way connection with the attacker's server. This means the attacker can steal sensitive information, and establish an APT (Advanced Persistent Threat). Threat-wise, the enterprise is arguably better off using no protection at all as workstations browsing the internet directly could only be compromised one at a time.
This finding is unique as it combined several factors: A critical vulnerability allowing mass remote code execution, found in a security product, used by a large number of leading organizations, which has been in the product for a long time (possibly years), and the product is claimed to have been audited by several leading security companies. See last section for details.

The vendor has been notified and has responded swiftly. The company notified all their clients and is currently upgrading them to a new version patching the vulnerability. Clients that have not upgraded yet are advised to do so immediately as there is no known workaround.


Proof-of-Concept Video



The video demos a successful attack:
  • The virtual machine is an enterprise workstation on the separated intranet. The user receives an email with a link to a remote malicious site.
  • The user clicks the link, and the website is opened via JCSB (A tunnel to a remote terminal server is opened, and the browser runs remotely).
  • A vulnerability is exploited in the browser to gain control of the terminal server (unrelated to JCSB).
  • Reported vulnerability is used to run malicious code on the user's workstation (window titled Malicious Code).
Then, a more severe variant is shown:
  • A second, unrelated user on another workstation is browsing Google via JCSB.
  • The same attack takes place: The first user clicks malicious link. Attacker gains control of terminal server.
  • Reported vulnerability is used: Both workstations are infected simultaneously.
Killing the JCSB client (the "J" icon) closes all remote windows. This shows that the malicious code is in fact running on the users' workstations in the local network.

Product Overview
Jetro Cockpit Secure Browsing is a popular enterprise-grade secure browsing solution developed by Jetro Platforms, a well known Israeli security company. The product is used by many leading companies in the Finance, Insurance and Government sectors, and has substantial international traction.
 
Similar to Citrix NetScaler, JCSB secures browsing by having workstations on a separated enterprise intranet connect to the internet via proxy using a terminal server located in the enterprise DMZ, instead of directly. The connection to the Jetro terminal server is done over RDC, and is firewalled off the inner network.
A somewhat simplified browsing session using JCSB

The Exploit
Attack scenario: A user on the local intranet causes the terminal server (using JCSB) to be compromised by an attacker. This can be done using an unpatched or zero-day vulnerability in any software on the server. For example, by browsing a malicious site (browser vulnerability), opening a malicious PDF (reader vulnerability), etc.

The research found that in this scenario:
  • Obtaining admin level control of the terminal server (using a Privilege Escalation vulnerability for example), the attacker could run arbitrary code on all workstations in the enterprise that are using JCSB to browse the web at the time of the attack or later. This means that a user surfing completely unrelated to the attacked user could still be compromised.
  • Obtaining only user level control of the terminal server, the attacker could run arbitrary code on the local workstation of the user that caused the attack.


The Vulnerability
The vulnerabilities were found in the print feature: JCSB allows a user to print to a local printer connected to the client's machine. This means "back-stream" data flow: From the terminal server to the local user's machine. Several vulnerabilities in the printing mechanism allowed abusing this reverse data flow for code execution.

When the user creates a print job, the terminal server prints it to a PostScript file, then converts it to PDF and sends the resulting file back to the workstation. Worth noting is that JCSB takes measures to secure the printing process: original content never reaches the workstation as is (the conversions ensure that any malicious code that might exist in the original material is discarded), generated files are randomly named and deleted immediately after being transferred, etc.

However, these measures are irrelevant if the terminal server itself is compromised: The attacker can mimic/bypass any actions carried out by the real terminal server code. It is the client code that needs to be protected, but unfortunately it is not.

The printing is done via Remote Desktop Virtual Channels. This technology is intended for developing custom services atop the Remote Desktop Protocol. The terminal server prepares a PDF file with the printed content and transfers it to the client for actual printing. An XML is sent over the virtual channel similar to this:



where xxx.pdf is the PDF to be printed.

Note a flag called "Open In Reader". It tells the client to open the received PDF in a PDF reader on the local machine instead of actually printing it. It turns out that in order to open the PDF reader, the client simply executes the received file with the intent of running the default handler for PDF files (such as Acrobat Reader).

To exploit these vulnerabilities an attacker can prepare a file called "malicious.exe" containing the malicious code to run. The terminal server then sends a modified XML similar to the one below. Note that the FileName is now xxx.EXE and OpenInReader is on.
Upon receiving the file, the client will execute it, assuming it is a PDF and that the default handler will kick in. Instead, being an EXE file, it will simply get executed.





Workaround

A workaround was not found.
Printing as a feature can be disabled through the administration console, however doing this doesn't prevent the attack. Even though the regular printing dialogs are not displayed, the low-level processing of XML jobs (as shown above) continues to function. Similarly, uninstalling the printer drivers on the terminal server does not provide a countermeasure either.
Clients are advised to upgrade to the newest version by contacting Jetro Platforms.
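The post's point is that once the terminal server is hostile, only checks performed on the client count. As an added example (not Jetro's code), this is the kind of validation a client should apply to a print job before acting on it: the file name, its extension and the file's own bytes must all agree that it is a PDF. The page does not show the real XML schema, so the <PrintJob> element names and the sample messages below are assumed and constructed here.

```python
"""Client-side validation of a JCSB-style print job (added example).

This is not Jetro's code. The page says the job message carries a FileName
and an OpenInReader flag but does not show its schema, so the <PrintJob>
layout, the element names and the sample messages below are assumed and
constructed here. The defensive point is the one the post makes: once the
terminal server is compromised, only checks done on the client count, so
the client must not execute whatever file name the server hands it.
"""
import re
import xml.etree.ElementTree as ET

PDF_MAGIC = b"%PDF-"          # every PDF starts with this header
PE_MAGIC = b"MZ"              # every Windows executable starts with this
# Bare file name: no path separators, single lowercase .pdf extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.pdf$")


class RejectedJob(ValueError):
    """Raised when a print job fails validation."""


def parse_job(xml_text):
    """Return (file_name, open_in_reader) from an assumed <PrintJob> message."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise RejectedJob("malformed job XML: %s" % exc)
    name = (root.findtext("FileName") or "").strip()
    flag = (root.findtext("OpenInReader") or "0").strip().lower()
    return name, flag in ("1", "true", "yes", "on")


def validate_job(xml_text, content):
    """Return ("print" | "open", file_name), or raise RejectedJob.

    The file name, its extension and the file's own bytes must all agree
    that this is a PDF; the OpenInReader flag is honoured only after that.
    """
    name, open_in_reader = parse_job(xml_text)
    if not SAFE_NAME.match(name):
        raise RejectedJob("file name is not an allowed PDF name: %r" % name)
    if content[:2] == PE_MAGIC:
        raise RejectedJob("payload is a PE executable, not a PDF")
    if not content.startswith(PDF_MAGIC):
        raise RejectedJob("payload lacks the PDF header")
    return ("open" if open_in_reader else "print"), name


def decide(xml_text, content):
    """Convenience wrapper: 'print', 'open' or 'rejected'."""
    try:
        return validate_job(xml_text, content)[0]
    except RejectedJob:
        return "rejected"


# Constructed sample messages and payloads (not captured from the product).
GOOD_JOB = ("<PrintJob><FileName>a1b2c3d4.pdf</FileName>"
            "<OpenInReader>0</OpenInReader></PrintJob>")
OPEN_JOB = GOOD_JOB.replace("<OpenInReader>0", "<OpenInReader>1")
# The variant from the post: an .EXE name with OpenInReader switched on.
EXE_JOB = ("<PrintJob><FileName>a1b2c3d4.EXE</FileName>"
           "<OpenInReader>1</OpenInReader></PrintJob>")
PDF_BYTES = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
EXE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56

if __name__ == "__main__":
    for label, job, payload in (("legit", GOOD_JOB, PDF_BYTES),
                                ("open", OPEN_JOB, PDF_BYTES),
                                ("exe", EXE_JOB, EXE_BYTES),
                                ("renamed exe", GOOD_JOB, EXE_BYTES)):
        print("%-12s -> %s" % (label, decide(job, payload)))
```

The "renamed exe" case goes beyond the post's variant: it shows why the content check matters even when the server supplies a plausible .pdf name.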


Technicalities and Timeline

I conducted the research as an independent consultant for a client that was interested in assessing the risk of the print feature in the product. I've only tested the printing feature and not the entire product. The audit was entirely black-box.

Ultimately, the vulnerability found was straightforward. However the audit itself was quite challenging, requiring a complex setup of 5 virtual machines to mimic an enterprise deployment and plenty of code reverse-engineering.

The research was done using the 30-day evaluation version available from the company's website. All versions available for download were tested and found vulnerable. They are:
  • Jetro Cockpit Secure Browsing 4.3.3 (latest version at time of research)
  • Jetro Cockpit Secure Browsing 4.3.1 (released 2013-05-19)
Timeline
2014-01-02 Vendor contacted and informed about vulnerability.
2014-01-12 Vendor reported having informed all clients about vulnerability in an official email, and began upgrading customers with a new version.
2014-02-02 Coordinated disclosure after contacting vendor.


Final Thoughts

Interestingly, Jetro states having had its product reviewed and approved by several leading security consultancy companies. An endorsement by one such company can be found on many of Jetro's promotional materials. The actual report posted on their site states it was only a "design review with no actual security tests", however it still doesn't mention the possibility of this attack vector. This arguably gives customers a false sense of security as it seems the product is "tested and found secure". Details about the other audits were not found.

Thoroughly testing such products, especially black-box testing, is very time consuming and therefore expensive. An expense perhaps neither the company nor its clients wish to bear. This raises interesting questions about the value of "overview" security reviews and their use as a promotional method for security product sales, and the surprising security risks introduced by security software.

All downloadable versions were tested and found vulnerable. The oldest version available for download (4.3.1) was released 2013-05-19, meaning customers were vulnerable for at least 8 months prior to this disclosure. However, its release notes state "Print-jobs transfer, in previous COCKPIT versions, was accomplished in virtual channel." This makes it reasonable to assume that the vulnerability existed in previous versions of the product as well, perhaps going undetected for several years.
The idea of seamless remote browsing introduces plenty of tricky security problems that may prove difficult to solve. While this research focused only on the printing feature, further research might uncover other vulnerabilities in this, and other similar products.

Finally, I would like to commend Jetro's responsiveness, which was timely and honest.

Update (2014-24-02)
Vendor's Response

 Jetro Platforms requested I post their response on my blog:
As detailed in this post, contrary to the vendor's response, users of the affected versions were, and still are, exposed and at real risk. The probability that an exploitation can occur in a real work environment is high. The vulnerability does not require an administrator user.

Before publishing the response, I contacted the vendor explaining the response is not accurate and does not portray the actual gravity of the issue. In response the vendor requested I publish the response as-is.

Judging from the response, it seems possible that users were not fully informed about the extent of the risks this vulnerability creates for them. This might cause users to delay upgrading, wrongly assuming they are not at any real risk. As stated, users in a normal production environment are at real risk, and should upgrade to the new version as soon as possible.

Users that wish to do so may feel free to contact me with any questions regarding this vulnerability and its consequences.

As of this writing, the vendor has not issued a public announcement about the vulnerability on their website, and the latest version available for download is still vulnerable.

68 comments:

  1. Good job :), and very nicely written.
