exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NX Web Companion Spoofing Arbitrary Code Execution

NX Web Companion Spoofing Arbitrary Code Execution
Posted Jan 25, 2012
Authored by otr

NX Web Companion suffers from a spoofing vulnerability that may allow for arbitrary code execution.

tags | advisory, web, arbitrary, spoof, code execution
SHA-256 | c6dbb4c255fa34d27c7f911a58e314d1f1d2ecc2c658c6db8ccba523adf5f97b

NX Web Companion Spoofing Arbitrary Code Execution

Change Mirror Download
# Vuln Title: NX Web Companion Spoofing Arbitrary Code Execution
# Vulnerability
# Date: 25.01.2012
# Author: otr
# Software Link: http://www.nomachine.com/documents/plugin/install.php
# Version: <= 3.x
# Tested on: Linux, Windows, Mac OS X x86, Mac OS X PPC, Solaris
# CVE : None, yet

Summary

The No Machine NX Web Companion is a Java applet that allows to
download and update the No Machine software from a server. The No
Machine software is used to remotely access computers. The NX Web
Companion is usually used by enterprises to easily deploy a cross
platform client for accessing remote machines.

Context

For security purposes the NX Web Companion Java applet jar file is
often code signed. Signed Java applets are allowed to run
arbitrary code (outside of the Java sandbox) on the client system
if the user confirms that he trusts the certificate the code was
signed with. If a company decides to use the NX Web Companion it
is likely to not only self-sign. Therefore it would get a CA
signed certificate for the Web Companion. The defaults when
accepting to such a signed Java applet are to accept to run the
applet in question and trust the publisher forever. Meaning that
any time the user browses to a page containg that applet, the
applet code is executed automatically outside of the Java sandbox.

The NX Web Companion spoofing vulnerability now, in the worst
case, allows to execute arbitrary code on the client abusing
the trust the user once placed into the signed jar file.

Details

The java applet nxapplet.jar downloads a file called
client.zip from a location that can be controlled by the
attacker using a fake web site using the parameters passed
to the applet (SiteUrl, RedirectUrl). The applet can be
tricked into thinking that a new version is available by
modifing the *ClientVersion parameters. After user
confirmation, the applets then downloads a file client.zip
from the location provided in SiteUrl. client.zip is an
archive that contains a platform dependend executable that
is _not_ code signed and therefore may be manipulated by an
attacker to run arbitrary code abusing the trust placed into
the nxapplet.jar certificate.

The client.zip file actually contains a file called "client" that is
lzma compressed. The file "client" itself is a zip archive that
contains the platform dependend executable which is called:

For Windows: nxclient.exe
For Linux: bin/nxclient
For OS X: bin/nxclient.app/Contents/MacOS/
For Solaris: bin/nxclient

Report Timeline

2011-12-12: Vendor Notification
2011-12-15: Vendor Response
2012-01-16: Vendor agrees to disclosure
2012-01-25: Public Disclosure




--
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    36 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close