what you don't know can hurt you

NX Web Companion Spoofing Arbitrary Code Execution

NX Web Companion Spoofing Arbitrary Code Execution
Posted Jan 25, 2012
Authored by otr

NX Web Companion suffers from a spoofing vulnerability that may allow for arbitrary code execution.

tags | advisory, web, arbitrary, spoof, code execution
MD5 | 217d5cb4dac721dbdb33b56bf020535d

NX Web Companion Spoofing Arbitrary Code Execution

Change Mirror Download
# Vuln Title: NX Web Companion Spoofing Arbitrary Code Execution
# Vulnerability
# Date: 25.01.2012
# Author: otr
# Software Link: http://www.nomachine.com/documents/plugin/install.php
# Version: <= 3.x
# Tested on: Linux, Windows, Mac OS X x86, Mac OS X PPC, Solaris
# CVE : None, yet

Summary

The No Machine NX Web Companion is a Java applet that allows to
download and update the No Machine software from a server. The No
Machine software is used to remotely access computers. The NX Web
Companion is usually used by enterprises to easily deploy a cross
platform client for accessing remote machines.

Context

For security purposes the NX Web Companion Java applet jar file is
often code signed. Signed Java applets are allowed to run
arbitrary code (outside of the Java sandbox) on the client system
if the user confirms that he trusts the certificate the code was
signed with. If a company decides to use the NX Web Companion it
is likely to not only self-sign. Therefore it would get a CA
signed certificate for the Web Companion. The defaults when
accepting to such a signed Java applet are to accept to run the
applet in question and trust the publisher forever. Meaning that
any time the user browses to a page containg that applet, the
applet code is executed automatically outside of the Java sandbox.

The NX Web Companion spoofing vulnerability now, in the worst
case, allows to execute arbitrary code on the client abusing
the trust the user once placed into the signed jar file.

Details

The java applet nxapplet.jar downloads a file called
client.zip from a location that can be controlled by the
attacker using a fake web site using the parameters passed
to the applet (SiteUrl, RedirectUrl). The applet can be
tricked into thinking that a new version is available by
modifing the *ClientVersion parameters. After user
confirmation, the applets then downloads a file client.zip
from the location provided in SiteUrl. client.zip is an
archive that contains a platform dependend executable that
is _not_ code signed and therefore may be manipulated by an
attacker to run arbitrary code abusing the trust placed into
the nxapplet.jar certificate.

The client.zip file actually contains a file called "client" that is
lzma compressed. The file "client" itself is a zip archive that
contains the platform dependend executable which is called:

For Windows: nxclient.exe
For Linux: bin/nxclient
For OS X: bin/nxclient.app/Contents/MacOS/
For Solaris: bin/nxclient

Report Timeline

2011-12-12: Vendor Notification
2011-12-15: Vendor Response
2012-01-16: Vendor agrees to disclosure
2012-01-25: Public Disclosure




--

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    2 Files
  • 2
    Mar 2nd
    18 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    12 Files
  • 5
    Mar 5th
    19 Files
  • 6
    Mar 6th
    8 Files
  • 7
    Mar 7th
    1 Files
  • 8
    Mar 8th
    1 Files
  • 9
    Mar 9th
    11 Files
  • 10
    Mar 10th
    15 Files
  • 11
    Mar 11th
    9 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    13 Files
  • 14
    Mar 14th
    10 Files
  • 15
    Mar 15th
    13 Files
  • 16
    Mar 16th
    27 Files
  • 17
    Mar 17th
    15 Files
  • 18
    Mar 18th
    23 Files
  • 19
    Mar 19th
    25 Files
  • 20
    Mar 20th
    10 Files
  • 21
    Mar 21st
    6 Files
  • 22
    Mar 22nd
    1 Files
  • 23
    Mar 23rd
    22 Files
  • 24
    Mar 24th
    15 Files
  • 25
    Mar 25th
    22 Files
  • 26
    Mar 26th
    20 Files
  • 27
    Mar 27th
    15 Files
  • 28
    Mar 28th
    10 Files
  • 29
    Mar 29th
    1 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close