-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

== Description ==

MobaXTerm (http://www.mobatek.net/), a Windows SSH/RDP/VNC/etc. client,
includes functionality to open remote sessions via a so-called "jump host" or
"SSH gateway". Under the hood this creates an SSH port forward: a local port on
the machine running MobaXTerm is bound, and all traffic sent to that port is
forwarded to the specified destination host through an SSH tunnel via the jump
host (the equivalent of the -L option in OpenSSH). That local port is then used
to open the final remote session to the target machine.

MobaXTerm versions before 8.5, however, do not bind this local socket to the
loopback interface (127.0.0.1), which would restrict use of the tunnel to
processes on the local machine. Instead the socket is bound to "any" interface
(0.0.0.0). The result is a gateway that anybody who can reach the machine
running MobaXTerm over the network can use to tunnel through to the target
machine. The tunnel is opened the first time a session using the "jump host"
is opened, and it stays open even after that session is closed, possibly for as
long as MobaXTerm itself keeps running.

The vulnerability is present in the default configuration of the MobaXTerm
application, and I could not find any option or setting to change this
behaviour in affected versions. Version 8.5, released in December 2015, fixes
this vulnerability by binding the local socket to the loopback interface.

Since MobaXTerm is typically used for system administration, and "jump hosts"
are typically used to work in networks that are divided by firewalls into
separate network zones, this vulnerability allows an attacker to cross those
firewalls and attack the target hosts, e.g. by brute-forcing or reusing
credentials, pass-the-hash, or any other technique.
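The practical check for the behaviour described above is to look at what the
MobaXTerm process is listening on: a tunnel port bound to 0.0.0.0 (or [::])
is reachable from the network, one bound to 127.0.0.1 is not. The following
script is an added example, not part of the original advisory and not code
from MobaTek: it parses the output format of the Windows `netstat -anb`
command and flags TCP listeners in LISTENING state that are bound to a
wildcard address and owned by a given process name. The sample netstat dump,
the port numbers in it and the process name "MobaXterm.exe" are constructed
for the example; run it against real output with
`netstat -anb > netstat.txt` (needs an elevated prompt for the -b owner
information) and pass the file path on the command line.

```python
"""Audit a Windows `netstat -anb` dump for tunnel ports bound to the wildcard
address instead of the loopback interface.  Added example; the sample data
below is constructed and not a real capture."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape `netstat -anb` prints: a connection line,
# optionally followed by component names and a bracketed owning executable.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:49312          0.0.0.0:0              LISTENING
 [MobaXterm.exe]
  TCP    127.0.0.1:49313        0.0.0.0:0              LISTENING
 [MobaXterm.exe]
  TCP    192.168.1.20:49320     10.0.0.5:22            ESTABLISHED
 [MobaXterm.exe]
  TCP    [::]:445               [::]:0                 LISTENING
 Can not obtain ownership information
"""

# Bind addresses that accept connections on every interface.
WILDCARD_HOSTS = {"0.0.0.0", "[::]"}

_CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
_OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


@dataclass
class Listener:
    proto: str
    host: str
    port: int
    state: str
    owner: Optional[str]


def split_host_port(addr: str):
    """Split '0.0.0.0:135' or '[::]:445' into (host, port)."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def parse_netstat(text: str) -> List[Listener]:
    """Turn a netstat -anb dump into Listener records with their owner."""
    entries: List[Listener] = []
    current: Optional[Listener] = None
    for line in text.splitlines():
        m = _CONN_RE.match(line)
        if m:
            proto, local, _foreign, state = m.groups()
            host, port = split_host_port(local)
            current = Listener(proto, host, port, state or "", None)
            entries.append(current)
            continue
        m = _OWNER_RE.match(line)
        if m and current is not None:
            # The bracketed line names the executable owning the socket.
            current.owner = m.group(1)
    return entries


def is_wildcard(host: str) -> bool:
    return host in WILDCARD_HOSTS


def find_exposed_tunnels(text: str, process: str = "MobaXterm.exe") -> List[Listener]:
    """TCP sockets in LISTENING state, bound to any interface, owned by `process`.
    The 127.0.0.1-bound listener of the same process is deliberately not flagged."""
    return [
        e for e in parse_netstat(text)
        if e.proto == "TCP" and e.state == "LISTENING"
        and is_wildcard(e.host)
        and e.owner is not None and e.owner.lower() == process.lower()
    ]


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    for hit in find_exposed_tunnels(data):
        print(f"EXPOSED: {hit.owner} listens on {hit.host}:{hit.port}")
```

On the constructed sample only port 49312 is reported: it is the one
MobaXterm.exe listener bound to 0.0.0.0, whereas 49313 is correctly limited
to 127.0.0.1 and 49320 is an outgoing connection, not a listener.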
== Proof of concept ==

Display the currently used ports (netstat -anb) while a MobaXTerm RDP session
opened via a "jump host" is active, or connect from a third host to the
gateway port on the machine where MobaXTerm is running.

== Solution ==

MobaXTerm 8.5 fixes the vulnerability. For older versions, access to the
tunnel ports can be blocked with a local firewall.

== Timeline ==

2015-11-23: vulnerability reported to vendor (MobaTek) and CERT/CC [VU#965520]
2015-11-25: first response from vendor
2015-12-19: updated version released
2016-01-08: public disclosure

-- 
Thomas Bleier | Hauptplatz 16, A-7374 Weingraben, Austria
E-Mail: thomas@xxxxxxxxx | Phone: +43-664-3400559
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWj4YQAAoJEL5usxLqBS4yYAkP/ibotCfCXZtpO7e6jbciglYd
Jl6V3+Rz1oqaTsWkPs7eIOE4Q63KWwCsKmz5YkYxnAi9diWggCtc/Bd4LcTBhKYR
5jcrqEIQqZriMQAV2Kod7kJ80XUnA9vsfTezjKxoXLXxFjrirJqmJeR9ZsDXk5B6
W82kt+SbRTvLawDKZUWE8d7j6XtyYlInbFpycBDR/nQPEHCTSXNIYIdewsv3NVA5
4AMThFJldP0WsAt1vxa7vARatTXNaN2ec3sh9171RtSqg11oREPtBbu3MeFA0Vjh
ezcD8LUMKG6i73cvbcksfVogQvQGoOb7zGwPKEomvV9Eco0vLhZS/ZkU26o6jydP
I6VM6yNRzyiqCCjR5pWnLPHS5VCKjF2kiBi0x0a7kLgpV52agf/65nDodIc/zLpT
cWT6uB1Ha1MZQIF3KytX27joZrNm1rOqLEfy1xXgujOrsHkshTH29j7sQeuyM5l7
EQg0DbnmG5G8cmFcy+laYEhTLalFheeYEiNrWRZHSCDZh16JJVTb+1YuG8fcKzeh
VvOYFIIfIwmeeiyZteq0kmC4pBFzBuy8D43GzOzFvLZnee8axbhNRLmAdhPFB4C1
TC6S8JP3rhXFb4ct3CbYnP450XZEw4sdktnDZ/lZ9ZyAadcvtOw6D+v3fMp1V+Sa
0xD1K5shhwGn59H8yf6K
=KhKM
-----END PGP SIGNATURE-----