NX Web Companion Spoofing Arbitrary Code Execution Vulnerability



# Vuln Title: NX Web Companion Spoofing Arbitrary Code Execution Vulnerability
# Date: 25.01.2012
# Author: otr
# Software Link: http://www.nomachine.com/documents/plugin/install.php
# Version: <= 3.x
# Tested on: Linux, Windows, Mac OS X x86, Mac OS X PPC, Solaris
# CVE : None, yet

Summary

The No Machine NX Web Companion is a Java applet that downloads
and updates the No Machine software from a server. The No
Machine software is used to remotely access computers. The NX Web
Companion is usually used by enterprises to easily deploy a
cross-platform client for accessing remote machines.

Context

For security purposes the NX Web Companion Java applet jar file is
often code signed. Signed Java applets are allowed to run
arbitrary code (outside of the Java sandbox) on the client system
if the user confirms that they trust the certificate the code was
signed with. A company that decides to use the NX Web Companion
is unlikely to stop at self-signing; it would typically obtain a
CA-signed certificate for the Web Companion. The default choices
when accepting such a signed Java applet are to run the applet in
question and to trust the publisher forever, meaning that any
time the user browses to a page containing that applet, the
applet code is executed automatically outside of the Java sandbox.

The NX Web Companion spoofing vulnerability, in the worst case,
allows arbitrary code execution on the client by abusing the
trust the user once placed in the signed jar file.

Details

The Java applet nxapplet.jar downloads a file called client.zip
from a location that can be controlled by an attacker through a
fake web site, using the parameters passed to the applet
(SiteUrl, RedirectUrl). The applet can be tricked into thinking
that a new version is available by modifying the *ClientVersion
parameters. After user confirmation, the applet then downloads
client.zip from the location provided in SiteUrl. client.zip is
an archive that contains a platform-dependent executable that is
_not_ code signed and therefore may be manipulated by an attacker
to run arbitrary code, abusing the trust placed in the
nxapplet.jar certificate.

The client.zip file actually contains a file called "client" that is
lzma compressed. The file "client" itself is a zip archive that
contains the platform-dependent executable, which is called:

For Windows: nxclient.exe
For Linux: bin/nxclient
For OS X: bin/nxclient.app/Contents/MacOS/
For Solaris: bin/nxclient
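The root cause above is that the nested payload (client.zip -> lzma "client" -> inner zip -> executable) is run without any integrity check tied to the signed applet. The following is an added example, not vendor code, of the defender-side check a deployment could apply before that executable is launched: unpack the nested layout as the advisory describes it and compare the platform executable against a pinned SHA-256 digest. The fixture archive, the `verify_executable` / `pin_digest` helpers and the assumption that "client" is a raw lzma/xz stream are all constructed here for illustration.

```python
import hashlib
import io
import lzma
import zipfile

# Executable paths inside the inner archive, per platform, as listed in the
# advisory. The OS X entry on the page is only a directory, so it is not pinned.
PLATFORM_EXECUTABLES = {
    "windows": "nxclient.exe",
    "linux": "bin/nxclient",
    "solaris": "bin/nxclient",
}


def pin_digest(executable_bytes):
    """SHA-256 hex digest a deployment would record for the genuine executable."""
    return hashlib.sha256(executable_bytes).hexdigest()


def unpack_client_zip(outer_bytes):
    """Walk client.zip -> 'client' (lzma) -> inner zip and return
    {member_path: sha256_hex} for every regular file in the inner archive."""
    with zipfile.ZipFile(io.BytesIO(outer_bytes)) as outer:
        compressed = outer.read("client")
    inner_bytes = lzma.decompress(compressed)  # FORMAT_AUTO: .lzma or .xz
    digests = {}
    with zipfile.ZipFile(io.BytesIO(inner_bytes)) as inner:
        for info in inner.infolist():
            if not info.is_dir():
                digests[info.filename] = pin_digest(inner.read(info))
    return digests


def verify_executable(outer_bytes, platform, expected_sha256):
    """True only if the platform executable exists and matches the pinned digest.
    A missing member or any byte change (tampered download) yields False."""
    digests = unpack_client_zip(outer_bytes)
    return digests.get(PLATFORM_EXECUTABLES[platform]) == expected_sha256


def build_sample_client_zip(executable_bytes, path="bin/nxclient"):
    """Constructed fixture mimicking the nested layout; not a real NX download."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(path, executable_bytes)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("client", lzma.compress(inner.getvalue()))
    return outer.getvalue()
```

A deployment that only ever accepts client.zip from its own SiteUrl and pins the digest this way turns a silently swapped executable into a failed verification rather than a code execution.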

Report Timeline

2011-12-12: Vendor Notification
2011-12-15: Vendor Response
2012-01-16: Vendor agrees to disclosure
2012-01-25: Public Disclosure
