
'Secure' Wyse thin clients vulnerable to remote exploit bugs

More secure As susceptible as PCs


A popular brand of thin client device used by nuclear labs, military contractors and Fortune 100 companies is susceptible to exploits that put entire fleets of the machines in the control of online attackers.

Wyse Technologies, maker of the slimmed-down computing devices, touts them as being as secure as PCs, "or better," because there are no hard drives to get corrupted by malware or mechanical failure. It even argues that installing anti-virus software on the devices may be "overkill."

But according to Kevin Finisterre, the founder of security research firm SNOSoft, the devices are shipped with software that is vulnerable to attacks over the internet. Once compromised, the devices can be controlled remotely, allowing an attacker to change their configuration settings and do virtually anything someone sitting physically in front of the machine could do.

"I can take a machine out of the box, plug it in, and it's instantly exploitable," Finisterre, who has written proof-of-concept exploit code, told The Register. "There's no interaction on the user's part at all."

What's more, a security bug in Wyse software used to administer the terminals makes it trivial to take over the backend server that runs the program, Finisterre has found. He has written a Ruby proof-of-concept script that exploits the vulnerability in the software, known as the WDM or Wyse Device Manager.

All that's required is that the attacker know the machine's IP address. Once the script runs, it gives the attacker a command shell with full administrative privileges.

Wyse officials say they have reviewed Finisterre's code and so far have been unable to make it remotely execute malicious code in their labs. Still, they acknowledge that the code does cause machines running the Wyse software to crash, and have vowed to fix the bugs that are responsible.

"We take this very, very seriously and we're going to make sure that we completely follow up on what Kevin has reported as well," said Jeff McNaught, chief marketing and strategy officer at Wyse. "It's important for companies like Kevin's to be able to identify ways where we can all improve our products, so we certainly are hats off to him in that regard."

McNaught says he is unaware of any attacks that have targeted the vulnerability.

Finisterre, whose SNOSoft outfit is the research arm of penetration testing firm Netragard, said he developed the code in his bedroom lab over the past couple months using a VMware image with attributes that are almost surely different from those being used by Wyse.

The script targeting the WDM works only when the program is running on Windows 2000 machines. With extra work, he says it would be possible to exploit the bug on machines running Windows Vista or other more recent operating systems, using so-called heap spraying or similar hacking techniques. Running the exploit requires nothing more than providing the IP address of the server that runs the WDM software.

His code targeting the thin clients themselves attacks a small application that acts as a beacon that searches the attached network for servers running the WDM. It specifically targets the hagent.exe file for terminals running the embedded version of Windows XP, but he said it would be trivial to make the attack work on the agent contained in Linux images because the underlying vulnerability is present in both programs.

Both attacks target buffer overflow errors in code that runs by default on either the Wyse terminals or in the WDM. They are significant, given Wyse's customer portfolio, which according to marketing material includes the Crocker Nuclear Laboratory, the US Marine Corps Air-Ground Combat Center at Twentynine Palms and the Southern Arizona Veterans Administration Health Care System. Half of the world's top 100 corporations use Wyse products, according to this PowerPoint presentation hosted on the website of Wyse partner Citrix.

Few Wyse brochures get published that don't extol the security superiority of thin clients compared with traditional PCs. Similar boasting is common in cloud computing circles, where marketers would have us believe the risks of buggy code have effectively been eliminated.

But like a similar case from March, when a coding error by a single software-as-a-service provider exposed numerous customers to potentially crippling attacks, the episode shows that the model at best merely moves vulnerabilities upstream, rather than stamping them out.

For all Wyse's assurances about security, Finisterre said he worked since late May to find an appropriate company employee to contact about the vulnerabilities. Even after seeking help from the US CERT, or Computer Emergency Response Team, he got no reply to any of the emails he sent. Wyse employees answered his queries only after The Register asked a company spokeswoman to comment for this article.

"That's a shortcoming on our part," said McNaught, who went on to say the company is taking steps to make sure CERT personnel know the proper way for researchers to notify the company of security bugs. "That conversation has already been started by our CTO." ®
