Feeds

'Secure' Wyse thin clients vulnerable to remote exploit bugs

More secure As susceptible as PCs

  • alert
  • submit to reddit

SANS - Survey on application security programs

A popular brand of thin client device used by nuclear labs, military contractors and Fortune 100 companies is susceptible to exploits that put entire fleets of the machines in the control of online attackers.

Wyse Technologies, maker of the slimmed-down computing devices, touts them as being as secure, "or better" than PCs because there are no hard drives to get corrupted by malware or mechanical failure. It even argues that installing anti-virus software on the devices may be "overkill."

But according to Kevin Finisterre, the founder of security research firm SNOSoft, the devices are shipped with software that is vulnerable to attacks over the internet. Once compromised, the devices can be controlled remotely, allowing an attacker to change their configuration settings and do virtually anything someone sitting physically in front of the machine could do.

"I can take a machine out of the box, plug it in, and it's instantly exploitable," Finisterre, who has written proof-of-concept exploit code, told The Register. "There's no interaction on the user's part at all."

What's more, a security bug in Wyse software used to administer the terminals makes it trivial to take over the backend server that runs the program, Finisterre has found. He has written a Ruby proof-of-concept script that exploits the vulnerability in the software, known as the WDM or Wyse Device Manager.

All that's required is that the attacker know the machine's IP address. Once the script runs, it gives the attacker a command shell with full administrative privileges.

Wyse officials say they have reviewed Finisterre's code and so far have been unable to make it remotely execute malicious code in their labs. Still, they acknowledge that the code does cause machines running the Wyse software to crash, and have vowed to fix the bugs that are responsible.

"We take this very, very seriously and we're going to make sure that we completely follow up on what Kevin has reported as well," said Jeff McNaught, chief marketing and strategy officer at Wyse. "It's important for companies like Kevin's to be able to identify ways where we can all improve our products, so we certainly are hats off to him in that regard."

McNaught says he is unaware of any attacks that have targeted the vulnerability.

Finisterre, whose SNOSoft outfit is the research arm of penetration testing firm Netragard, said he developed the code in his bedroom lab over the past couple months using a VMware image with attributes that are almost surely different from those being used by Wyse.

The script targeting the WDM works only when the program is running on Windows 2000 machines. With extra work, he says it would be possible to exploit the bug on machines running Windows Vista or other more recent operating systems, using so-called heap spraying or similar hacking techniques. Running the exploit requires nothing more than providing the IP address of the server that runs the WDM software.

His code targeting the thin clients themselves attacks a small application that acts as a beacon that searchers the attached network for servers running the WDM. It specifically targets the hagent.exe file for terminals running the embedded version of Windows XP, but he said it would be trivial to make the attack work on the agent contained in Linux images because the underlying vulnerability is present on both programs.

Both attacks target buffer overflow errors in code that runs by default on either the Wyse terminals or in the WDM. They are significant, given Wyse's customer portfolio, which according to marketing material includes the Crocker Nuclear Laboratory, the US Marine Corps Air-Ground Combat Center at Twentynine Palms and the Southern Arizona Veterans Administration Health Care System. Half of the world's top 100 corporations use Wyse products, according to this PowerPoint presentation hosted on the website of Wyse partner Citrix.

Few Wyse brochures get published that don't extol the security superiority of thin clients compared with traditional PCs. Similar boasting is common in cloud computing circles, where marketers would have us believe the risks of buggy code have effectively been eliminated.

But like a similar case from March, when a coding error by a single software-as-a-service provider exposed numerous customers to potentially crippling attacks, the episode shows that the model at best merely moves vulnerabilities upstream, rather than stamping them out.

For all Wyse's assurances about security, Finisterre said he worked since late May to find an appropriate company employee to contact about the vulnerabilities. Even after seeking help from the US CERT, or Computer Emergency Response Team, he got no reply to any of the emails he sent. Wyse employees answered his queries only after The Register asked a company spokeswoman to comment for this article.

"That's a shortcoming on our part," said McNaught, who went on to say the company is taking steps to make sure CERT personnel know the proper way for researchers to notify the company of security bugs. "That conversation has already been started by our CTO." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.