Feeds

'Secure' Wyse thin clients vulnerable to remote exploit bugs

More secure As susceptible as PCs

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

A popular brand of thin client device used by nuclear labs, military contractors and Fortune 100 companies is susceptible to exploits that put entire fleets of the machines in the control of online attackers.

Wyse Technologies, maker of the slimmed-down computing devices, touts them as being as secure, "or better" than PCs because there are no hard drives to get corrupted by malware or mechanical failure. It even argues that installing anti-virus software on the devices may be "overkill."

But according to Kevin Finisterre, the founder of security research firm SNOSoft, the devices are shipped with software that is vulnerable to attacks over the internet. Once compromised, the devices can be controlled remotely, allowing an attacker to change their configuration settings and do virtually anything someone sitting physically in front of the machine could do.

"I can take a machine out of the box, plug it in, and it's instantly exploitable," Finisterre, who has written proof-of-concept exploit code, told The Register. "There's no interaction on the user's part at all."

What's more, a security bug in Wyse software used to administer the terminals makes it trivial to take over the backend server that runs the program, Finisterre has found. He has written a Ruby proof-of-concept script that exploits the vulnerability in the software, known as the WDM or Wyse Device Manager.

All that's required is that the attacker know the machine's IP address. Once the script runs, it gives the attacker a command shell with full administrative privileges.

Wyse officials say they have reviewed Finisterre's code and so far have been unable to make it remotely execute malicious code in their labs. Still, they acknowledge that the code does cause machines running the Wyse software to crash, and have vowed to fix the bugs that are responsible.

"We take this very, very seriously and we're going to make sure that we completely follow up on what Kevin has reported as well," said Jeff McNaught, chief marketing and strategy officer at Wyse. "It's important for companies like Kevin's to be able to identify ways where we can all improve our products, so we certainly are hats off to him in that regard."

McNaught says he is unaware of any attacks that have targeted the vulnerability.

Finisterre, whose SNOSoft outfit is the research arm of penetration testing firm Netragard, said he developed the code in his bedroom lab over the past couple months using a VMware image with attributes that are almost surely different from those being used by Wyse.

The script targeting the WDM works only when the program is running on Windows 2000 machines. With extra work, he says it would be possible to exploit the bug on machines running Windows Vista or other more recent operating systems, using so-called heap spraying or similar hacking techniques. Running the exploit requires nothing more than providing the IP address of the server that runs the WDM software.

His code targeting the thin clients themselves attacks a small application that acts as a beacon that searchers the attached network for servers running the WDM. It specifically targets the hagent.exe file for terminals running the embedded version of Windows XP, but he said it would be trivial to make the attack work on the agent contained in Linux images because the underlying vulnerability is present on both programs.

Both attacks target buffer overflow errors in code that runs by default on either the Wyse terminals or in the WDM. They are significant, given Wyse's customer portfolio, which according to marketing material includes the Crocker Nuclear Laboratory, the US Marine Corps Air-Ground Combat Center at Twentynine Palms and the Southern Arizona Veterans Administration Health Care System. Half of the world's top 100 corporations use Wyse products, according to this PowerPoint presentation hosted on the website of Wyse partner Citrix.

Few Wyse brochures get published that don't extol the security superiority of thin clients compared with traditional PCs. Similar boasting is common in cloud computing circles, where marketers would have us believe the risks of buggy code have effectively been eliminated.

But like a similar case from March, when a coding error by a single software-as-a-service provider exposed numerous customers to potentially crippling attacks, the episode shows that the model at best merely moves vulnerabilities upstream, rather than stamping them out.

For all Wyse's assurances about security, Finisterre said he worked since late May to find an appropriate company employee to contact about the vulnerabilities. Even after seeking help from the US CERT, or Computer Emergency Response Team, he got no reply to any of the emails he sent. Wyse employees answered his queries only after The Register asked a company spokeswoman to comment for this article.

"That's a shortcoming on our part," said McNaught, who went on to say the company is taking steps to make sure CERT personnel know the proper way for researchers to notify the company of security bugs. "That conversation has already been started by our CTO." ®

Security for virtualized datacentres

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.