'Secure' Wyse thin clients vulnerable to remote exploit bugs

More secure As susceptible as PCs

A popular brand of thin client device used by nuclear labs, military contractors and Fortune 100 companies is susceptible to exploits that put entire fleets of the machines in the control of online attackers.

Wyse Technologies, maker of the slimmed-down computing devices, touts them as being as secure as PCs "or better" because there are no hard drives to get corrupted by malware or mechanical failure. It even argues that installing anti-virus software on the devices may be "overkill."

But according to Kevin Finisterre, the founder of security research firm SNOSoft, the devices are shipped with software that is vulnerable to attacks over the internet. Once compromised, the devices can be controlled remotely, allowing an attacker to change their configuration settings and do virtually anything someone sitting physically in front of the machine could do.

"I can take a machine out of the box, plug it in, and it's instantly exploitable," Finisterre, who has written proof-of-concept exploit code, told The Register. "There's no interaction on the user's part at all."

What's more, a security bug in Wyse software used to administer the terminals makes it trivial to take over the backend server that runs the program, Finisterre has found. He has written a Ruby proof-of-concept script that exploits the vulnerability in the software, known as the WDM or Wyse Device Manager.

All that's required is that the attacker know the machine's IP address. Once the script runs, it gives the attacker a command shell with full administrative privileges.

Wyse officials say they have reviewed Finisterre's code and so far have been unable to make it remotely execute malicious code in their labs. Still, they acknowledge that the code does cause machines running the Wyse software to crash, and have vowed to fix the bugs that are responsible.

"We take this very, very seriously and we're going to make sure that we completely follow up on what Kevin has reported as well," said Jeff McNaught, chief marketing and strategy officer at Wyse. "It's important for companies like Kevin's to be able to identify ways where we can all improve our products, so we certainly are hats off to him in that regard."

McNaught says he is unaware of any attacks that have targeted the vulnerability.

Finisterre, whose SNOSoft outfit is the research arm of penetration testing firm Netragard, said he developed the code in his bedroom lab over the past couple months using a VMware image with attributes that are almost surely different from those being used by Wyse.

The script targeting the WDM works only when the program is running on Windows 2000 machines. With extra work, he says it would be possible to exploit the bug on machines running Windows Vista or other more recent operating systems, using so-called heap spraying or similar hacking techniques. Running the exploit requires nothing more than providing the IP address of the server that runs the WDM software.

His code targeting the thin clients themselves attacks a small application that acts as a beacon that searches the attached network for servers running the WDM. It specifically targets the hagent.exe file for terminals running the embedded version of Windows XP, but he said it would be trivial to make the attack work on the agent contained in Linux images because the underlying vulnerability is present in both programs.

Both attacks target buffer overflow errors in code that runs by default on either the Wyse terminals or in the WDM. They are significant, given Wyse's customer portfolio, which according to marketing material includes the Crocker Nuclear Laboratory, the US Marine Corps Air-Ground Combat Center at Twentynine Palms and the Southern Arizona Veterans Administration Health Care System. Half of the world's top 100 corporations use Wyse products, according to a PowerPoint presentation hosted on the website of Wyse partner Citrix.

Few Wyse brochures get published that don't extol the security superiority of thin clients compared with traditional PCs. Similar boasting is common in cloud computing circles, where marketers would have us believe the risks of buggy code have effectively been eliminated.

But like a similar case from March, when a coding error by a single software-as-a-service provider exposed numerous customers to potentially crippling attacks, the episode shows that the model at best merely moves vulnerabilities upstream, rather than stamping them out.

For all Wyse's assurances about security, Finisterre said he worked since late May to find an appropriate company employee to contact about the vulnerabilities. Even after seeking help from the US CERT, or Computer Emergency Response Team, he got no reply to any of the emails he sent. Wyse employees answered his queries only after The Register asked a company spokeswoman to comment for this article.

"That's a shortcoming on our part," said McNaught, who went on to say the company is taking steps to make sure CERT personnel know the proper way for researchers to notify the company of security bugs. "That conversation has already been started by our CTO." ®
