'Secure' Wyse thin clients vulnerable to remote exploit bugs

A popular brand of thin client device used by nuclear labs, military contractors and Fortune 100 companies is susceptible to exploits that put entire fleets of the machines in the control of online attackers.

Wyse Technologies, maker of the slimmed-down computing devices, touts them as being as secure, "or better" than PCs because there are no hard drives to get corrupted by malware or mechanical failure. It even argues that installing anti-virus software on the devices may be "overkill."

But according to Kevin Finisterre, the founder of security research firm SNOSoft, the devices are shipped with software that is vulnerable to attacks over the internet. Once compromised, the devices can be controlled remotely, allowing an attacker to change their configuration settings and do virtually anything someone sitting physically in front of the machine could do.

"I can take a machine out of the box, plug it in, and it's instantly exploitable," Finisterre, who has written proof-of-concept exploit code, told The Register. "There's no interaction on the user's part at all."

What's more, a security bug in Wyse software used to administer the terminals makes it trivial to take over the backend server that runs the program, Finisterre has found. He has written a Ruby proof-of-concept script that exploits the vulnerability in the software, known as the WDM or Wyse Device Manager.

All that's required is that the attacker know the machine's IP address. Once the script runs, it gives the attacker a command shell with full administrative privileges.

Wyse officials say they have reviewed Finisterre's code and so far have been unable to make it remotely execute malicious code in their labs. Still, they acknowledge that the code does cause machines running the Wyse software to crash, and have vowed to fix the bugs that are responsible.

"We take this very, very seriously and we're going to make sure that we completely follow up on what Kevin has reported as well," said Jeff McNaught, chief marketing and strategy officer at Wyse. "It's important for companies like Kevin's to be able to identify ways where we can all improve our products, so we certainly are hats off to him in that regard."

McNaught says he is unaware of any attacks that have targeted the vulnerability.

Finisterre, whose SNOSoft outfit is the research arm of penetration testing firm Netragard, said he developed the code in his bedroom lab over the past couple months using a VMware image with attributes that are almost surely different from those being used by Wyse.

The script targeting the WDM works only when the program is running on Windows 2000 machines. With extra work, he says it would be possible to exploit the bug on machines running Windows Vista or other more recent operating systems, using so-called heap spraying or similar hacking techniques. Running the exploit requires nothing more than providing the IP address of the server that runs the WDM software.

His code targeting the thin clients themselves attacks a small application that acts as a beacon that searchers the attached network for servers running the WDM. It specifically targets the hagent.exe file for terminals running the embedded version of Windows XP, but he said it would be trivial to make the attack work on the agent contained in Linux images because the underlying vulnerability is present on both programs.

Both attacks target buffer overflow errors in code that runs by default on either the Wyse terminals or in the WDM. They are significant, given Wyse's customer portfolio, which according to marketing material includes the Crocker Nuclear Laboratory, the US Marine Corps Air-Ground Combat Center at Twentynine Palms and the Southern Arizona Veterans Administration Health Care System. Half of the world's top 100 corporations use Wyse products, according to this PowerPoint presentation hosted on the website of Wyse partner Citrix.

Few Wyse brochures get published that don't extol the security superiority of thin clients compared with traditional PCs. Similar boasting is common in cloud computing circles, where marketers would have us believe the risks of buggy code have effectively been eliminated.

But like a similar case from March, when a coding error by a single software-as-a-service provider exposed numerous customers to potentially crippling attacks, the episode shows that the model at best merely moves vulnerabilities upstream, rather than stamping them out.

For all Wyse's assurances about security, Finisterre said he worked since late May to find an appropriate company employee to contact about the vulnerabilities. Even after seeking help from the US CERT, or Computer Emergency Response Team, he got no reply to any of the emails he sent. Wyse employees answered his queries only after The Register asked a company spokeswoman to comment for this article.

"That's a shortcoming on our part," said McNaught, who went on to say the company is taking steps to make sure CERT personnel know the proper way for researchers to notify the company of security bugs. "That conversation has already been started by our CTO." ®