Advisory: WebClientPrint Processor 2.0: Unauthorised Proxy Modification RedTeam Pentesting discovered that attackers can configure a proxy host and port to be used when fetching print jobs with WebClientPrint Processor (WCPP). This proxy setting may be distributed via specially crafted websites and is set without any user interaction as soon as the website is accessed. ### Details - Product: Neodynamic WebClientPrint Processor - Affected Versions: 2.0.15.109 (Microsoft Windows) - Fixed Versions: \>= 2.0.15.910 - Vulnerability Type: Man-in-the-Middle - Security Risk: medium - Vendor URL: `http://www.neodynamic.com/` - Vendor Status: fixed version released - Advisory URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2015-010` - Advisory Status: published - CVE: GENERIC-MAP-NOMATCH - CVE URL: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH` ### Introduction Neodynamic's WebClientPrint Processor is a client-side application, which allows server-side applications to print documents on a client's printer without user interaction, bypassing the browser's print functionality. The server-side application may be written in ASP.NET or PHP while on the client-side multiple platforms and browsers are supported. "Send raw data, text and native commands to client printers without showing or displaying any print dialog box!" (Neodynamic's website) ### More Details Upon installation under Microsoft Windows, WCPP registers itself as a handler for the "webclientprint" URL scheme. Thus, any URL starting with "webclientprint:" is handled by WCPP. For example, entering `webclientprint:-about` in the URL bar of a browser opens the about box of WCPP. During RedTeam Pentesting's analysis of WCPP it was determined that WCPP ignores the system proxy configuration and by default tries to fetch print jobs directly, bypassing a proxy potentially configured in the system. WCPP can however be configured to use a (possibly different) proxy through "webclientprint" URLs. For example, visiting the following URL will set 192.0.2.1 as a proxy IP for WCPP: `webclientprint:-proxyHost:192.0.2.1` Likewise, the port of the proxy can be changed to 14141 through this URL: `webclientprint:-proxyPort:14141` As soon as a proxy is initially configured, it will be used permanently without the need for any further confirmation. If a proxy was already configured before the URLs above are invoked, the old proxy will be replaced by the new one. ### Proof of Concept An attacker may prepare a malicious website with the following content: ```
``` When visited by a WCPP user, the proxy host will be rewritten without any user interaction and without any visual indication. Likewise, the following HTML code may be used to define another proxy port when visited: ``` ``` This allows the proxy configuration to be changed without authorisation. ### Workaround Affected users should disable the WCPP handler and upgrade to a fixed version as soon as possible. ### Fix Install a WCPP version greater or equal to 2.0.15.910 (