TUCoPS :: Security App Flaws :: win5249.htm

Funk Software's Proxy - Unauthorized remote control access
9th Apr 2002 [SBWID-5249]
COMMAND

	Unauthorized remote control access to systems running  Funk  Software\'s
	Proxy v3.x

SYSTEMS AFFECTED

	 Funk Software\'s Proxy v3.x

	 Not tested: windows 3.1, DOS,and NetWare versions

	

	BindView\'s NETrc v3.06 is also vulnerable (NETrc v3.06 is a  repackaged
	version of Funk Proxy v3.06)

PROBLEM

	In BindView Security Advisory  [http://www.bindview.com],  Chris  Coffin
	reported following :
	

	Funk Software\'s Proxy v3.x  Remote  Control  product  allows  users  to
	connect to remote Windows, NetWare, and DOS hosts to  view  the  GUI  or
	command console session currently running on that  host.  Many  vendors,
	including Veritas, On Technology,  Bendata,  and  BindView  include  the
	Proxy remote control  software  (under  different  names)  within  their
	desktop  management  or  helpdesk  product  suites  to  aid  in   remote
	administration. The Proxy remote control product consists  of  a  client
	(Proxy Master), and a server (Proxy Host).  Systems  running  the  Proxy
	Host software are vulnerable to a number of attacks  that  could  result
	in unauthorized remote control access.
	

	 Impact

	 ======

	

	Local and remote attackers have several avenues through which  they  can
	change and even obtain configuration  settings  and  passwords  for  the
	Proxy Host  software.  This  could  allow  unauthorized  remote  control
	access to the Windows GUI, which could be  used  to  further  compromise
	the system.
	

	 Details

	 =======

	

	Below are  3  issues  regarding  Funk  Proxy  Host  installations  under
	Windows platforms. A brief description  of  each  issue  will  be  given
	first, followed by more specific information on each issue below.
	

	   Issue 1 - The default Proxy installation permissions are weak 

	             (Windows 2000/NT4)

	   Issue 2 - The Proxy Host password is stored in a recoverable

	             format (Windows 2000/NT4 and Windows 9x)

	   Issue 3 - The Proxy Host password can be obtained and configuration

	             parameters can be arbitrarily changed by any remote user 

	             (Windows 2000/NT4)

	

	Issue 1 (CAN-2002-0064): Default  filesystem  and  registry  permissions
	for the Funk Proxy Host software under Windows  2000/NT4  platforms  are
	not secure. By default, Everyone is allowed Full Control access  to  the
	Proxy Host program directory. The Proxy Host program directory  contains
	the Proxy Host service as well as configuration tools  for  Proxy  Host.
	The Proxy Host registry settings are also open  to  the  Everyone  group
	with Special Access under Windows NT 4.0 (Windows 2000 allows only  Read
	Access to the Everyone group). The Special  Access  allows  for  setting
	values as well as deleting values.
	

	Issue 2 (CAN-2002-0065): The Proxy  Host  password  under  both  Windows
	2000/NT4 and Windows 9x platforms is stored  in  an  easily  recoverable
	format. Under Windows 2000/NT4 platforms, the  Proxy  Host  password  is
	weakly \"encrypted\" and  stored  as  an  obfuscated  value  within  the
	Windows registry. The  obfuscated  value  can  be  reused  within  other
	Windows 2000/NT4 installations of the Proxy Host  software.  Windows  9x
	installations  of  the  Proxy  Host  store  their  password  within  the
	filesystem in the file PHOST.INI.  The  entire  PHOST.INI  file  can  be
	reused under any other installation of the Proxy Host on the Windows  9x
	platforms. The password can easily  be  recovered  once  the  obfuscated
	value is revealed. Additionally, the password used under both  platforms
	is also recoverable from the GUI tools provided  by  Funk,  by  using  a
	freeware password recovery tool.
	

	Issue 3 (CAN-2002-0066): Under Windows  2000/NT4  installations  of  the
	Proxy  Host  software,  a  Windows  Named  Pipe   (Funk   Software-Proxy
	Host-Service Pipe) is created that allows  Funk\'s  Proxy  Host  service
	configuration  utilities  (both  a  GUI  and  command-line  utility  are
	available) to communicate with the  Funk  Proxy  Host  service  locally.
	This communication generally involves changes to the Proxy Host  service
	configuration that can include changing of the password used to  connect
	to the Proxy Host service from other systems.  The  Proxy  Host  service
	Named Pipe by default allows the Everyone  group  Full  Control  Access.
	Because of this, and the fact that the  Funk  utilities  do  nothing  to
	authenticate  the  calling   user,   the   Funk   Proxy   Host   service
	configuration utilities can be run under  the  context  of  any  Windows
	2000/NT4 user account.
	

	The Proxy Named Pipe can also be called upon  to  give  away  the  Proxy
	Host password and configuration settings to any remote user  who  exists
	on its ACL (by  default,  the  Everyone  group  is  on  the  Proxy  Host
	system\'s ACL). In theory, this would also allow remote users to  modify
	the Proxy Host password and settings remotely.
	

	 Vendor Feedback

	 ===============

	

	Funk Software has worked with RAZOR to confirm these  findings  and  has
	collaborated  on  the  development  of  the   security   recommendations
	detailed below. Funk has developed a fix for issue 3  and  has  packaged
	it as Proxy v3.09A. This new version of the Proxy  product  will  secure
	the Proxy Host Named Pipe.
	

	Funk has stated that all of the security issues outlined above  will  be
	addressed in version 4 of the Proxy Host software  which,  is  currently
	in pre-beta and should be available soon.  It  is  strongly  recommended
	that all Funk Proxy Host version 3 installations be upgraded to  version
	4 once it\'s available.

SOLUTION

	 Recommendations

	 ===============

	

	If you have not previously deployed your  Proxy  Host  software  or  you
	wish to reinstall the Proxy Host software, a  more  secure  installation
	can be used than the default. This will correct  some  of  the  problems
	associated with the issues above. To deploy Proxy  Host  software  in  a
	manner that makes local attacks more difficult, install the  Proxy  Host
	using the remote setup on multiple hosts, as outlined in  Chapter  7  of
	the Proxy  Host  user  manual.  Use  the  special  SETUP.CFG  directives
	\"DeleteHostControlPanel=1\" and \"HideStartMenuItems=1\".
	

	This will do two things:
	

	   A) The installation will NOT create a Proxy Host program group

	      within the Windows start menu

	   B) The installation will NOT install the following files:

	      PHSETUP.EXE - Command line access to host settings for

	                    Windows 9x

	      PHSET32.EXE - Command line access to host settings for

	                    Windows 2000/NT4

	      PHOST32.CPL - GUI access to host settings for Windows 2000/NT4

	

	This will make it substantially less convenient for local users  of  the
	Proxy Host system to access  the  host  settings  (they  would  need  to
	manually go into the registry and edit the settings).
	

	After installing the Proxy Host software using the above method,  or  if
	you  have  already  deployed  the  Proxy  Host  software,   follow   the
	recommendations below to further  lock  down  the  systems  running  the
	Proxy Host software.
	

	

	Issue  1:  Set  NTFS  permissions  to  only   allow   the   Proxy   Host
	Administrators (probably the local Administrators group) and the  System
	account Full Control access.
	

	NOTE: Setting NTFS permissions in this  way  breaks  the  File  Transfer
	functionality of the Proxy Host. However, failing to do so allows  users
	other than Administrators and  the  System  account  to  run  the  Proxy
	configuration utilities within the Proxy  installation  directory.  This
	would allow those users to change the Proxy password  and  configuration
	settings.
	

	Set registry permissions on the following key:
	

	

	HKLM\\SOFTWARE\\Funk Software, Inc.\\Proxy Host\\Settings

	

	

	The key should only allow the Proxy Host  Administrators  (probably  the
	local and/or domain Administrators group) and the  System  account  Full
	Control.
	

	Allowing access  to  users  other  than  Administrators  or  the  System
	account for the Proxy Settings registry key could  allow  non-privileged
	users to obtain and/or change the Proxy Host password  or  configuration
	settings.
	

	NOTE: Setting the registry key ACL in this way breaks the File  Transfer
	functionality of the Proxy Host. However, failing to do so allows  users
	other than Administrators  and  the  System  account  to  obtain  and/or
	change the Proxy Host password  or  configuration  settings  within  the
	registry.
	

	Issue  2:  First,  follow  the  recommendations  for  locking  down  the
	filesystem and registry in the recommendations for Issue 1.
	

	For  Windows  9x  installations,  make  sure  the  Proxy  Host   program
	directory (or one of its parent directories) is not being shared on  the
	network. A shared Proxy installation directory  on  Windows  9x  systems
	could allow a remote user to obtain the or  change  the  Proxy  password
	depending on the level of access allowed for the share.
	

	To prevent the actual password from Funk\'s  GUI  utilities  from  being
	obtained, remove the utilities from view of non-privileged console
	 users (this is already done if the secure installation method

	was used). Under Windows 9x installations this can be done  by  removing
	the Proxy Host program group from the Windows start menu. Under  Windows
	2000/NT4 installations this can be  done  by  removing  the  Proxy  Host
	program group from the All Users start menu programs.
	

	Windows 2000/NT4 installations also  include  a  Windows  control  panel
	icon that can be  disabled  by  removing  PHOST32.CPL  (located  in  the
	WINNT\\System32  directory)  (this  is  already  done  if   the   secure
	installation method was used). Removing PHOST32.CPL completely  disables
	GUI access to the configuration of the Proxy Host. The Funk GUI  utility
	under  Windows  9x  installations  (PHOSTWIN.EXE)  cannot  be   disabled
	however.
	

	A more secure approach to locking non-privileged local users out of  the
	GUI applet for the Windows 2000/NT4 installations is to secure the  Funk
	Proxy Named Pipe server (See below in the recommendations for issue 3).
	

	

	Issue 3: The Proxy Host Named Pipe can  be  secured  by  installing  the
	latest version of  Proxy  v3.09A.  Proxy  v4.x  will  also  correct  the
	problems associated with issue 3 when it becomes available. If  however,
	you are unable to install Proxy v3.09A and/or  your  OEM  vendor  cannot
	supply the latest version of the Proxy product, you  should  follow  the
	steps below to secure the Proxy Host Named Pipe.
	

	First, follow all of the recommendations up to this  point  for  locking
	down the Proxy Host system.
	

	For Windows 2000/NT4, it  is  recommended  that  the  Proxy  Named  Pipe
	server called by the client side Funk command-line  utility  PHSET32.EXE
	or the Funk GUI utility PHOST32.CPL be secured. It is  recommended  that
	only the Proxy Administrators (probably the local Administrators  group)
	and the System account be given permissions  to  the  Named  Pipe.  This
	cannot be done with the standard  Microsoft  tools.  You  will  need  to
	perform the following steps:
	

	   1) If you are running NT, ensure that you are running the Security

	      Configuration Manager on the system (SCM is not installed by

	      default under Windows NT 4.0). If not, download it from

	

	      http://www.microsoft.com/ntserver/nts/downloads/recommended/scm/default.asp.

	

	

	      The Security Configuration Manager is included within Windows 

	      2000 by default.

	   2) Download pipeaclui.exe from 

	

	      http://razor.bindview.com/tools/files/pipeacltools-1.0.zip.

	

	   3) As Administrator, run the pipeaclui.exe program as follows from

	      the command line:

	

	

	         pipeaclui \"\\??\\PIPE\\Funk Software-Proxy Host-Service Pipe\"

	

	

	   4) Remove the group Everyone, and add the Proxy Administrators and

	      the System account.

	   5) Highlight Administrators and then the System account and ensure

	      Full Control access is allowed for both.

	   6) Choose Apply and then OK.

	

	NOTE: The procedure outlined  above  is,  by  far,  the  most  important
	recommendation. Failure to lock down the Proxy  Host  Named  Pipe  could
	allow local and remote users the ability to  obtain  and/or  change  the
	Proxy Host password and configuration settings (see Issue 3).
	

	Locking down the Proxy Named Pipe has four side effects that  should  be
	noted:
	

	   - The Proxy Host File Transfer functionality will not work if users 

	     other than those applied to the Proxy Named Pipe\'s ACL are 

	     currently logged into the Proxy Host. A remote user using the 

	     Proxy Master to connect to the system must either use a separate 

	     mechanism (e.g.,SMB, ftp, scp, etc.) to transfer files, or log 

	     out the current Windows 2000/NT4 local console user and log back 

	     into the system using a privileged account that has Full Control 

	     access to the Proxy Named Pipe.

	

	   - The Proxy Host Driver (viewable through the Proxy Host Control

	     Panel) status will not be available to locally logged on users

	     who are not specified on the Proxy Named Pipe ACL.

	

	   - Normally when a remote user connects to a Proxy Host system, the

	     Proxy Master system\'s username and IP address are displayed in the

	     Proxy Host Control Panel on the Proxy Host system for the duration

	     of the connection. This functionality is lost for any locally

	     logged on users of the Proxy Host system who are not specified on

	     the Proxy Named Pipe\'s ACL.

	

	   - Users who are logged onto the Proxy Host system locally and are not

	     specified within the Proxy Named Pipe\'s ACL cannot view current

	     settings of the Proxy Host. The password is not displayed at all.

	     This will prevent non-privileged local users of the system from

	     using password recovery tools against the password contained within

	     the Funk PHOST32.CPL GUI utility (See security issue 2).

	

	WARNING!: Any time the Proxy Host  is  restarted  or  the  system  it\'s
	running  on  is  rebooted,  re-application  of  the  Proxy  Named   Pipe
	permissions with pipeaclui.exe is necessary as they are transitory.
	

	The last step here is to remove the  command-line  utility  for  Windows
	2000/NT4. If you have followed  the  secure  installation,  the  utility
	will already  be  removed.  If  not,  remove  PHSET32.exe  from  Windows
	2000/NT4 installations.
	

	

	 Best Practices

	 ==============

	

	These are optional steps that can help to further  mitigate  the  issues
	and help in monitoring events related to the Funk Proxy software.
	

	In many cases, it is  critical  to  avoid  using  the  same  Proxy  Host
	password on multiple systems. This is  slightly  less  important  in  an
	environment in which all Proxy Host passwords would  be  distributed  to
	every user of a system running  Proxy  Host  (e.g.,  an  environment  in
	which every user is allowed remote access to every system).  Even  then,
	choosing  different  passwords  helps  prevent  an  intruder   who   has
	compromised one system from  accessing  other  systems.  Also,  choosing
	different passwords is somewhat more important in the  Windows  9x  case
	than the Windows 2000/NT4 case, because Windows 9x  provides  no  access
	control in the operating system that would prevent  a  local  user  from
	reading PHOST.INI.
	

	Use a screen saver lock under Windows 2000/NT4 or  a  password-protected
	screen saver under Windows 9x. Even if someone manages  to  successfully
	login to the Proxy  Host,  they  will  need  Windows  credentials  or  a
	password before accessing the Windows desktop.
	

	Log all traffic going to and from the Proxy  Host  system  on  UDP  port
	1505 and TCP port 1505 (Or whatever port you  have  chosen  to  run  the
	Proxy Host on).
	

	Block access at your firewall to  TCP  and  UDP  port  1505  unless  you
	really need to manage the Proxy Host systems from the  outside.  Another
	option might be to limit the access to port 1505 to  authorized  systems
	only, by means  of  internal  networking  equipment,  personal  firewall
	software, or similar packet-filtering technologies.
	

	Disable the option \"Permit suppression of keyboard/mouse\"  within  the
	Proxy Host configuration unless you absolutely need it. This  will  keep
	remote users connecting to the Proxy Host from locking out  local  users
	of the system.
	

	As  a  final  note,  always  pay  close  attention  to  the  Proxy  Host
	configuration settings. If any of these settings change or the  password
	for the host changes without  your  knowledge,  immediately  change  the
	password to something else, shutdown the Proxy Host  service,  and  then
	investigate the problem.
	

	

	 Thanks

	 ======

	

	A big thanks goes to both Todd Sabin and  Mark  Loveless  of  the  RAZOR
	team. Todd was able to determine that the Funk Proxy Named Pipe was  the
	root cause of some of the issues. Todd recommended a fix for  the  Named
	Pipe and also developed the pipeacltools-1.0 utilities. Mark had  a  ton
	of input along the way and was also successful in  decrypting  the  Funk
	Proxy Host passwords stored in the NT/2000 registry.  Thanks  also  goes
	to Dave Mann, Matt Power and the  rest  of  the  RAZOR  team  for  their
	*many* comments and recommendations on the material.
	

	

	 References

	 ==========

	

	    Funk\'s Proxy home page - 

	

	     http://www.funk.com/remote_control/default.asp

	

	

	    Funk\'s Proxy v3.09A -

	

	      http://www.funk.com/subsections/tec_proxy.asp

	

	

	    Funk\'s Proxy Host User Manual - 

	

	     http://www.funk.com/Docs/PHOST.PDF

	

	

	    RAZOR\'s pipeaclui utility -

	

	     http://razor.bindview.com/tools/files/pipeacltools-1.0.zip

	

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH