From: Ronen Z (ronenquaji.com)
Date: Mon Feb 17 2014 - 07:30:48 CST
Affected versions: 4.3.3, 4.3.1 and probably prior versions.
Jetro Cockpit Secure Browsing makes use of a client running on a
user's workstation in the enterprise's internal network, and a server
in the DMZ that connects on the client's behalf to the internet.
Attack scenario: User causes server to be compromised by an unpatched
or 0-day vulnerability. For example, a browser exploit, or a PDF
viewer exploit. The product should provide network separation and
sand-box such an attack. However, the vulnerability found allows a
compromised server to execute code on the client machine using the
- If an attacker gains user-level RCE on the server, the found issue
will allow RCE on the same user's workstation in the internal network.
- If an attacker gains elevated privileged RCE on the server (using a
PE vulnerability), the found issue will allow RCE on any user's
workstation in the internal network.
The client does not validate input coming from the server as a result
of a print-to-pdf event. The server can send an .EXE file instead of
the expected .PDF file and the client will execute the file upon
Full disclosure, demo and details here:
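
Added example, not part of the original advisory and not Jetro's code: a sketch of the client-side check whose absence is described above, treating the print-to-pdf payload as untrusted input. The function names, the size cap and the sample byte strings are assumptions constructed for illustration; the product's actual wire format is not given on this page.

```python
import os
import secrets

PDF_MAGIC = b"%PDF-"
MAX_SIZE = 50 * 1024 * 1024  # assumed upper bound for one print job

# Constructed sample inputs (not captured from the product).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF\n"
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60  # starts like a Windows PE file


class RejectedPayload(Exception):
    """Raised when the server's payload is not acceptable as a PDF."""


def validate_print_payload(data: bytes) -> None:
    """Allowlist check: accept only content that starts and ends like a PDF."""
    if len(data) > MAX_SIZE:
        raise RejectedPayload("payload too large")
    if not data.startswith(PDF_MAGIC):
        kind = "PE executable" if data[:2] == b"MZ" else "unknown type"
        raise RejectedPayload(f"not a PDF ({kind})")
    if b"%%EOF" not in data[-1024:]:
        raise RejectedPayload("missing PDF end-of-file marker")


def store_print_payload(data: bytes, server_name: str, out_dir: str) -> str:
    """Validate, then save under a name and extension chosen by the client.

    server_name is whatever file name the server claimed. It is discarded on
    purpose, so it can never select the extension or escape out_dir.
    """
    del server_name
    validate_print_payload(data)
    os.makedirs(out_dir, exist_ok=True)
    path = os.path.join(out_dir, f"print-{secrets.token_hex(8)}.pdf")
    with open(path, "xb") as fh:  # "x": fail rather than overwrite a file
        fh.write(data)
    return path
```

The stored file should then be handed to a specific PDF viewer by explicit path, not opened through the shell's file-type association, so that nothing the server sends decides which program runs.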