From: Coffin, Chris (CCoffin@BindView.com)
Date: Mon Apr 08 2002 - 08:32:31 CDT


    BindView Security Advisory
    --------------------------

    Unauthorized remote control access to systems running Funk Software's
    Proxy v3.x
    Issue Date: April 8, 2002
    Contact: Chris Coffin (ccoffin@razor.bindview.com)
    CVE: CAN-2002-0064, CAN-2002-0065, CAN-2002-0066

    Overview:
    Funk Software's Proxy v3.x Remote Control product allows users to
    connect to remote Windows, NetWare, and DOS hosts to view the GUI or
    command console session currently running on that host. Many vendors,
    including Veritas, On Technology, Bendata, and BindView include the
    Proxy remote control software (under different names) within their
    desktop management or helpdesk product suites to aid in remote
    administration. The Proxy remote control product consists of a client
    (Proxy Master), and a server (Proxy Host). Systems running the Proxy
    Host software are vulnerable to a number of attacks that could result
    in unauthorized remote control access.

    Affected Systems:
    Any Windows 2000, Windows NT 4.0, or Windows 9x system that has Funk's
    Proxy Host v3.x software installed is affected. The Windows 3.1, DOS,
    and NetWare versions of the Proxy product were not tested. BindView's
    NETrc v3.06 product was also evaluated and was found to be identical
    with respect to the issues outlined below. NETrc v3.06 is a repackaged
    version of Funk Proxy v3.06.

    Impact:
    Local and remote attackers have several avenues through which they can
    change and even obtain configuration settings and passwords for the
    Proxy Host software. This could allow unauthorized remote control access
    to the Windows GUI, which could be used to further compromise the
    system.

    Details:
    Below are 3 issues regarding Funk Proxy Host installations under
    Windows platforms. A brief summary of each issue is given first,
    followed by the details of each issue.

       Issue 1 - The default Proxy installation permissions are weak
                 (Windows 2000/NT4)
       Issue 2 - The Proxy Host password is stored in a recoverable
                 format (Windows 2000/NT4 and Windows 9x)
       Issue 3 - The Proxy Host password can be obtained and configuration
                 parameters can be arbitrarily changed by any remote user
                 (Windows 2000/NT4)

    Issue 1 (CAN-2002-0064): Default filesystem and registry permissions
    for the Funk Proxy Host software under Windows 2000/NT4 platforms are
    not secure. By default, Everyone is allowed Full Control access to the
    Proxy Host program directory. The Proxy Host program directory contains
    the Proxy Host service as well as configuration tools for Proxy Host.
    The Proxy Host registry settings are also open to the Everyone group
    with Special Access under Windows NT 4.0 (Windows 2000 allows only Read
    Access to the Everyone group). The Special Access allows for setting
    values as well as deleting values.

    Issue 2 (CAN-2002-0065): The Proxy Host password under both Windows
    2000/NT4 and Windows 9x platforms is stored in an easily recoverable
    format. Under Windows 2000/NT4 platforms, the Proxy Host password is
    weakly "encrypted" and stored as an obfuscated value within the Windows
    registry. The obfuscated value can be reused within other Windows
    2000/NT4 installations of the Proxy Host software. Windows 9x
    installations of the Proxy Host store their password within the
    filesystem in the file PHOST.INI. The entire PHOST.INI file can be
    reused under any other installation of the Proxy Host on the Windows
    9x platforms. The password can easily be recovered once the obfuscated
    value is revealed. Additionally, the password used under both platforms
    is also recoverable from the GUI tools provided by Funk, by using a
    freeware password recovery tool.

    Issue 3 (CAN-2002-0066): Under Windows 2000/NT4 installations of the
    Proxy Host software, a Windows Named Pipe (Funk Software-Proxy
    Host-Service Pipe) is created that allows Funk's Proxy Host service
    configuration utilities (both a GUI and command-line utility are
    available) to communicate with the Funk Proxy Host service locally. This
    communication generally involves changes to the Proxy Host service
    configuration, which can include changing the password used to connect
    to the Proxy Host service from other systems. The Proxy Host service
    Named Pipe by default allows the Everyone group Full Control Access.
    Because of this, and the fact that the Funk utilities do nothing to
    authenticate the calling user, the Funk Proxy Host service configuration
    utilities can be run under the context of any Windows 2000/NT4 user
    account.

    The Proxy Named Pipe can also be called upon to give away the
    Proxy Host password and configuration settings to any remote user who
    exists on its ACL (by default, the Everyone group is on the Proxy Host
    system's ACL). In theory, this would also allow remote users to modify
    the Proxy Host password and settings remotely.

    Vendor Feedback:
    Funk Software has worked with RAZOR to confirm these findings and has
    collaborated on the development of the security recommendations detailed
    below. Funk has developed a fix for issue 3 and has packaged it as
    Proxy v3.09A. This new version of the Proxy product will secure the
    Proxy Host Named Pipe.

    Funk has stated that all of the security issues outlined above
    will be addressed in version 4 of the Proxy Host software, which is
    currently in pre-beta and should be available soon. It is strongly
    recommended that all Funk Proxy Host version 3 installations be upgraded
    to version 4 once it's available.

    Recommendations:
    If you have not previously deployed your Proxy Host software or you wish
    to reinstall the Proxy Host software, a more secure installation can be
    used than the default. This will correct some of the problems associated
    with the issues above. To deploy Proxy Host software in a manner that
    makes local attacks more difficult, install the Proxy Host using the
    remote setup on multiple hosts, as outlined in Chapter 7 of the Proxy
    Host user manual. Use the special SETUP.CFG directives
    "DeleteHostControlPanel=1" and "HideStartMenuItems=1".

    This will do two things:

       A) The installation will NOT create a Proxy Host program group
          within the Windows start menu
       B) The installation will NOT install the following files:
          PHSETUP.EXE - Command line access to host settings for
                        Windows 9x
          PHSET32.EXE - Command line access to host settings for
                        Windows 2000/NT4
          PHOST32.CPL - GUI access to host settings for Windows 2000/NT4

    This will make it substantially less convenient for local users of
    the Proxy Host system to access the host settings (they would need to
    manually go into the registry and edit the settings).

    After installing the Proxy Host software using the above method, or if
    you have already deployed the Proxy Host software, follow the
    recommendations below to further lock down the systems running the
    Proxy Host software.

    Issue 1: Set NTFS permissions to only allow the Proxy Host
    Administrators (probably the local Administrators group) and the
    System account Full Control access.

    NOTE: Setting NTFS permissions in this way breaks the File Transfer
    functionality of the Proxy Host. However, failing to do so allows
    users other than Administrators and the System account to run the
    Proxy configuration utilities within the Proxy installation
    directory. This would allow those users to change the Proxy
    password and configuration settings.

    Set registry permissions on the following key:

    HKLM\SOFTWARE\Funk Software, Inc.\Proxy Host\Settings

    The key should only allow the Proxy Host Administrators (probably the
    local and/or domain Administrators group) and the System account Full
    Control.

    Allowing access to users other than Administrators or the System
    account for the Proxy Settings registry key could allow non-privileged
    users to obtain and/or change the Proxy Host password or configuration
    settings.

    NOTE: Setting the registry key ACL in this way breaks the File
    Transfer functionality of the Proxy Host. However, failing to do so
    allows users other than Administrators and the System account to
    obtain and/or change the Proxy Host password or configuration
    settings within the registry.

    Issue 2: First, follow the recommendations for locking down the
    filesystem and registry in the recommendations for Issue 1.

    For Windows 9x installations, make sure the Proxy Host program
    directory (or one of its parent directories) is not being shared on
    the network. A shared Proxy installation directory on Windows 9x
    systems could allow a remote user to obtain or change the Proxy
    password, depending on the level of access allowed for the share.

    To prevent the password from being recovered from Funk's GUI
    utilities, remove the utilities from the view of non-privileged console
    users (this is already done if the secure installation method
    was used). Under Windows 9x installations this can be done by
    removing the Proxy Host program group from the Windows start menu.
    Under Windows 2000/NT4 installations this can be done by removing
    the Proxy Host program group from the All Users start menu programs.

    Windows 2000/NT4 installations also include a Windows control panel
    icon that can be disabled by removing PHOST32.CPL (located in the
    WINNT\System32 directory) (this is already done if the secure
    installation method was used). Removing PHOST32.CPL completely
    disables GUI access to the configuration of the Proxy Host. The Funk
    GUI utility under Windows 9x installations (PHOSTWIN.EXE), however,
    cannot be disabled.

    A more secure approach to locking non-privileged local users out of
    the GUI applet for the Windows 2000/NT4 installations is to secure
    the Funk Proxy Named Pipe server (See below in the recommendations
    for issue 3).

    Issue 3: The Proxy Host Named Pipe can be secured by installing
    the latest version of Proxy v3.09A. Proxy v4.x will also correct the
    problems associated with issue 3 when it becomes available. If,
    however, you are unable to install Proxy v3.09A and/or your OEM
    vendor cannot supply the latest version of the Proxy product, you
    should follow the steps below to secure the Proxy Host Named Pipe.

    First, follow all of the recommendations up to this
    point for locking down the Proxy Host system.

    For Windows 2000/NT4, it is recommended that the Proxy Named Pipe
    server called by the client side Funk command-line utility PHSET32.EXE
    or the Funk GUI utility PHOST32.CPL be secured. It is recommended that
    only the Proxy Administrators (probably the local Administrators group)
    and the System account be given permissions to the Named Pipe. This
    cannot be done with the standard Microsoft tools. You will need to
    perform the following steps:

       1) If you are running NT, ensure that you are running the Security
          Configuration Manager on the system (SCM is not installed by
          default under Windows NT 4.0). If not, download it from
          http://www.microsoft.com/ntserver/nts/downloads/recommended/scm/default.asp.
          The Security Configuration Manager is included within Windows
          2000 by default.
       2) Download pipeaclui.exe from
          http://razor.bindview.com/tools/files/pipeacltools-1.0.zip.
       3) As Administrator, run the pipeaclui.exe program as follows from
          the command line:

             pipeaclui "\??\PIPE\Funk Software-Proxy Host-Service Pipe"

       4) Remove the group Everyone, and add the Proxy Administrators and
          the System account.
       5) Highlight Administrators and then the System account and ensure
          Full Control access is allowed for both.
       6) Choose Apply and then OK.

    NOTE: The procedure outlined above is, by far, the most important
    recommendation. Failure to lock down the Proxy Host Named Pipe could
    allow local and remote users the ability to obtain and/or change the
    Proxy Host password and configuration settings (see Issue 3).

    Locking down the Proxy Named Pipe has four side effects that should
    be noted:

       - The Proxy Host File Transfer functionality will not work if users
         other than those applied to the Proxy Named Pipe's ACL are
         currently logged into the Proxy Host. A remote user using the
         Proxy Master to connect to the system must either use a separate
         mechanism (e.g., SMB, FTP, scp, etc.) to transfer files, or log
         out the current Windows 2000/NT4 local console user and log back
         into the system using a privileged account that has Full Control
         access to the Proxy Named Pipe.

       - The Proxy Host Driver (viewable through the Proxy Host Control
         Panel) status will not be available to locally logged on users
         who are not specified on the Proxy Named Pipe ACL.

       - Normally when a remote user connects to a Proxy Host system, the
         Proxy Master system's username and IP address are displayed in the
         Proxy Host Control Panel on the Proxy Host system for the duration
         of the connection. This functionality is lost for any locally
         logged on users of the Proxy Host system who are not specified on
         the Proxy Named Pipe's ACL.

       - Users who are logged onto the Proxy Host system locally and are not
         specified within the Proxy Named Pipe's ACL cannot view current
         settings of the Proxy Host. The password is not displayed at all.
         This will prevent non-privileged local users of the system from
         using password recovery tools against the password contained within
         the Funk PHOST32.CPL GUI utility (See security issue 2).

    WARNING!: Any time the Proxy Host is restarted or the system it's
    running on is rebooted, re-application of the Proxy Named Pipe
    permissions with pipeaclui.exe is necessary as they are transitory.

    The last step here is to remove the command-line utility for Windows
    2000/NT4. If you have followed the secure installation, the utility
    will already be removed. If not, remove PHSET32.exe from Windows
    2000/NT4 installations.
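    The following audit script is an added example; it is not part of this
    advisory and not one of Funk's or BindView's tools. Run from an elevated
    PowerShell prompt on a Proxy Host system, it checks the lockdown steps
    above: ACLs on the Settings key and program directory (Issue 1), leftover
    PHSET32.EXE/PHOST32.CPL (Issue 2), and whether the service pipe is
    exposed (Issue 3). The program directory path and the function names are
    assumptions; the pipe's ACL itself still has to be inspected with
    pipeaclui, since standard tools cannot read it.

```powershell
# Added example, not part of the advisory or of Funk's/BindView's tools.
# Run from an elevated PowerShell prompt on the Proxy Host system.
$SettingsKey = 'HKLM:\SOFTWARE\Funk Software, Inc.\Proxy Host\Settings'
$PipeName    = 'Funk Software-Proxy Host-Service Pipe'
# Assumption: the Proxy Host program directory; change to the local install path.
$ProgramDir  = 'C:\Program Files\Funk Software\Proxy Host'
# Utilities that the secure installation omits (see Issue 2 recommendations).
$Utilities = @(
    (Join-Path $ProgramDir 'PHSET32.EXE'),
    (Join-Path $env:SystemRoot 'System32\PHOST32.CPL')
)
# Only these principals should hold rights on the key and directory (Issue 1).
$AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-UnexpectedAces {
    # Returns 'principal (rights)' for every Allow ACE granted outside the allow-list.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $AllowedPrincipals -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            # Registry ACEs expose RegistryRights, file ACEs FileSystemRights.
            $rights = if ($_.PSObject.Properties['RegistryRights']) { $_.RegistryRights } else { $_.FileSystemRights }
            '{0} ({1})' -f $_.IdentityReference.Value, $rights
        }
}

function Test-ProxyHostPipeExposed {
    # Standard tools cannot read the pipe's ACL (hence pipeaclui); this only
    # reports whether the service pipe is currently present on the system.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    return [bool]($pipes | Where-Object { $_ -like "*\$PipeName" })
}

function Invoke-ProxyHostAudit {
    $findings = @()
    foreach ($ace in (Get-UnexpectedAces $SettingsKey)) {
        $findings += "Issue 1: Settings key grants $ace"
    }
    foreach ($ace in (Get-UnexpectedAces $ProgramDir)) {
        $findings += "Issue 1: program directory grants $ace"
    }
    foreach ($tool in $Utilities) {
        if (Test-Path -LiteralPath $tool) { $findings += "Issue 2: $tool still installed" }
    }
    if (Test-ProxyHostPipeExposed) {
        $findings += "Issue 3: '$PipeName' is present; confirm its ACL with pipeaclui"
    }
    return $findings
}

$results = @(Invoke-ProxyHostAudit)
if ($results.Count -eq 0) { 'No weak Proxy Host defaults found.' } else { $results }
```

    Because the pipe permissions are transitory (see the WARNING above), the
    pipe check is worth re-running after every service restart or reboot.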

    Best Practices:
    These are optional steps that can help to further mitigate the issues
    and help in monitoring events related to the Funk Proxy software.

    In many cases, it is critical to avoid using the same Proxy Host
    password on multiple systems. This is slightly less important in an
    environment in which all Proxy Host passwords would be distributed to
    every user of a system running Proxy Host (e.g., an environment in
    which every user is allowed remote access to every system). Even then,
    choosing different passwords helps prevent an intruder who has
    compromised one system from accessing other systems. Also, choosing
    different passwords is somewhat more important in the Windows 9x case
    than the Windows 2000/NT4 case, because Windows 9x provides no access
    control in the operating system that would prevent a local user from
    reading PHOST.INI.

    Use a screen saver lock under Windows 2000/NT4 or a password-protected
    screen saver under Windows 9x. Even if someone manages to successfully
    log in to the Proxy Host, they will need Windows credentials or a
    password before accessing the Windows desktop.

    Log all traffic going to and from the Proxy Host system on UDP port
    1505 and TCP port 1505 (or whatever port you have chosen to run the
    Proxy Host on).

    Block access at your firewall to TCP and UDP port 1505 unless you
    really need to manage the Proxy Host systems from the outside.
    Another option might be to limit the access to port 1505 to authorized
    systems only, by means of internal networking equipment, personal
    firewall software, or similar packet-filtering technologies.

    Disable the option "Permit suppression of keyboard/mouse" within the
    Proxy Host configuration unless you absolutely need it. This will keep
    remote users connecting to the Proxy Host from locking out local users
    of the system.

    As a final note, always pay close attention to the Proxy Host
    configuration settings. If any of these settings change or the password
    for the host changes without your knowledge, immediately change the
    password to something else, shutdown the Proxy Host service, and then
    investigate the problem.

    Thanks:
    A big thanks goes to both Todd Sabin and Mark Loveless of the RAZOR
    team. Todd was able to determine that the Funk Proxy Named Pipe was the
    root cause of some of the issues. Todd recommended a fix for the
    Named Pipe and also developed the pipeacltools-1.0 utilities. Mark had a
    ton of input along the way and was also successful in decrypting the Funk
    Proxy Host passwords stored in the NT/2000 registry. Thanks also go
    to Dave Mann, Matt Power and the rest of the RAZOR team for their *many*
    comments and recommendations on the material.

    References:

        Funk's Proxy home page -
          http://www.funk.com/remote_control/default.asp

        Funk's Proxy v3.09A -
          http://www.funk.com/subsections/tec_proxy.asp

        Funk's Proxy Host User Manual -
          http://www.funk.com/Docs/PHOST.PDF

        RAZOR's pipeaclui utility -
          http://razor.bindview.com/tools/files/pipeacltools-1.0.zip