BindView Security Advisory
--------------------------

Unauthorized remote control access to systems running Funk Software's Proxy v3.x

Issue Date: April 8, 2002
Contact: Chris Coffin (ccoffin () razor bindview com)
CVE: CAN-2002-0064, CAN-2002-0065, CAN-2002-0066

Overview:

Funk Software's Proxy v3.x Remote Control product allows users to connect to remote Windows, NetWare, and DOS hosts to view the GUI or command console session currently running on that host. Many vendors, including Veritas, On Technology, Bendata, and BindView, include the Proxy remote control software (under different names) within their desktop management or helpdesk product suites to aid in remote administration. The Proxy remote control product consists of a client (Proxy Master) and a server (Proxy Host). Systems running the Proxy Host software are vulnerable to a number of attacks that could result in unauthorized remote control access.

Affected Systems:

Any Windows 2000, Windows NT 4.0, or Windows 9x system that has Funk's Proxy Host v3.x software installed is affected. The Windows 3.1, DOS, and NetWare versions of the Proxy product were not tested. BindView's NETrc v3.06 product was also evaluated and was found to be identical with respect to the issues outlined below; NETrc v3.06 is a repackaged version of Funk Proxy v3.06.

Impact:

Local and remote attackers have several avenues through which they can change, and even obtain, the configuration settings and password of the Proxy Host software. This could allow unauthorized remote control access to the Windows GUI, which could be used to further compromise the system.

Details:

Three issues affect Funk Proxy Host installations on Windows platforms. A brief summary of each is given first, followed by the specifics of each issue.
Issue 1 - The default Proxy installation permissions are weak (Windows 2000/NT4)
Issue 2 - The Proxy Host password is stored in a recoverable format (Windows 2000/NT4 and Windows 9x)
Issue 3 - The Proxy Host password can be obtained, and configuration parameters arbitrarily changed, by any remote user (Windows 2000/NT4)

Issue 1 (CAN-2002-0064):

Default filesystem and registry permissions for the Funk Proxy Host software under Windows 2000/NT4 are not secure. By default, Everyone is allowed Full Control access to the Proxy Host program directory, which contains the Proxy Host service as well as the configuration tools for Proxy Host. The Proxy Host registry settings are also open to the Everyone group with Special Access under Windows NT 4.0 (Windows 2000 grants the Everyone group Read access only). That Special Access allows values to be set as well as deleted, so any local user can rewrite the Proxy Host configuration, including its password.

Issue 2 (CAN-2002-0065):

The Proxy Host password under both Windows 2000/NT4 and Windows 9x is stored in an easily recoverable format. Under Windows 2000/NT4, the Proxy Host password is weakly "encrypted" and stored as an obfuscated value within the Windows registry. The obfuscated value is portable: it can be reused within other Windows 2000/NT4 installations of the Proxy Host software. Windows 9x installations of the Proxy Host store their password in the file PHOST.INI in the filesystem, and the entire PHOST.INI file can be reused under any other Windows 9x installation of the Proxy Host. The password itself can easily be recovered once the obfuscated value is revealed. Additionally, on both platforms the password can be recovered from the GUI tools provided by Funk by using a freeware password recovery tool.
Issue 3 (CAN-2002-0066):

Under Windows 2000/NT4 installations of the Proxy Host software, a Windows Named Pipe ("Funk Software-Proxy Host-Service Pipe") is created so that Funk's Proxy Host configuration utilities (both a GUI and a command-line utility are available) can communicate with the Funk Proxy Host service locally. This communication generally involves changes to the Proxy Host service configuration, including changing the password used to connect to the Proxy Host service from other systems. By default, the Proxy Host service Named Pipe grants the Everyone group Full Control access. Because of this, and because the Funk utilities do nothing to authenticate the calling user, the Proxy Host configuration utilities can be run under the context of any Windows 2000/NT4 user account. The Named Pipe can also be called upon to give away the Proxy Host password and configuration settings to any remote user who appears on its ACL (by default, the Everyone group is on the ACL of the pipe on the Proxy Host system). In theory, this would also allow remote users to modify the Proxy Host password and settings remotely.

Vendor Feedback:

Funk Software has worked with RAZOR to confirm these findings and has collaborated on the development of the security recommendations detailed below. Funk has developed a fix for Issue 3 and has packaged it as Proxy v3.09A; this version secures the Proxy Host Named Pipe. Funk has stated that all of the security issues outlined above will be addressed in version 4 of the Proxy Host software, which is currently in pre-beta and should be available soon. It is strongly recommended that all Funk Proxy Host version 3 installations be upgraded to version 4 once it is available.

Recommendations:

If you have not yet deployed the Proxy Host software, or you are willing to reinstall it, a more secure installation than the default can be used.
This corrects some of the problems associated with the issues above. To deploy the Proxy Host software in a manner that makes local attacks more difficult, install the Proxy Host using the remote setup on multiple hosts, as outlined in Chapter 7 of the Proxy Host user manual, and use the SETUP.CFG directives "DeleteHostControlPanel=1" and "HideStartMenuItems=1". This does two things:

A) The installation will NOT create a Proxy Host program group within the Windows start menu.
B) The installation will NOT install the following files:
   PHSETUP.EXE - Command line access to host settings for Windows 9x
   PHSET32.EXE - Command line access to host settings for Windows 2000/NT4
   PHOST32.CPL - GUI access to host settings for Windows 2000/NT4

This makes it substantially less convenient for local users of the Proxy Host system to reach the host settings (they would need to edit the registry manually), but it is not a security boundary on its own: the settings remain readable and writable by whoever the filesystem, registry, and Named Pipe ACLs admit. After installing the Proxy Host software using the above method, or if you have already deployed the Proxy Host software, follow the recommendations below to further lock down the systems running the Proxy Host software.

Issue 1:

Set NTFS permissions on the Proxy Host program directory so that only the Proxy Host Administrators (probably the local Administrators group) and the System account have Full Control access.

NOTE: Setting NTFS permissions in this way breaks the File Transfer functionality of the Proxy Host. However, failing to do so allows users other than Administrators and the System account to run the Proxy configuration utilities within the Proxy installation directory, which would allow those users to change the Proxy password and configuration settings.

Set registry permissions on the following key:

   HKLM\SOFTWARE\Funk Software, Inc.\Proxy Host\Settings

The key should only allow the Proxy Host Administrators (probably the local and/or domain Administrators group) and the System account Full Control.
Allowing access to users other than Administrators or the System account on the Proxy Settings registry key could allow non-privileged users to obtain and/or change the Proxy Host password or configuration settings.

NOTE: Setting the registry key ACL in this way also breaks the File Transfer functionality of the Proxy Host. However, failing to do so allows users other than Administrators and the System account to obtain and/or change the Proxy Host password or configuration settings within the registry.

Issue 2:

First, follow the filesystem and registry lock-down given in the recommendations for Issue 1.

For Windows 9x installations, make sure the Proxy Host program directory (or one of its parent directories) is not being shared on the network. A shared Proxy installation directory on a Windows 9x system could allow a remote user to obtain or change the Proxy password, depending on the level of access allowed on the share.

To prevent the actual password from being obtained through Funk's GUI utilities, remove the utilities from the view of non-privileged console users (this is already done if the secure installation method was used). Under Windows 9x this can be done by removing the Proxy Host program group from the Windows start menu. Under Windows 2000/NT4 this can be done by removing the Proxy Host program group from the All Users start menu programs. Windows 2000/NT4 installations also include a Windows control panel icon, which can be disabled by removing PHOST32.CPL (located in the WINNT\System32 directory); this too is already done if the secure installation method was used. Removing PHOST32.CPL completely disables GUI access to the configuration of the Proxy Host. The Funk GUI utility under Windows 9x installations (PHOSTWIN.EXE), however, cannot be disabled.
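The Issue 1 lock-down above (Full Control for the Proxy Host Administrators and the System account only, on both the program directory and the Settings key), which the Issue 2 recommendation also starts from, as an added example in PowerShell. This is not code from the advisory or from Funk. PowerShell postdates NT4 and Windows 2000, where the same change was made with cacls and regedt32; the script shows the intended end state and then checks for leftover ACEs. Assumed: the program directory path is supplied by the operator (it is site specific), "Proxy Host Administrators" and the System account are BUILTIN\Administrators and NT AUTHORITY\SYSTEM, and the script runs elevated.

```powershell
# Added example (not from the BindView advisory or from Funk): apply the Issue 1
# ACL lock-down and verify it. Assumptions: $ProxyHostDir is supplied by the
# operator; the registry key is the one the advisory names; "Proxy Host
# Administrators" means the local Administrators group. Run elevated.
param(
    [Parameter(Mandatory = $true)]
    [string]   $ProxyHostDir,     # Proxy Host program directory (site-specific path)
    [string]   $RegKey = 'HKLM:\SOFTWARE\Funk Software, Inc.\Proxy Host\Settings',
    [string[]] $Principals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

function Set-AdminOnlyAcl {
    # Replace the DACL on $Path with Full Control for $Principals and nothing else.
    param([string] $Path, [string[]] $Principals, [switch] $Registry)

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent (Everyone/Users usually arrive that way),
    # discard the inherited entries, then drop every remaining explicit ACE.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }

    foreach ($name in $Principals) {
        $id = New-Object System.Security.Principal.NTAccount($name)
        if ($Registry) {
            # Registry keys are containers only, so ObjectInherit is not valid here.
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $id,
                [System.Security.AccessControl.RegistryRights]::FullControl,
                [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
        } else {
            # Directory: the ACE must flow to both subdirectories and files.
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id,
                [System.Security.AccessControl.FileSystemRights]::FullControl,
                [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-UnexpectedAce {
    # Any ACE whose identity is not in the allowed list; used to verify the result.
    param([string] $Path, [string[]] $Principals)
    (Get-Acl -Path $Path).Access |
        Where-Object { $Principals -notcontains $_.IdentityReference.Value }
}

Set-AdminOnlyAcl -Path $ProxyHostDir -Principals $Principals
Set-AdminOnlyAcl -Path $RegKey      -Principals $Principals -Registry

foreach ($p in @($ProxyHostDir, $RegKey)) {
    $extra = @(Get-UnexpectedAce -Path $p -Principals $Principals)
    if ($extra.Count -eq 0) {
        Write-Output "OK: $p is restricted to $($Principals -join ', ')"
    } else {
        Write-Warning "$p still grants access to: $($extra.IdentityReference.Value -join ', ')"
    }
}
```

The verification step matters more than the Set-Acl call: on NT4 the registry ACL is what lets Everyone set and delete values (Issue 1), so any identity other than the two principals left on either object means the lock-down did not take. As the advisory notes, this ACL breaks the Proxy Host File Transfer feature; that is the intended trade-off.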
A more secure approach to locking non-privileged local users out of the GUI applet on Windows 2000/NT4 installations is to secure the Funk Proxy Named Pipe server (see the recommendations for Issue 3 below).

Issue 3:

The Proxy Host Named Pipe can be secured by installing the latest version of Proxy, v3.09A. Proxy v4.x will also correct the problems associated with Issue 3 when it becomes available. If, however, you are unable to install Proxy v3.09A and/or your OEM vendor cannot supply the latest version of the Proxy product, follow the steps below to secure the Proxy Host Named Pipe.

First, follow all of the recommendations up to this point for locking down the Proxy Host system. For Windows 2000/NT4, secure the Proxy Named Pipe server that is called by the client-side Funk command-line utility PHSET32.EXE and the Funk GUI utility PHOST32.CPL. Only the Proxy Administrators (probably the local Administrators group) and the System account should be given permissions on the Named Pipe. This cannot be done with the standard Microsoft tools; you will need to perform the following steps:

1) If you are running NT, ensure that the Security Configuration Manager is installed on the system (SCM is not installed by default under Windows NT 4.0). If not, download it from http://www.microsoft.com/ntserver/nts/downloads/recommended/scm/default.asp. The Security Configuration Manager is included within Windows 2000 by default.
2) Download pipeaclui.exe from http://razor.bindview.com/tools/files/pipeacltools-1.0.zip.
3) As Administrator, run the pipeaclui.exe program as follows from the command line:

   pipeaclui "\??\PIPE\Funk Software-Proxy Host-Service Pipe"

4) Remove the group Everyone, and add the Proxy Administrators and the System account.
5) Highlight Administrators and then the System account and ensure Full Control access is allowed for both.
6) Choose Apply and then OK.
NOTE: The procedure outlined above is, by far, the most important recommendation. Failure to lock down the Proxy Host Named Pipe could allow local and remote users to obtain and/or change the Proxy Host password and configuration settings (see Issue 3).

Locking down the Proxy Named Pipe has four side effects that should be noted:

- The Proxy Host File Transfer functionality will not work while a user who is not on the Proxy Named Pipe's ACL is logged into the Proxy Host. A remote user using the Proxy Master to connect to the system must either use a separate mechanism (e.g., SMB, ftp, scp, etc.) to transfer files, or log out the current Windows 2000/NT4 local console user and log back into the system using a privileged account that has Full Control access to the Proxy Named Pipe.
- The Proxy Host Driver status (viewable through the Proxy Host Control Panel) will not be available to locally logged on users who are not on the Proxy Named Pipe ACL.
- Normally, when a remote user connects to a Proxy Host system, the Proxy Master system's username and IP address are displayed in the Proxy Host Control Panel on the Proxy Host system for the duration of the connection. This functionality is lost for any locally logged on users of the Proxy Host system who are not on the Proxy Named Pipe's ACL.
- Users who are logged onto the Proxy Host system locally and are not on the Proxy Named Pipe's ACL cannot view the current settings of the Proxy Host; the password is not displayed at all. This prevents non-privileged local users of the system from using password recovery tools against the password contained within the Funk PHOST32.CPL GUI utility (see Issue 2).

WARNING!: Any time the Proxy Host service is restarted or the system it is running on is rebooted, the Proxy Named Pipe permissions must be re-applied with pipeaclui.exe. They are transitory because the service recreates the pipe, with its default ACL, each time it starts, so build the re-application into your startup procedure and verify it rather than relying on memory.
The last step here is to remove the command-line utility for Windows 2000/NT4. If you have followed the secure installation, the utility will already be removed. If not, remove PHSET32.EXE from Windows 2000/NT4 installations.

Best Practices:

These are optional steps that can help to further mitigate the issues and help in monitoring events related to the Funk Proxy software.

In many cases it is critical to avoid using the same Proxy Host password on multiple systems. This is slightly less important in an environment in which all Proxy Host passwords would be distributed to every user of a system running Proxy Host (e.g., an environment in which every user is allowed remote access to every system). Even then, choosing different passwords helps prevent an intruder who has compromised one system from accessing other systems. Choosing different passwords is also somewhat more important in the Windows 9x case than in the Windows 2000/NT4 case, because Windows 9x provides no access control in the operating system that would prevent a local user from reading PHOST.INI, and because (see Issue 2) a copied PHOST.INI works unchanged on another host.

Use a screen saver lock under Windows 2000/NT4 or a password-protected screen saver under Windows 9x. Even if someone manages to successfully log in to the Proxy Host, they will need Windows credentials or a password before accessing the Windows desktop.

Log all traffic going to and from the Proxy Host system on UDP port 1505 and TCP port 1505 (or whatever port you have chosen to run the Proxy Host on). Block access at your firewall to TCP and UDP port 1505 unless you really need to manage the Proxy Host systems from the outside. Another option is to limit access to port 1505 to authorized systems only, by means of internal networking equipment, personal firewall software, or similar packet-filtering technologies.

Disable the option "Permit suppression of keyboard/mouse" within the Proxy Host configuration unless you absolutely need it.
This will keep remote users connecting to the Proxy Host from locking out local users of the system.

As a final note, always pay close attention to the Proxy Host configuration settings. If any of these settings change, or the password for the host changes, without your knowledge, immediately change the password to something else, shut down the Proxy Host service, and then investigate the problem.

Thanks:

A big thanks goes to both Todd Sabin and Mark Loveless of the RAZOR team. Todd was able to determine that the Funk Proxy Named Pipe was the root cause of some of the issues. Todd recommended a fix for the Named Pipe and also developed the pipeacltools-1.0 utilities. Mark had a ton of input along the way and was also successful in decrypting the Funk Proxy Host passwords stored in the NT/2000 registry. Thanks also goes to Dave Mann, Matt Power, and the rest of the RAZOR team for their *many* comments and recommendations on the material.

References:

Funk's Proxy home page - http://www.funk.com/remote_control/default.asp
Funk's Proxy v3.09A - http://www.funk.com/subsections/tec_proxy.asp
Funk's Proxy Host User Manual - http://www.funk.com/Docs/PHOST.PDF
RAZOR's pipeaclui utility - http://razor.bindview.com/tools/files/pipeacltools-1.0.zip
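The closing recommendation above, to watch the Proxy Host configuration settings and treat an unexplained change (password included) as an incident, as an added example in PowerShell. This is not code from the advisory or from Funk. It records a baseline of the Settings key named under Issue 1 and reports additions, removals and changed values on later runs. Values are stored as SHA-256 digests rather than copied, so the baseline file does not become one more place the obfuscated password (Issue 2) can be lifted from. Assumed: the key path is the one the advisory names, the baseline file location is a placeholder, and the Proxy Host service name is not given in the advisory, so stopping the service is left to the operator. Run it elevated once the Issue 1 registry ACL is in place, on a schedule or at logon.

```powershell
# Added example (not from the BindView advisory or from Funk): detect unexpected
# changes to the Proxy Host Settings key by comparing against a saved baseline.
# Assumptions: key path as named in the advisory; $BaselinePath is a placeholder;
# the Proxy Host service name is not given in the advisory, so the response
# (new password, stop service, investigate) is left to the operator.
param(
    [string] $RegKey       = 'HKLM:\SOFTWARE\Funk Software, Inc.\Proxy Host\Settings',
    [string] $BaselinePath = "$env:ProgramData\proxyhost-settings-baseline.json",
    [switch] $Baseline     # record a fresh baseline instead of comparing
)

function Get-SettingsDigest {
    # Map each value name under $Path to the SHA-256 of its content. Hashing keeps
    # the obfuscated password out of the baseline file while still catching changes.
    param([string] $Path)
    $key    = Get-Item -Path $Path
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $digest = @{}
    foreach ($name in $key.GetValueNames()) {
        $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($raw -is [byte[]]) {
            $bytes = $raw                                                     # REG_BINARY as-is
        } else {
            $bytes = [System.Text.Encoding]::UTF8.GetBytes(($raw -join "`n")) # strings, DWORDs, multi-strings
        }
        $label = if ($name -eq '') { '(Default)' } else { $name }             # keep JSON keys non-empty
        $digest[$label] = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    }
    $sha.Dispose()
    return $digest
}

function Read-Baseline {
    # Load the JSON baseline back into a hashtable of name -> digest.
    param([string] $Path)
    $h = @{}
    $obj = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($prop in $obj.PSObject.Properties) { $h[$prop.Name] = $prop.Value }
    return $h
}

function Compare-SettingsDigest {
    # Return one line per difference between the saved and current digests.
    param([hashtable] $Old, [hashtable] $New)
    $changes = @()
    $names = @($Old.Keys) + @($New.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        if (-not $Old.ContainsKey($n))     { $changes += "added:   $n" }
        elseif (-not $New.ContainsKey($n)) { $changes += "removed: $n" }
        elseif ($Old[$n] -ne $New[$n])     { $changes += "changed: $n" }
    }
    return $changes
}

$current = Get-SettingsDigest -Path $RegKey
if ($Baseline -or -not (Test-Path -Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline of $($current.Count) values written to $BaselinePath (give it the same ACL as the key)."
    return
}

$changes = @(Compare-SettingsDigest -Old (Read-Baseline -Path $BaselinePath) -New $current)
if ($changes.Count -eq 0) {
    Write-Output 'Proxy Host settings match the baseline.'
} else {
    # Per the advisory: set a new Proxy Host password, stop the Proxy Host service,
    # then investigate. Service name is not given in the advisory, so not automated.
    Write-Warning ("Proxy Host settings differ from baseline:`n  " + ($changes -join "`n  "))
    exit 1
}
```

Run once with -Baseline after the Issue 1 and Issue 3 lock-downs are in place and the password has been set, then periodically without it. A "changed:" line for the password value, or any change you did not make yourself, is exactly the condition the advisory says to act on. The non-zero exit code lets a scheduler or monitoring agent raise the alarm without parsing the output.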