[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
MobaXTerm before version 8.5 vulnerability in "jump host" functionality
-----BEGIN PGP SIGNED MESSAGE-----
== Description ==
MobaXTerm (http://www.mobatek.net/), a Windows SSH/RDP/VNC/etc. client, includes
a functionality to open remote sessions via a so-called "jump host" or "SSH
gateway". In the end this creates a "SSH Port Forward" by binding a local port on
the machine running MobaXTerm to forward all traffic to the specified destination
host via the jump host through a SSH tunnel (-L option in OpenSSH), and that is
then used to open the final remote session to the target machine.
MobaXTerm implementations before 8.5 however do not bind the local socket to
the local loopback interface (127.0.0.1) to allow only processes from the
local machine to use the tunnel, but instead bind the socket to "any"
interface on the local machine (0.0.0.0). This results in a gateway for
anybody who is able to access the machine running the MobaXTerm application to
tunnel through to the target machine.
This tunnel is opened the first time a session using this "jump host" is
openend, and stays open even after the session was closed, as long as the
MobaXterm is running (eventually).
The vulnerability is present in the default configuration of the MobaXTerm
application, and I could not find any option or setting to change this
behaviour in affected versions. Version 8.5, which was released in December
2015, fixes this vulnerability by binding the local socket to the loopback
Since MobaXTerm is typically used for system administration, and "jump hosts"
are typically used to work in networks that are divided by firewalls to
separate network zones, this vulnerability allows an attacker to cross those
firewalls and start attacks against the target hosts e.g. via bruteforcing or
reusing credentials, pass-the-hash or any other technique.
== Proof of concept ==
Display the currently used ports (netstat -anb) while having a MobaXTerm RDP
session opened via a "jump host", or connect from a third host to the
gateway port on the machine where MobaXTerm is running on.
== Solution ==
MobaXTerm 8.5 fixes the vulnerability, for older versions access to tunnel
ports can be blocked via a local firewall.
== Timeline ==
2015-11-23: vulnerability reported to vendor (MobaTek) and Cert/CC [VU#965520]
2015-11-25: first response from vendor
2015-12-19: updated version released
2016-01-08: public disclosure
- - - --
Thomas Bleier | Hauptplatz 16, A-7374 Weingraben, Austria
E-Mail: thomas@xxxxxxxxx | Phone: +43-664-3400559
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----