Back to list
SEC Consult SA-20111012-0 :: Client-side remote file upload & command execution in Microsoft Forefront UAG Remote Access Agent (CVE-2011-1969)
Oct 13 2011 10:22AM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20111012-0 >
title: Client-side remote file upload & command execution
product: Microsoft Forefront Unified Access Gateway Remote
Access Agent (signed Java applet)
vulnerable version: 22.214.171.124
CVE number: CVE-2011-1969
by: Elisabeth Demeter / SEC Consult Vulnerability Lab
"Forefront Unified Access Gateway 2010 (UAG) delivers comprehensive,
secure remote access to corporate resources for employees, partners,
and vendors on both managed and unmanaged PCs and mobile devices.
Utilizing a combination of connectivity options, ranging from SSL VPN
to Direct Access, as well as built in configurations and policies,
Forefront UAG provides centralized and easy management of your
organization's complete anywhere access offering.
Integrating a deep understanding of the applications published, the
state of health of the devices being used to gain access, and the
user's identity â?? Forefront UAG enforces granular access controls and
policies to deliver comprehensive remote access, ensure security, and
reduce management costs and complexity."
The client-side endpoint security solution (Microsoft Forefront UAG),
e.g. supplied by Microsoft Outlook Web App, uses either a signed Java
applet (Remote Access Agent) or an ActiveX Control (Endpoint
Components) to connect to a VPN and perform local compliance scans on
Due to quality issues within the software, an attacker is able to access
insecure methods from the "trustworthy" Java applet and exploit those
features to compromise all client systems that trust the correctly
signed Java applet (e.g. all users that need to use this software for
accessing internal systems over company VPN).
The ActiveX control has the same functionality, which is why it is
strongly presumed that a similar attack is possible.
Microsoft UAG Remote Access Agent contains the MicrosoftClient.jar
which in turn contains AgentAppletDriver.java. This class creates an
"Agent" object that writes one of the following three files to the
client system (depending on the operating system):
It is only checked if the jar is signed, but not who signed it, so any
created self-signed jar that is named like one of these files can be
used. The manipulated jar files can only be loaded if the codebase is
completely on the attacker system (the MicrosoftClient.jar and all the
other needed files need to be on the attacker system).
The agent_xxx_helper.jar needs to include any executable with the name
"ProxyProcess_Win.exe" and/or "AttachmentWiper.exe" which is executed
during the doInit() function which in turn is called during the init()
function of AgentAppletDriver.java.
Summing up, an attacker is able to upload arbitrary executable files to
remote clients and then immediately execute them without notice as a
signed Java applet is being used (if "Always trust content from this
publisher" has been checked - otherwise an unsuspicious Java digital
signature verification popup will occur).
Possible attack vectors are drive-by downloads just by visiting
malicious websites but also through emails, any XSS on unsuspicous
Proof of concept:
The exploit will not be published, but a video demonstrating this issue
has been created. It can be found at the following URL:
Vulnerable / tested versions:
The Forefront UAG Remote Access Agent 126.96.36.199 has been tested and
Vulnerable signed Java applet certificate SHA1 fingerprint:
According to Microsoft, the following systems are vulnerable:
- Microsoft Forefront Unified Access Gateway 2010
- Microsoft Forefront Unified Access Gateway 2010 Update 1
- Microsoft Forefront Unified Access Gateway 2010 Update 2
- Microsoft Forefront Unified Access Gateway 2010 Service Pack 1
Vendor contact timeline:
2011-04-22: Contacted vendor through secure (at) microsoft (dot) com [email concealed]
2011-04-22: Vendor: Very fast response, issue is being investigated:
MSRC case 11257
2011-04-28: Contacted vendor asking for updates
2011-05-17: Contacted vendor again asking for updates
2011-05-19: Contacted personal contact at MSRC asking for updates
2011-05-19: Answer from personal contact and from case manager: they
could reproduce the issue and are currently working on a fix
timeline, fix expected in the next few months
2011-05-30: Contacted vendor informing about our publishing schedule:
minimal information will be published on June 13th, mutual
customers will be informed in more detail, advisory and
video will be published when issue is fixed
2011-05-31: Answer from vendor to postpone the publishing date
2011-06-06: Proposal to the vendor to postpone the publishing date to
2011-06-06: Answer from vendor ok-ing it
2011-06-22: Update from vendor to postpone the publishing date again
2011-06-23: Update from vendor with more information about the fixing
2011-06-28: Contacted vendor accepting a possible postponing of the
July 12th publishing date, also offering dates for a
2011-06-28: Answer from vendor about dates for phone-conference call
2011-06-29: New offering of dates for phone-conference call
2011-07-13: Conference call
2011-08-21: Contacted vendor about updates
2011-08-22: Update from third party will be in october, so patch from
vendor will also be in october
2011-09-26: Contacted vendor about specific publishing dates
2011-09-26: Publishing dates confirmed by vendor for October 11th
We thank the people from Microsoft for their cooperation!
Update your Microsoft Forefront UAG.
Deactivate Java in your browser. Login to Microsoft Outlook Web App
should still be possible.
Add the entry for the following file:
# UAG Client MicrosoftClient.jar
Remove the affected trusted certificate (see fingerprint above) of
Microsoft Corporation from the Java control panel (jcontrol) from all
Don't fully trust signed Java applets (in general).
This workaround can be applied to MAC, Linux, and Windows systems by
modifying the appropriate blacklist file on each system.
If the VPN functionality (or any other) is absolutely needed, only
"trust" it on the company site (don't store the certificate forever and
verify each connect) and don't click on it when the Java certificate
popup occurs on other web pages.
SEC Consult Unternehmensberatung GmbH
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
EOF E. Demeter / 2011
[ reply ]
Copyright 2010, SecurityFocus