Jetro Cockpit Secure Browsing vulnerability - Client missing input validation allowing RCE

CVE-2014-1861

Affected versions: 4.3.3
4.3.1 and probably prior versions.

Jetro Cockpit Secure Browsing makes use of a client running on a
user's workstation in the enterprise's internal network, and a server
in the DMZ that connects on the client's behalf to the internet.

Attack scenario: User causes server to be compromised by an unpatched
or 0-day vulnerability. For example, a browser exploit, or a PDF
viewer exploit. The product should provide network separation and
sand-box such an attack. However the vulnerability found allows a
compromised server to execute code on the client machine using the
printing mechanism.
Specifically:

• If an attacker gains user-level RCE on the server, the found issue
  will allow RCE on the same user's workstation in the internal network.
• If an attacker gains elevated privileged RCE on the server (using a
  PE vulnerability), the found issue will allow RCE on any user's
  workstation in the internal network.

The client does not validate input coming from the server as a result
of a print-to-pdf event. The server can send an .EXE file instead of
the expected .PDF file and the client will execute the file upon
receiving it.

Full disclosure, demo and details here:
http://blog.quaji.com/2014/02/remote-code-execution-on-all-enterprise.html

Ronen Zilberman