Pwning a thin client in less than two minutes

Pwning a thin client in less than two minutes by Roberto Suggi Liverani

From the post:

Have you ever encountered a zero client or a thin client? It looks something like this…

[Image: HP T520 thin client]

If yes, keep reading below; if not, then if you encounter one, you will know what you can do if you read below…

The model above is a T520, produced by HP – this model and other similar models are typically employed to support a medium/large VDI (Virtual Desktop Infrastructure) enterprise.

These clients run a Linux-based HP ThinPro OS by default, and I had a chance to play with image version T6X44017 in particular, which is fun to play with, since you can get a root shell in a very short time without knowing any password…

Normally, the HP ThinPro OS interface is configured in a kiosk mode, as the concept of a thin/zero client is based on using a thick client to connect to another resource. For this purpose, a standard user does not need to authenticate to the thin client per se and would just need to perform a connection – e.g. VMware Horizon View. The user will eventually authenticate through the connection.

The point of this blog post is to demonstrate that a malicious actor can compromise such thin clients in a trivial and quick way provided physical access, a standard prerequisite in an attack against a kiosk.

During my testing, I tried to harden the thin client as much as possible, with the following options:

Physical security is a commonly overlooked aspect of network security. That was true almost twenty (20) years ago when I was a Novell CNE and that hasn’t changed since. (Physical & Network Security: Better Together In 2014)

You don’t have to take my word for it. Take a walk around your office and see what network or cables equipment could be physically accessed for five minutes or less by any casual visitor. (Don’t forget unattended workstations.)

Don’t spend time and resources on popular “threats” such as China and North Korea when the pizza delivery guy can plug a wireless hub into an open Ethernet port inside your firewall. Yes?

For PR purposes the FBI would describe such a scheme as evidence of advanced networking and computer protocol knowledge. It may be from their perspective. 😉 It shouldn’t be from yours.
