CVE-2014-1861
Affected versions: 4.3.3
4.3.1 and probably prior versions.
Jetro Cockpit Secure Browsing makes use of a client running on a
user's workstation in the enterprise's internal network, and a server
in the DMZ that connects on the client's behalf to the internet.
Attack scenario: User causes server to be compromised by an unpatched
or 0-day vulnerability. For example, a browser exploit, or a PDF
viewer exploit. The product should provide network separation and
sand-box such an attack. However the vulnerability found allows a
compromised server to execute code on the client machine using the
printing mechanism.
Specifically:
The client does not validate input coming from the server as a result
of a print-to-pdf event. The server can send an .EXE file instead of
the expected .PDF file and the client will execute the file upon
receiving it.
Full disclosure, demo and details here:
http://blog.quaji.com/2014/02/remote-code-execution-on-all-enterprise.html
Ronen Zilberman