Wyse Moves

by Maven

I came upon the Wyse boxes whilst having to work supporting them.

They are produced by Dell for various purposes and clients, including governments, large financial companies, and militaries within and outside 'Murica.

This is an overview of notes taken from a predominantly passive experience of the devices, and some research undertaken afterwards.

This is only a short article detailing common defaults for Wyse Xenith boxes, principally version 8.0_306 Wyse ThinOS firmware.

These boxes are designed to act as thin clients, and front links to Citrix ICA servers, using XenApp or Xendesktop, for example.

Reading the online manuals (such as www.rm.com/RMVirtual/Media/Downloads/wyse-xenith-administrators-guide.pdf) will tell you the following things, almost all of which are left activated on available systems:

1.)  Unplug the network cable prior to boot.  This leaves it in a suspended mode through which you can perform items #2 and #3.

2.)  The network settings are editable, providing you perform item #1.

3.)  You can force a reset if you perform item #1, if you can't normally.  That is, you can command the unit to go back to factory settings after reboot.  To do this, select reboot, and a check box appears to "Reset to Factory Defaults on Reboot."

Before I carry on the list, all the settings are controlled by an INI file called wnos.ini that is loaded from the server.

This file controls all the actions and permissions that the particular client has, and this file trumps the one that is cached locally on the DRAM.  Whilst wnos.ini contains the global settings, there is also the possibility of {username}.ini files for more finely grained control of user access.

This is supposed to make them more secure, but nothing says that spoofing this file is impossible - they are easily generated by tools such as "Wyse WNOS.INI Configuration Generator" located here: michaelkindred.wordpress.com/2012/03/28/wyse-wnos-ini-configuration-utility/

Let's continue the list of things that are possible:

4.)  You can easily view the current INI file on the DRAM and see its settings through the System Information link, which is normally available to most users.

5.)  If you are reset to the defaults, then pressing "Del" or "Shift" during boot will bring up the BIOS screen.  It will ask for a password, which is case sensitive.  By default it is: Fireport

6.)  There is a G-key reset "feature."  Here, you tap the "G" key during boot, if it is not restricted in the cached INI file or the device has not been reset.

7.)  If you can access the file store, note that wnos.ini can carry an Include=$mac.ini line, and the included mac.ini file may itself contain an Exit option.  If Exit=yes is set, processing returns to wnos.ini.

If it is set to Exit=all, the rest of wnos.ini is not loaded at all - so all relevant INI files must be protected to prevent manipulation of which security parameters get loaded.

Remember: programmers put their includes first.  They are in the /wnos/inc/ directory.
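The following Python script is an added example, not code from the article or from Dell/Wyse: it simulates the wnos.ini -> Include=$mac.ini -> Exit load order described above over a constructed file store, so an administrator can see which global settings a per-MAC include would cancel.  It assumes $mac.ini resolves to /wnos/inc/<mac-without-colons>.ini and that ';' starts a comment; Privilege= is a genuine ThinOS parameter not mentioned in the article, and ScreenSaverLock= is a constructed stand-in.

```python
# Added example (not from the article or from Dell/Wyse): simulates the
# wnos.ini -> Include=$mac.ini -> Exit handling the article describes.
# Assumptions: Include=$mac.ini resolves to /wnos/inc/<mac-without-colons>.ini,
# Exit=yes returns to wnos.ini, Exit=all abandons the rest of wnos.ini.
INC_DIR = "/wnos/inc/"

# Constructed file store. Privilege= is a genuine ThinOS parameter (not in the
# article); ScreenSaverLock= is a stand-in for any site security setting.
STORE = {
    "/wnos/wnos.ini": (
        "Include=$mac.ini\n"
        "Privilege=None\n"       # restricts local setup menus
        "ScreenSaverLock=yes\n"  # constructed stand-in
    ),
    INC_DIR + "0080647a1b2c.ini": "Privilege=High\nExit=all\n",
    INC_DIR + "0080647a1b2d.ini": "Exit=yes\n",
}

def parse(text):
    """Yield (key, value) pairs; keys lower-cased, ';' assumed to start a comment."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            yield key.strip().lower(), val.strip()

def load(store, mac):
    """Return (effective_settings, skipped_wnos_lines) for one client MAC."""
    effective, skipped = {}, []
    lines = list(parse(store["/wnos/wnos.ini"]))
    for i, (key, val) in enumerate(lines):
        if key != "include":
            effective[key] = val
            continue
        exit_mode = None
        for ikey, ival in parse(store.get(INC_DIR + val.replace("$mac", mac), "")):
            if ikey == "exit":
                exit_mode = ival.lower()
                break                      # Exit ends the include either way
            effective[ikey] = ival
        if exit_mode == "all":
            skipped = lines[i + 1:]        # the rest of wnos.ini never loads
            break
    return effective, skipped

def audit(store, mac):
    """Flag a client whose include cancels global wnos.ini settings."""
    effective, skipped = load(store, mac)
    lost = [key for key, _ in skipped]
    return {"effective": effective, "lost": lost, "risky": bool(lost)}
```

Run audit() over every file in /wnos/inc/ to find which clients' includes would discard the global lockdown.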

Based on the manual mentioned in the URL above, the boot process checks for wnos.ini over an FTP connection.

If you were to use a dropbox such as Pwn Plug, pre-loaded with an INI file created using the tool referred to above, then you could theoretically force a client to boot with different options in the following way:

  1. Disconnect network adapter from Wyse box.
  2. Edit "Network Settings" to point to custom FTP source.
  3. Allow client to boot using this INI file.
  4. Reboot device.
  5. So long as the WNOS file is of a newer version, it will supersede older versions of the file.

Let it be said that there is no signature checking deployed in this process explicitly, although without testing, this is only a theoretical attack vector.

The same applies to the BIOS image files, called xpress.rom.  Reverse engineering the ROM might be tricky, and there are plenty of bugs in ThinOS.

The list of things that are controlled by the INI files is long.

It includes some baby scripting options, as well as the following options:

There are many problems with ThinOS.

As it's a front for ICA, the handling of windows is very primitive - like, Windows 95 primitive.  It is not unknown for windows to be displayed, read-only, behind the "Locked Screen" login prompt, especially if these windows are running clients that make persistent connections.  If someone had been looking at sensitive information (personal data, for example), then this can be viewed by all.

They are worth attacking due to some zero-days that are still likely in the system, despite being reported to Dell through official channels.

They both have to do with the proprietary autoshutdown routine not being able to cope with persistent connections held open over an ICA connection.  Given how important the network connection is to the architecture of this Wyse system, such connections that are in common usage - connected to database clients and mainframes, etc. - should be handled properly.

The zero-day is as follows:

Wait just under two hours.  The system will start to autoshutdown.  The screen will wake up and the screensaver will come on.  It will display the user's session, with a "Cancel Shutdown" box.  This box will start looping, and so keep the session alive.  Move the mouse, view the screen, and click "Cancel".  You are now in that user's session, as the autoshutdown has the ability to defeat screen locks but not persistent connections, with disastrous consequences.

Lastly, note that ping and traceroute are available to all users by default.  Ping in particular supports DNS resolution of external clients behind the firewall, and can be used to check just this property of the network for, say, DNS tunneling.

This is the limit of our research.

We haven't managed to get ahold of a unit for firmware reversing or the like, primarily owing to other projects and time.  If others have access to such hardware, go ahead.  I am sure there will be much to discover.

Manuals that are more up to date and official (that also, notably, have the default BIOS password removed) can be found at www.wyse.com/manuals.
