Home Breaking Out Of Dell Wyse 30 Series ThinClients & How To Stop This

Breaking Out Of Dell Wyse 30 Series ThinClients & How To Stop This

This was post was updated 9/21/2018

ThinClients are somewhat ubiquitous in businesses. They reduce the overhead for onboarding new employees, are easy to manage, reduce the maintenance costs of desktops, and are all around good alternatives for companies who can spend money better elsewhere.

The 3040 comes locked down with no right-click functionality, you can't access windows explorer, and you can't open command prompt or the run dialogue/taskmanager.

There are very few default apps available.

However, ThinClients also have inherent flaws in them.

The one I am looking at today is the Wyse 3030. This is a full ThinClient with Windows 7 embedded into it with a RAM disk. Out of the box, it is pretty easy to set up and start working and connects easily to virtual hosts. Which is where the trouble begins.

This attack hinges on a few options in the VMWare Horizon Client being enabled, pictured below.

Once connected to a VM, you will be prompted whether or not you want to mount the local machine and its file system. And you are prompted for this after every time you restart the Wyse machine and connect to a host.

If you do mount the Wyse machines file system, you've pretty much gained root access.

Once your VDI machine is mounted, open the file path and locate the shortcut for command prompt we made and copy it to your Wyse machines desktop folder.

Back on the Wyse, you should now have a cmd icon.

Opening this will now open a command prompt window that was previously inaccessible for you.

Since the default admin password resets on reboot, this should be easy to locate on Google - provided it wasn't set up through Wyse management.

Once found, you can use runas to open an administrator powershell prompt within command prompt.

To stop this attack, you need to make a registry key on the ThinClient. This, unfortunately, can not be done from the Wyse management studio and has to be done from the local machine itself. Adding this key will stop file sharing on the machine [HKEY_LOCAL_MACHINE\Software\Policies\VMware, Inc.\VMware VDM\Client] “DisableSharing”=”true” (This remediation was taken from https://www.yannickvr.nl/vmware-horizon-view-client-disable-client-drive-redirection/)

This issue may seem small but many organizations have a need for securing sensitive data, and the fact that data can be copied down to a machine with no lockdown, and that this machine can be elevated to root easily, means there's an inherent security flaw in this design and ability to secure data.

Most companies lock down USB access on VM's but not the thin clients since they are just used as access machines. Even if you are able to lock down the USB level access on the ThinClient, it gets reset on every reboot. If you are able to configure that to be persistent, it still doesn't matter since the user is able to get a command prompt.
This post is licensed under CC BY 4.0 by the author.