top of page

Thick Client Penetration Testing: Uncovering Vulnerabilities in Desktop Applications

Updated: Feb 29

Introduction to Thick Client Penetration Testing


Thick client penetration testing blog series aims to educate pen testers on Windows thick client application security testing. We will use DarkRelay's vulnerable Windows application for PoC and testing.



DarkRelay's Windows application is an intentionally vulnerable application designed and developed to teach pen testers about thick client penetration testing. If you use this application for malicious means or if your server is compromised via an installation of this application, DarkRelay does not hold any responsibility! It is recommended to install this vulnerable application on an isolated virtual machine.


Download DarkRelay's vulnerable Windows application from our official GitHub account here: https://github.com/DarkRelayLabs/VWA.

This application supports testing of the following types of security issues and more.

If you have more questions, please write us at https://www.darkrelay.com/get-started.


Register for live instructor-led thick client penetration testing training today!!! https://www.darkrelay.com/thick-client-pt


EXE Hijacking


EXE Hijacking happens when a malicious executable placed in a directory is loaded by a process instead of the legitimate executable. This enables the malicious executable to load with the same privilege as the caller process, thus leading to privilege escalation.


Testing for Exe Hijacking

As an administrator, start the Process Monitor tool and apply the below filters to monitor a Windows process.


Result is Name Not Found

Path ends with exe

Operation is Create File

thick client application security testing

Download DarkRelay's vulnerable windows application from here https://github.com/DarkRelayLabs/VWA. Run VipravaInstaller_x64.msi installer as an administrator.

thick client application security testing

Process Monitor will list all the missing executables not found during the installer MSI execution. The results show that many executables are marked as Name Not Found, good candidates for EXE hijacking.

thick client application security testing

Beeper.exe is trying to load the executable PipeClient.exe from the folder C:\ProgramData\Viparva\. As the PipeClient.exe executable is not present in the folder, Beeper.exe fails to load the executable.


Navigate to folder C:\ProgramData\Viparva\ and check the folder properties by right-clicking the folder Viparva. From the properties, it is evident that the folder Viparva allows complete control to Authenticated Users. Thus any low-privileged user on the same system can modify the contents inside the folder Viparva.

thick client application security testing

As a standard user, run the below command to copy calc.exe from C:\Windows\System32\calc.exe to C:\ProgramData\Viparva\PipeClient.exe.

Copy C:\Windows\System32\calc.exe C:\ProgramData\Viparva\PipeClient.exe

Log in to an Administrator account, launch the Process Monitor, and set the new filters below.


Path end with PipeClient.exe

Operation is Create File

thick client application security testing

Beeper.exe executes certain checks every minute. Thus next time when Beeper.exe process executes, it will load the PipeClient.exe, which in turn executes our payload calculator program. This is evident from the Process Monitor results shown below.

thick client application security testing

The calculator payload now runs with the same privileges as the Beeper.exe process, thus allowing a standard user to elevate their privileges from a low-privileged user to an administrator.


SYMLINK ATTACKS


Symbolic links or soft links act as a pointer to files or folders located elsewhere in the system. The symbolic link looks like regular files or directories, but when executed by the user or an application, they point to the target files or directories.


Symlinks can be created using commands such as mklink. Below we are creating symlink (symlinktodemo.txt) to file demo.txt using mklink. Open the command prompt as administrator and run the below commands.

echo "symlink" > demo.txt
mklink symlinktodemo.txt demo.txt

Testing for Symlink based Attacks


ViparvaInstaller_x64.msi installer creates the folder C:\ProgramData\Viparva\Log. Inside this folder, it creates a file named Viparva.log. The Log folder permissions are poorly configured, as all authenticated users are provided with complete control of this Log folder.

thick client application security testing

The low-privileged user can abuse this to overwrite any file on Windows, thus causing arbitrary file write and DoS.


As a low-privileged user, before the VipravaInstaller_x64.msi is installed, create the Log folder using the command mkdir C:\ProgramData\Viparva\Log\.

Create a symlink using the tool createsymlink.exe from google. Download the tool from here https://github.com/googleprojectzero/symboliclink-testing-tools

CreateSymlink.exe -p "C:\ProgramData\Viparva\Log\Viparva.log" "C:\Windows\1.txt"

As an administrator user, launch the ViparvaInstaller_x64.msi installer. Observe that 1.txt is created inside the Windows folder. All the logs will now be written to the 1.txt file instead of the C:\ProgramData\Viparva\Log\Viparva.log file.

thick client application security testing

The low-privileged user successfully writes content into any file and folders inside Windows, thus leading to DoS and privilege escalation.


Information Leakage


Applications sometimes store sensitive data such as passwords and keys in the memory, and it is beneficial to search inside the memory to look for sensitive data. Thick client applications or processes may store the sensitivity inside the binary, registry keys, and hidden files. An attacker can reverse engineer the binary to capture all the sensitive data.


Testing for Information Leakage


ViparvaInstaller_x64.msi installs applications inside the path C:\Program Files\Viparva\. The path contains the application Client.exe, which may contain some sensitive data. We will reverse-engineer the application Client.exe to identify the sensitive content. Open the x64 debugger x64_dbg\release\x64\x64dbg.exe and load the file C:\Program Files\Viparva\Client.exe.

thick client application security testing

Navigate to symbols and double-click on Client.exe to open the module inside x64dbg.

thick client application security testing

Right-click and select search for -> current modules -> string references

thick client application security testing

Inside the strings tab, we can see the sensitive data in plain text that is part of the executable. In this case, we see that Client.exe uses a password S3cur3P4ss.

thick client application security testing

Insecure Communication


Insecure communication happens when an application shares sensitive data, such as passwords and keys, over the network in plain text. Thick client applications or processes may share sensitive data without TLS, and an attacker can perform a man-in-a-middle attack to capture such sensitive data.


Testing for Insecure Communication


ViparvaInstaller_x64.msi installs applications inside the path C:\Program Files\Viparva\. The path contains applications Server.exe and Client.exe, which exchange some data with each other. Launch the application C:\Program Files\Viparva\Server.exe. Click on and allow access if prompted.

thick client application security testing

Launch the Echo mirage application, select Process Inject, and select Server.exe from the list.

thick client application security testing

Click on rules and make sure both Outbound and Inbound options to capture incoming/outgoing requests from server.exe are selected.

thick client application security testing

Launch C:\Program Files\Viparva\Client.exe. Echomirage captures the incoming data to Server.exe from the Client.exe. We can see that the sensitive data (password in this case) is captured by the Echomirage tool. Notice that Client.exe and Server.exe exchange the password using the plain-text protocol.

thick client application security testing

DLL Hijacking


DLL Hijacking happens by placing a malicious DLL in a directory (in the absence of a legitimate DLL), which is then loaded by the application instead of the legitimate DLL. This causes the malicious DLL to load with the same privileges as the application, thus causing a privilege escalation.


Windows follows the safe DLL search order pattern to load a specific library.


• The directory from which the application is loaded

• C:\Windows\System32

• C:\Windows\System

• C:\Windows

• The current working directory

• Directories in the system PATH environment variable

• Directories in the user PATH environment variable


When an application tries to load a DLL that doesn’t exist, the application continues to search across Windows directories. If dll is not found, the application continues to search in the current directory. Again if the dll is not found, the application searches in the directories that are part of the %PATH% environment variable.


Phantom DLL hijacking is a process where a low-privileged user with write privileges on the directories in search by the application could place a malicious DLL, which is eventually loaded by the application while the application searches for the legitimate DLL.


Testing for DLL Hijacking


Launch Procmon as administrator and apply the filters below to monitor the Viparva application for DLL hijacking issues.


Result is Name Not Found

The path ends with dll

thick client application security testing

Start the installation of ViparvaInstaller_x32.msi or ViparvaInstaller_xx64.msi. The process Beeper.exe tries to load a non-existent Shared.dll from the folder C:\ProgramData\Viparva. Also, note that the Beeper.exe process executes every 30 seconds.

thick client application security testing

The folder C:\ProgramData\Viparva allows complete control to Authenticated Users. This means a low-privileged local user could write into this folder.

thick client application security testing

Create a malicious payload using the source code below.

#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
 MessageBox(NULL, TEXT("pwnd!"), TEXT("dll hijack poc!"), 0);
 return 0;
}

Compile on a Linux machine using the below commands.

#install mingw
 sudo apt install mingw-w64

#x32
 i686-w64-mingw32-gcc -shared -o Shared.DLL Shared.cpp

#x64
 x86_64-w64-mingw32-gcc -shared -o Shared.DLL Shared.cpp

Log in to Windows as a low-privileged user and place the PoC dll into the folder C:\ProgramData\Viparva. The PoC dll is successfully loaded by the process Beeper.exe. The low-privileged user thus obtained elevated access to the Windows system.

thick client application security testing

There are more vulnerabilities to find in this Vulnerable Windows Application, and we encourage the readers to discover them.


Join our Thick Client Penetration Testing course today to learn more!

 

Register for instructor-led online courses today!


Check out our free programs!


Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.


6,871 views

Recent Posts

See All

1 Comment


Net Hunter
Net Hunter
May 18, 2022

Awesome !! Please add write-ups for all the vulnerabilities.

Like
bottom of page