Introduction to Thick Client Penetration Testing
Thick client penetration testing blog series aims to educate pen testers on Windows thick client application security testing. We will use DarkRelay's vulnerable Windows application for PoC and testing.
Join our Thick Client Penetration Testing course to learn more!
DarkRelay's Windows application is an intentionally vulnerable application designed and developed to teach pen testers about thick client penetration testing. If you use this application for malicious means or if your server is compromised via an installation of this application, DarkRelay does not hold any responsibility! It is recommended to install this vulnerable application on an isolated virtual machine.
Download DarkRelay's vulnerable Windows application from our official GitHub account here: https://github.com/DarkRelayLabs/VWA.
This application supports testing of the following types of security issues and more.
Unquoted Service Path
Information Leakage
Insecure Communication
Weak Named Pipe
Weak Memory Protection
Stack Buffer Overflow
Absence of Digital Signatures
COM Hijacking
Process Injection
If you have more questions, please write us at https://www.darkrelay.com/get-started.
Register for live instructor-led thick client penetration testing training today!!! https://www.darkrelay.com/thick-client-pt
EXE Hijacking
EXE Hijacking happens when a malicious executable placed in a directory is loaded by a process instead of the legitimate executable. This enables the malicious executable to load with the same privilege as the caller process, thus leading to privilege escalation.
Testing for Exe Hijacking
As an administrator, start the Process Monitor tool and apply the below filters to monitor a Windows process.
Result is Name Not Found
Path ends with exe
Operation is Create File
Download DarkRelay's vulnerable windows application from here https://github.com/DarkRelayLabs/VWA. Run VipravaInstaller_x64.msi installer as an administrator.
Process Monitor will list all the missing executables not found during the installer MSI execution. The results show that many executables are marked as Name Not Found, good candidates for EXE hijacking.
Beeper.exe is trying to load the executable PipeClient.exe from the folder C:\ProgramData\Viparva\. As the PipeClient.exe executable is not present in the folder, Beeper.exe fails to load the executable.
Navigate to folder C:\ProgramData\Viparva\ and check the folder properties by right-clicking the folder Viparva. From the properties, it is evident that the folder Viparva allows complete control to Authenticated Users. Thus any low-privileged user on the same system can modify the contents inside the folder Viparva.
As a standard user, run the below command to copy calc.exe from C:\Windows\System32\calc.exe to C:\ProgramData\Viparva\PipeClient.exe.
Copy C:\Windows\System32\calc.exe C:\ProgramData\Viparva\PipeClient.exeLog in to an Administrator account, launch the Process Monitor, and set the new filters below.
Path end with PipeClient.exe
Operation is Create File
Beeper.exe executes certain checks every minute. Thus next time when Beeper.exe process executes, it will load the PipeClient.exe, which in turn executes our payload calculator program. This is evident from the Process Monitor results shown below.
The calculator payload now runs with the same privileges as the Beeper.exe process, thus allowing a standard user to elevate their privileges from a low-privileged user to an administrator.
SYMLINK ATTACKS
Symbolic links or soft links act as a pointer to files or folders located elsewhere in the system. The symbolic link looks like regular files or directories, but when executed by the user or an application, they point to the target files or directories.
Symlinks can be created using commands such as mklink. Below we are creating symlink (symlinktodemo.txt) to file demo.txt using mklink. Open the command prompt as administrator and run the below commands.
echo "symlink" > demo.txt
mklink symlinktodemo.txt demo.txtTesting for Symlink based Attacks
ViparvaInstaller_x64.msi installer creates the folder C:\ProgramData\Viparva\Log. Inside this folder, it creates a file named Viparva.log. The Log folder permissions are poorly configured, as all authenticated users are provided with complete control of this Log folder.
The low-privileged user can abuse this to overwrite any file on Windows, thus causing arbitrary file write and DoS.
As a low-privileged user, before the VipravaInstaller_x64.msi is installed, create the Log folder using the command mkdir C:\ProgramData\Viparva\Log\.
Create a symlink using the tool createsymlink.exe from google. Download the tool from here https://github.com/googleprojectzero/symboliclink-testing-tools
CreateSymlink.exe -p "C:\ProgramData\Viparva\Log\Viparva.log" "C:\Windows\1.txt"As an administrator user, launch the ViparvaInstaller_x64.msi installer. Observe that 1.txt is created inside the Windows folder. All the logs will now be written to the 1.txt file instead of the C:\ProgramData\Viparva\Log\Viparva.log file.
The low-privileged user successfully writes content into any file and folders inside Windows, thus leading to DoS and privilege escalation.
Information Leakage
Applications sometimes store sensitive data such as passwords and keys in the memory, and it is beneficial to search inside the memory to look for sensitive data. Thick client applications or processes may store the sensitivity inside the binary, registry keys, and hidden files. An attacker can reverse engineer the binary to capture all the sensitive data.
Testing for Information Leakage
ViparvaInstaller_x64.msi installs applications inside the path C:\Program Files\Viparva\. The path contains the application Client.exe, which may contain some sensitive data. We will reverse-engineer the application Client.exe to identify the sensitive content. Open the x64 debugger x64_dbg\release\x64\x64dbg.exe and load the file C:\Program Files\Viparva\Client.exe.
Navigate to symbols and double-click on Client.exe to open the module inside x64dbg.
Right-click and select search for -> current modules -> string references
Inside the strings tab, we can see the sensitive data in plain text that is part of the executable. In this case, we see that Client.exe uses a password S3cur3P4ss.
Insecure Communication
Insecure communication happens when an application shares sensitive data, such as passwords and keys, over the network in plain text. Thick client applications or processes may share sensitive data without TLS, and an attacker can perform a man-in-a-middle attack to capture such sensitive data.
Testing for Insecure Communication
ViparvaInstaller_x64.msi installs applications inside the path C:\Program Files\Viparva\. The path contains applications Server.exe and Client.exe, which exchange some data with each other. Launch the application C:\Program Files\Viparva\Server.exe. Click on and allow access if prompted.
Launch the Echo mirage application, select Process Inject, and select Server.exe from the list.
Click on rules and make sure both Outbound and Inbound options to capture incoming/outgoing requests from server.exe are selected.
Launch C:\Program Files\Viparva\Client.exe. Echomirage captures the incoming data to Server.exe from the Client.exe. We can see that the sensitive data (password in this case) is captured by the Echomirage tool. Notice that Client.exe and Server.exe exchange the password using the plain-text protocol.
DLL Hijacking
DLL Hijacking happens by placing a malicious DLL in a directory (in the absence of a legitimate DLL), which is then loaded by the application instead of the legitimate DLL. This causes the malicious DLL to load with the same privileges as the application, thus causing a privilege escalation.
Windows follows the safe DLL search order pattern to load a specific library.
• The directory from which the application is loaded
• C:\Windows\System32
• C:\Windows\System
• C:\Windows
• The current working directory
• Directories in the system PATH environment variable
• Directories in the user PATH environment variable
When an application tries to load a DLL that doesn’t exist, the application continues to search across Windows directories. If dll is not found, the application continues to search in the current directory. Again if the dll is not found, the application searches in the directories that are part of the %PATH% environment variable.
Phantom DLL hijacking is a process where a low-privileged user with write privileges on the directories in search by the application could place a malicious DLL, which is eventually loaded by the application while the application searches for the legitimate DLL.
Testing for DLL Hijacking
Launch Procmon as administrator and apply the filters below to monitor the Viparva application for DLL hijacking issues.
Result is Name Not Found
The path ends with dll
Start the installation of ViparvaInstaller_x32.msi or ViparvaInstaller_xx64.msi. The process Beeper.exe tries to load a non-existent Shared.dll from the folder C:\ProgramData\Viparva. Also, note that the Beeper.exe process executes every 30 seconds.
The folder C:\ProgramData\Viparva allows complete control to Authenticated Users. This means a low-privileged local user could write into this folder.
Create a malicious payload using the source code below.
#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
MessageBox(NULL, TEXT("pwnd!"), TEXT("dll hijack poc!"), 0);
return 0;
}Compile on a Linux machine using the below commands.
#install mingw
sudo apt install mingw-w64
#x32
i686-w64-mingw32-gcc -shared -o Shared.DLL Shared.cpp
#x64
x86_64-w64-mingw32-gcc -shared -o Shared.DLL Shared.cppLog in to Windows as a low-privileged user and place the PoC dll into the folder C:\ProgramData\Viparva. The PoC dll is successfully loaded by the process Beeper.exe. The low-privileged user thus obtained elevated access to the Windows system.
There are more vulnerabilities to find in this Vulnerable Windows Application, and we encourage the readers to discover them.
Join our Thick Client Penetration Testing course today to learn more!
Register for instructor-led online courses today!
Check out our free programs!
Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.