Believe it or not, organizations are getting better at protecting network perimeters. Companies with mature security programs, such as financial institutions, usually make a point of allowing only certain ports through the firewall and hardening Internet-accessible servers to minimize attack surface. As a result, when searching for low-hanging fruit, attackers are paying closer attention to client-side vulnerabilities on internal workstations. So should you, when performing security assessments.
A client-side vulnerability often takes the form of unpatched software on a desktop or laptop. Depending on the nature of the vulnerable application, an attacker could exploit it via a specially-crafted email attachment or by convincing the user to visit a malicious Web site. Web browsers are common targets. Other attractive targets include Adobe Acrobat, Macromedia Flash, QuickTime and Java Runtime Environment.
Modeling real-world attacks
When assessing your organization's exposure to such threats via client-side penetration testing, you should mimic two common scenarios:
- Attackers targeting specific employees with messages carrying malicious payload or by pointing the victim to a malicious Web site.
- Large-scale client-side infection campaigns that rely on victims to visit compromised Web sites that deliver client-side exploits, possibly through malicious banner ads.
A related attack tactic involves relying on social engineering to convince the user to install a backdoor program without bothering to exploit a software vulnerability. The attacker may initiate contact through an email or an instant message, enticing the victim to launch an attachment or to download and run some program.
The mechanics of client-side testing
Here are three methods for testing your organization's exposure to client-side attacks during a security penetration test, listed in the increasing degree of intrusiveness:
- Track the clicks (low impact). Craft an official-looking email to entice the recipient to click on a link. Set up a Web site to which you will direct the individuals. The Web site won't try to exploit a vulnerability or attempt to install software on the workstation. It will merely keep track of the number of people who clicked on the link. This helps estimate the scope of the incident the organization would face had this been a real attack. A variation on this technique uses instant messaging, instead of email. If you'd like to know who visited the Web site, provide a unique link to each recipient.
- Plant a back door without exploitation (medium impact). Employ the social engineering tactics described in the click-tracking method above. This time, instead of simply counting its visitors, the Web site should present the person with a request to download a program of your choice. An unfortunate number of people will install the program from a third-party Web site given the right explanation and that's where your social engineering skills will come in play. Depending on the scope of your testing, your program can do nothing, or it could open a back door to the compromised system. You can track the number of downloads and program installations to collect metrics.
- Exploit a client-side vulnerability (high impact). Follow the methodology outlined in the previous methods to bring the person to your Web site. In this case, exploit a client-side vulnerability to plant the backdoor on the workstation. The biggest benefit of this scenario is that it offers high shock value to the organization that may otherwise disregard the assessment's findings. The biggest disadvantage is that unless you target just the right vulnerability, you may fail to exploit any flaws and have to revert to the simplest click-tracking scenario.
If you are looking to install software on the client-system in the last two scenarios, penetration testing tools such as Metasploit, CANVAS, and CORE IMPACT can be beneficial. Each offers a mechanism for targeting client-side vulnerabilities, and may also assist in generating a backdoor program for the medium-impact scenario described above.
If nothing else, identify client-side vulnerabilities
Assessing an organization's exposure to client-side threats via penetration testing is not for everyone. If you cannot justify a penetration test that employs the methods described earlier, at least examine the workstations to identify missing patches. Such a vulnerability assessment may lack the pizzazz of attempting to plant a backdoor; however, it will highlight the type of vulnerabilities an attacker may target via client-side techniques. Your examination should include both mainstream software from Microsoft, as well as applications from vendors such as Adobe, Apple and Sun.
As attackers shift their tactics to targeting client-side vulnerabilities, organizations must keep up by assessing their exposure to such threats. By incorporating client-side testing into your security assessments, you will be able to collect metrics for that will help you prioritize your security-improvement efforts.
About the author:
Lenny Zeltser is the New York security consulting leader at SAVVIS, Inc. He is also a senior faculty member at SANS Institute, where he teaches a course on reverse-engineering malware.
