Penetration Testing mailing list archives

RE: Client Side Exploits


From: Shane Anglin <Shane.Anglin () knology com>
Date: Fri, 25 Mar 2011 21:01:39 +0000

The potential exists for a client-side attack to allow a hacker to connect back to the victim machine, then potentially 
load software on the victim machine, and scan the victim's network for other machines using the victim's machine as a 
pivot point, and attack other machines on the inside... and if successful, the hacker could compromise another internal 
machine and do the same as the initial victim... it's all potential as the skills & motives of the hacker determine 
outcome, tempered by any inside protections, such as IDS/IPS, etc.  So, potentially, the inside server that never 
opened the malicious PDF ends up being indirectly compromised.

Shane Anglin

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of cribbar
Sent: Friday, March 25, 2011 9:45 AM
To: pen-test () securityfocus com
Subject: Client Side Exploits


Can any of you pen-testers give me some basic advice on client-side exploits, what potential impact they can have on 
server-side infrastructure, and whether these are included in pen-tests? In my less-than-expert opinion, when it comes 
to client-side exploits, that spells out to me stuff like Adobe Reader, whereby to exploit an unpatched version of Adobe 
requires a hacker to somehow trick a user into opening a malicious PDF, which in turn I assume lets the hacker run some 
sort of code under the privilege of that user.

I have read that hackers typically target users and unpatched vulns on users' workstations in the network/domain that 
have access to specific servers, as opposed to targeting unpatched vulns on the server itself; is that true? Are 
unpatched vulns on servers and server apps never targeted from the outside, i.e. via dodgy email, malicious websites etc.?

Does this mean then that if you had an unpatched version of Adobe Reader on, say, a Windows 2003 file server, there's no 
real risk? Admins don't use the server to browse the net, open email etc., so how can you trick an admin into opening a 
dodgy PDF on a server?

Back to the running of malicious code once you have tricked a user into opening your malicious PDF: what kind of code 
is it? What language? And how can this code attack the server to get to whatever sensitive data you were after? If the 
server has been hardened with strong passwords, ACLs, patches etc., is it going to stand up to this malicious code 
execution? The thing that worries me is that if malware can execute code that can bypass Windows security features, 
then technically so could a malicious insider if they had that code. I just wondered what type of things the code will 
try and attack if its sole focus is getting a copy of sensitive data on a file server.

And last but not least, another thing that baffles me is: if this dodgy PDF gets onto a workstation, then executes its 
malicious code and gets onto an admin share on a Windows server, and finds 20 Word documents full of sensitive 
restricted data, how does it get these Word documents out and into the hands of the hacker? I just can't see how that 
stage works.

And is this the kind of thing you include in your pen-tests, i.e. send a shedload of dodgy PDFs to corporate users via 
email and see what kind of access and data it gets you access to?

Sorry about my ignorance, but I have read some articles on this subject and it makes less sense, so I thought I'd ask 
the experts. If you can put it in layperson's terminology, that would help me no end.

Thanks


