Thick Client Pentesting: Architecture, Tools and Testing Approaches

Introduction: Thick Client

Thick client applications, called desktop applications, are full-featured computers that are connected to a network. Unlike thin clients, which lack hard drives and other features, thick clients are functional whether they are connected to a network or not.

While a thick client is fully functional without a network connection, it is only a “client” when it is connected to a server. The server may provide the thick client with programs and files that are not stored on the local machine’s hard drive.

Example Application:

• Firefox
• Chrome
• Burp Suite
• OWASP ZAP
• Zoom
• Desktop games
• Music Player
• Text editor

Common Architectures of Thick Clients.

• Two Tier
• Three Tier

Two Tier: The two-tier is based on Client-Server architecture. The two-tier architecture is like a client-server application. Direct communication takes place between client and server. There is no intermediate between client and server.

Two Tier Architecture

Example Applications:

• Desktop Games
• Music Player
• Text Editor

Three Tier: The three-tier is based on Client – Application Server – Database Server architecture. The Application server is the mediator between client and server, it transfers data from client to server and vice versa.

Three Tier Architecture

Example Applications:

• Firefox
• Chrome
• Burp Suite
• Zap Proxy

As we have understood what thick client is and its architecture, now we’ll move on to penetration testing approach.
We have shown some vulnerabilties of thick client

Starting checks (Enumeration)

• Application Architecture
  • Business Logic
• Platform Mapping
  • Understanding Application & Infrastructure
• Languages and Frameworks
• Network Connection with WireShark/TCPview

Common Tools and Vulnerabilities.

Tools

• CFF Explorer
• Wireshark/TCPview/
• Procmon
• Detect It Easy
• Echo Mirage

Vulnerabilities

• Hardcoded Sensitive Information in Code & Config/Log files
• Unquoted Service Paths
• DLL Hijacking
• SQL Injection
• Lack of code obfuscation
• Buffer Overflow

Hardcoded Sensitive information in Code & Config/Log files

Some time developers forget to remove hardcoded sensitive information in the code and config/log files that can be used by malicious actors to perform severe attacks such as authentication bypass, unauthorized access of the server, unauthorized access of APIs, etc.

Hardcoded sensitive information, such as username/passwords, server IP addresses, and encryption keys, can expose the information to attackers. Anyone who has access to the class/exe/DLL files can decompile and discover sensitive information.

To decompile the application, we just need to open the exe file in dnspy tools, as shown below.

Tools dnspy

Vulnerable Application: Damm Vulnerable Thick Client App (DVTA)

Similarly, config & log files can be reviewed for sensitive information. We often see cases where the application reveals sensitive information in these files.

Note: if the exe file is obfuscated, we can use the de4dot.exe tool to deobfuscate it (There are a few known techniques to deobfuscate code).

Unquoted Service Paths:

When a service is created whose executable path contains spaces and isn’t enclosed within quotes, it leads to Unquoted Service Path vulnerability, which allows an attacker to gain elevated privileges.

After finding the vulnerable service, we need to check the folder permissions. If low/same privilege users have writeable access, privilege escalation is possible.

Command: wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:windows” |findstr /i /v “””

Wmic command: The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands.

Unqouted Serverice Path

Vulnerable Application: Sandboxie-Plus v0.7.4

DLL Hijacking

DLL Hijacking is a way for attackers to execute malicious code on the system. This means that if an attacker can place a file on the system, that file could be executed when the user runs an application vulnerable to DLL Hijacking.

If the application looks for some DLL files that are not present in the location during the runtime, then an attacker can place a malicious DLL file with the same name in that location and escalate the privilege.

Tools Procmon.exe

DLL Hacking

Vulnerable Application: Damm Vulnerable Thick Client App (DVTA)

As shown in the screenshot, the path is missing. An attacker can create the folder and DLL file and escalate the privilege.

SQL Injection

A SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input to affect the execution of predefined SQL commands.

According to OWASP

The application uses an SQL server(on the same machine) to maintain the data such as credentials, etc., and if the application has login functionality, that might be vulnerable to SQL injection. An attacker can bypass the authentication and gain access to the application.

Note:

• We have seen this case in 2 tier applications since they use a SQL/SQLite/MSaccess Server/file to maintain data on the same machine.
• It is often observed that 3 tier application uses API and that might be vulnerable to SQL injection.

Lack of code obfuscation

Let’s understand what code obfuscation is

Code obfuscation

Code obfuscation is the process of modifying an executable so that it is no longer useful to a malicious actor but remains fully functional. While the process may modify actual method instructions or metadata, it does not alter the program’s output.

Lack of code obfuscation

When developers do not obfuscate the code when compiling the binary, an attacker can decompile the code using some tools such as JD GUI & Dnspy.

To decompile the application, we just need to open the exe file in dnspy tools, as shown below.

Tools dnspy

Code Decompile

Vulnerable Application: Damn Vulnerable Thick Client App (DVTA)

Similarly, we can decompile the jar file using JD-GUI.

Buffer Overflow

A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program tries to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.

According to OWASP

Some vulnerable applications: SLmail 5.5, Golden FTP Server 4.70, Ultra MiniHTTPd 1.2, CloudMe 1.11.2, Easy File Sharing Web Server 7.2.

You can practice on these applications. These are vulnerable to a stack-based buffer overflow.

References

• https://resources.infosecinstitute.com/topic/practical-thick-client-application-penetration-testing-using-damn-vulnerable-thick-client-app-part-1/
• https://www.softwaretestingclass.com/what-is-difference-between-two-tier-and-three-tier-architecture/
• https://techterms.com/definition/thickclient
• https://github.com/secvulture/dvta/tree/master/DVTA/DVTA/bin/Release
• https://owasp.org/www-community/attacks/SQL_Injection
• https://owasp.org/www-community/vulnerabilities/Buffer_Overflow
• https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
• https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic
• https://www.exploit-db.com/exploits/49842
• https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.4/Sandboxie-Plus-x64-v0.7.4.exe
• https://www.exploit-db.com/exploits/42159
• https://download.cnet.com/CFF-Explorer/3000-2383_4-10431156.html
• https://www.wireshark.org/download.html
• https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
• https://github.com/horsicq/Detect-It-Easy
• https://sourceforge.net/projects/echomirage.oldbutgold.p/

About Payatu

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.