Client-Side Attacks
In this age of automatic patching, increased anti-virus usage, and operating-system-level application protection, it is common to encounter situations where you simply do not have a direct remote exploit to use against a target. At these times client-side attacks are an excellent method of gaining access to an otherwise impenetrable host and a foothold in the target network. Client-side exploits generally require some sort of user interaction, such as opening a file or navigating to a malicious website. Once a client has been compromised it can be used as a launching point for attacks further within the network. Even a seemingly low-value asset can give a penetration tester the visibility into the target domain required for a successful engagement.
Spear-phishing is a targeted email attack against an organization for the purpose of collecting information or exploiting unwary users. The focused and limited nature of a spear-phishing attack makes it an excellent tool for the penetration tester. Appropriating the identity of a high-ranking company official by way of a forged email makes it far easier to convince users to download and run an executable. A small amount of research will usually reveal the name, title, and contact information of an IT Director or similarly titled individual who makes a good candidate for spoofing. Adding this information to the target's standard email footer, in addition to forging the From address of the message, creates a convincing template for malicious instructions. Check beforehand whether the target domain publishes SPF, DKIM, and DMARC records: a strict DMARC policy can cause a message with a forged From address to be rejected or quarantined before any user sees it, in which case a registered look-alike domain is a more reliable sender.
Electronic documents are designed to be distributed, and it is often part of a person's job duties to accept documents from untrusted sources. For instance, HR departments receive electronically submitted resumes that may arrive in a variety of formats. PDF is a popular electronic document format that has been plagued by a number of vulnerabilities. Although alternatives to Adobe's official PDF reader exist, they tend to be affected by the same classes of bugs, since they all implement the same complex format (they are all trying to do the same thing, after all: parse and display PDF documents). Microsoft Word and Excel are other commonly exchanged document formats that have had frequent and widespread vulnerabilities. By using recent exploits, or targeting users known to be running vulnerable versions, a pentester can compromise a user in the course of their normal daily activities. Metadata contained in documents hosted or provided by the target organization (author names, the producing application, and its version string) can give valuable insight into the users and application versions in use, and therefore into which exploit to pick.
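The metadata harvesting described above, as an added example that is not part of the original text: a small Python 3 script (standard library only) that pulls the producing application, version and author out of the two document types the paragraph names. It goes a little beyond the paragraph by covering both families: OOXML files (docx/xlsx/pptx) are ZIP packages whose docProps/app.xml and docProps/core.xml parts carry the application, AppVersion and creator fields, and an unencrypted PDF keeps /Producer, /Creator and /Author in its document information dictionary. The sample documents are constructed inline and the values in them are made up; the PDF scraper only handles plain literal strings (with nested parentheses and backslash escapes) and will miss metadata hidden in object streams, so on a real engagement cross-check with exiftool or pdfinfo.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two OOXML property parts.
NS_APP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
NS_DC = "{http://purl.org/dc/elements/1.1/}"
PDF_INFO_KEYS = ("Producer", "Creator", "Author")


def ooxml_metadata(data: bytes) -> dict:
    """Application/version/company/template from docProps/app.xml and the
    author (dc:creator) from docProps/core.xml of an OOXML package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("Application", "AppVersion", "Company", "Template"):
                el = root.find(NS_APP + tag)
                if el is not None and el.text:
                    found[tag] = el.text
        if "docProps/core.xml" in names:
            el = ET.fromstring(z.read("docProps/core.xml")).find(NS_DC + "creator")
            if el is not None and el.text:
                found["creator"] = el.text
    return found


def _pdf_literal(data: bytes, start: int) -> str:
    """Read the PDF literal string whose opening '(' is at data[start].
    Balanced nested parentheses are part of the string; backslash escapes
    are resolved for the common cases."""
    escapes = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            out += escapes.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
            out += c
        else:
            out += c
        i += 1
    return out.decode("latin-1")


def pdf_metadata(data: bytes) -> dict:
    """Scrape /Producer, /Creator and /Author literal strings from a PDF."""
    found = {}
    for key in PDF_INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(", data)
        if m:
            found[key] = _pdf_literal(data, m.end() - 1)
    return found


def document_fingerprint(data: bytes) -> dict:
    """Dispatch on the file magic: ZIP local header for OOXML, %PDF for PDF."""
    if data.startswith(b"PK\x03\x04"):
        return ooxml_metadata(data)
    if data.startswith(b"%PDF"):
        return pdf_metadata(data)
    return {}


# --- constructed sample documents (values are invented for the example) ---
def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/app.xml",
                   '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
                   "<Application>Microsoft Office Word</Application>"
                   "<AppVersion>12.0000</AppVersion><Company>Example Corp</Company></Properties>")
        z.writestr("docProps/core.xml",
                   '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
                   'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>jdoe</dc:creator></cp:coreProperties>')
    return buf.getvalue()


SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (Acrobat Distiller 8.1.0 (Windows)) "
              b"/Creator (PScript5.dll Version 5.2.2) /Author (jdoe) >>\nendobj\n"
              b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for name, blob in (("sample.docx", build_sample_docx()), ("sample.pdf", SAMPLE_PDF)):
        print(name, document_fingerprint(blob))
```

Run it over a directory of documents pulled from the target's web site and tally the AppVersion and Producer strings: a cluster of identical old version strings tells you both which reader or office suite to target and which user names to address the lure to.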
Client-side exploits can also be delivered via non-standard mechanisms. Autorun is a feature of Microsoft Windows that automatically launches the executable named in an autorun.inf file when removable media is inserted. Malicious compact discs could be mailed to a target disguised as marketing material or in otherwise enticing packaging. U3-enabled USB thumb drives, which present part of their storage to the operating system as a CD-ROM drive and are therefore treated like optical media by Autorun, can carry an autorun agent and be dispersed in common areas or covertly attached to a workstation. In a recent incident, an attacker left fraudulent parking tickets on vehicles instructing victims to visit a particular URL; the site referenced by the ticket would attempt to install malicious software on any visitor's machine.
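The autorun.inf mechanism above, as an added example that is not part of the original text: a Python 3 parser for the file's INI syntax that lists what Autorun/AutoPlay would launch (the open= and shellexecute= entries and any shell\<verb>\command= entry) and flags the two cosmetic tricks that make a malicious entry look like the built-in "Open folder to view files" item (a folder icon borrowed from shell32.dll and an action= text to match). The sample autorun.inf is constructed for this example, and the path and label in it are invented; the heuristics are the ones a defender or an incident responder would apply to a file recovered from a found USB stick or mailed CD.

```python
import re

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> dict:
    """Parse autorun.inf (Windows INI syntax: [section] headers, key=value
    lines, ';' comments).  Section and key names are case-insensitive on
    Windows, so both are lower-cased; values are kept as written."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section or without a value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(text: str) -> list:
    """(key, command) pairs Autorun/AutoPlay would run for this file."""
    auto = parse_autorun_inf(text).get("autorun", {})
    targets = []
    for key, value in auto.items():
        if key in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            targets.append((key, value))
    return targets


def autorun_findings(text: str) -> list:
    """Triage notes for an autorun.inf found on removable media: every launch
    target, plus the icon/action disguise that mimics the system entry."""
    auto = parse_autorun_inf(text).get("autorun", {})
    findings = [f"launches {cmd} via {key}" for key, cmd in autorun_launch_targets(text)]
    if "shell32.dll" in auto.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll (mimics a system icon)")
    if "folder" in auto.get("action", "").lower():
        findings.append("action text mimics the built-in 'Open folder to view files' entry")
    return findings


# Constructed sample of a disguised autorun.inf; the path and label are made up.
SAMPLE_AUTORUN = r"""
; marketing CD (constructed example)
[autorun]
open=setup\launch.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
label=Marketing Materials
shell\explore\command=setup\launch.exe
shell=explore
"""

if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_AUTORUN):
        print("-", finding)
```

Note that an open= entry only fires on optical media on patched systems (which is exactly why U3 drives emulate a CD-ROM), while the action= and icon= entries are what makes the AutoPlay dialog's malicious item indistinguishable from the legitimate one to an untrained user.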
Defense against client-side exploits requires a multilevel approach. Applications should be patched regularly and as quickly as updates can be tested and deployed. Automated controls such as web and email gateways, intrusion detection or prevention systems, and host-based anti-malware provide significant protection if properly configured and maintained. Egress filtering limits the channels through which an agent on a compromised host can communicate with its controller outside the firewall, so that a successful exploit does not automatically translate into a usable session. Most importantly, users need to be trained to identify suspicious communications. No single solution can eliminate the dangers inherent in client-side attacks, but a strong defense-in-depth position will reduce the risk to a manageable level.
