We often hear about vulnerabilities in client software, such as web browsers and email applications, that can be exploited by malicious content. The repeated stories about botnets, infected web sites, and viruses which infect us with malicious documents, movies, and other content have ingrained the concept of an exploitable client in our minds.
In this blog entry, we will discuss auditing client software for vulnerabilities and describe the three different types of client-side exploits and how they can impact the risk of your network.
Auditing Client-Side Exploits
The largest misconception I’ve encountered from security auditors who test client-side software is a focus on the operating system or application alone. Nessus audits hundreds of different manufacturers’ patches and will readily identify issues in applications that were not shipped with the operating system.
The solution is to perform a complete patch audit of a scanned system. Passive Vulnerability Scanner will identify client vulnerabilities based on DNS lookups, web queries, dedicated client protocols, and analysis of unencrypted conversations over FTP, SMTP, IMAP, SMB, and many others.
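The passive approach described above works because unencrypted client traffic leaks the product and version in use: an HTTP User-Agent, an X-Mailer header in outbound mail, or a DNS lookup for a vendor’s update server. The following Python script is an added example written for this post, not Passive Vulnerability Scanner code; the traffic lines are constructed, the fingerprint patterns are illustrative, and the "fixed in" thresholds are assumptions (the Firefox value mirrors the page’s "Firefox < 3.6.2" plugin; the Wget value is a placeholder).

```python
import re
from collections import defaultdict

# Constructed sample of unencrypted traffic, one event per line:
# "<src_ip> <protocol> <payload>". Made up for this example.
SAMPLE_TRAFFIC = """\
10.0.0.5 HTTP User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1) Gecko/20100316 Firefox/3.6.1
10.0.0.5 DNS aus3.mozilla.org
10.0.0.7 HTTP User-Agent: Wget/1.11.4
10.0.0.7 DNS update.filezilla-project.org
10.0.0.9 SMTP X-Mailer: Microsoft Outlook 14.0
10.0.0.9 HTTP User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/3.6.2
"""

# Fingerprints: (protocol, product, regex). A regex with a "version" group yields
# a versioned inventory entry; DNS patterns only prove the product is present.
FINGERPRINTS = [
    ("HTTP", "Firefox", re.compile(r"Firefox/(?P<version>\d+(?:\.\d+)*)")),
    ("HTTP", "Wget", re.compile(r"User-Agent:\s*Wget/(?P<version>\d+(?:\.\d+)*)")),
    ("SMTP", "Microsoft Outlook",
     re.compile(r"X-Mailer:\s*Microsoft Outlook\s+(?P<version>\d+(?:\.\d+)*)")),
    ("DNS", "Firefox", re.compile(r"^aus\d*\.mozilla\.org$")),
    ("DNS", "FileZilla", re.compile(r"^update\.filezilla-project\.org$")),
]

# Assumed "fixed in" thresholds: versions strictly below are flagged.
# Firefox mirrors the page's "Firefox < 3.6.2" plugin; Wget is a placeholder.
FIXED_IN = {
    "Firefox": "3.6.2",
    "Wget": "1.12",  # placeholder, not a real advisory figure
}


def parse_version(text):
    """Turn '3.6.1' into (3, 6, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_traffic(text):
    """Build {host: {product: set(versions)}}; None marks presence without a version."""
    inventory = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, proto, payload = line.split(" ", 2)
        for fp_proto, product, pattern in FINGERPRINTS:
            if fp_proto != proto:
                continue
            match = pattern.search(payload)
            if match:
                inventory[src][product].add(match.groupdict().get("version"))
    return inventory


def flag_outdated(inventory):
    """Return sorted (host, product, version, fixed_in) tuples below the threshold."""
    findings = []
    for host, products in inventory.items():
        for product, versions in products.items():
            fixed = FIXED_IN.get(product)
            if fixed is None:
                continue
            for version in versions:
                if version is not None and parse_version(version) < parse_version(fixed):
                    findings.append((host, product, version, fixed))
    return sorted(findings)


if __name__ == "__main__":
    inv = parse_traffic(SAMPLE_TRAFFIC)
    for host, products in sorted(inv.items()):
        print(host, {p: sorted(v, key=str) for p, v in products.items()})
    for finding in flag_outdated(inv):
        print("OUTDATED:", finding)
```

Only hosts that talk in the clear show up, which is the point of pairing passive detection with a credentialed patch audit: a client that never makes an unencrypted request is invisible here but still gets caught by the local check.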
Type 1 – Traditional Client-side Exploits
These exploits target browsers, browser plugins, and email clients. Today, there is a fine line between email and web applications since many email applications share libraries when viewing emails that have been formatted with HTML content.
Type 2 – Clients with Exposed Services
Many types of client software will actually open up a socket and run a service that communicates on the network. If the host is directly connected to the Internet or to mobile broadband networks and it does not have a firewall, it may be attacked directly without any need for user interaction such as opening an email.
Within Nessus 5, this can be refined further within your scan policy by adding a filter for a “plugin type” of “remote” as compared to a credentialed “local” check. Combinations can be further added to target specific classes of software.
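The same remote-versus-local split can be applied after the scan when reviewing results for Type 2 exposure. The Python below is an added example, not Nessus code: it reads a constructed fragment shaped like a Nessus v2 (.nessus) report and separates findings by their plugin type. The hosts, ports and the choice of findings are made up; the plugin IDs and names are the ones quoted on this page, and the one remote finding uses an obviously labelled placeholder ID. It assumes each ReportItem carries a plugin_type element holding "remote" or "local", as the scan policy filter above describes.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report fragment in the shape of a Nessus v2 (.nessus) file.
# Hosts and ports are made up; plugin IDs/names for local checks come from
# the post, and the remote finding uses a placeholder ID of 0.
SAMPLE_NESSUS = """\
<NessusClientData_v2>
  <Report name="client-audit">
    <ReportHost name="10.0.0.7">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                  pluginID="21565" pluginName="FileZilla FTP Client Unspecified Overflow"
                  pluginFamily="FTP">
        <plugin_type>local</plugin_type>
      </ReportItem>
      <ReportItem port="5900" svc_name="vnc" protocol="tcp" severity="2"
                  pluginID="0" pluginName="PLACEHOLDER remote service check"
                  pluginFamily="Service detection">
        <plugin_type>remote</plugin_type>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="4"
                  pluginID="51162"
                  pluginName="MS10-090: Cumulative Security Update for Internet Explorer (2416400)"
                  pluginFamily="Windows : Microsoft Bulletins">
        <plugin_type>local</plugin_type>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="4"
                  pluginID="45133" pluginName="Firefox &lt; 3.6.2 Multiple Vulnerabilities"
                  pluginFamily="Windows">
        <plugin_type>local</plugin_type>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def load_findings(xml_text):
    """Flatten every ReportItem into a dict, keeping the plugin_type it was found by."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                # Assumed element: "remote" for network checks, "local" for credentialed ones.
                "plugin_type": item.findtext("plugin_type", default="unknown"),
            })
    return findings


def filter_by_type(findings, plugin_type):
    """Equivalent of the scan-policy 'plugin type' filter, applied to saved results."""
    return [f for f in findings if f["plugin_type"] == plugin_type]


def summarize(findings):
    """Per-host count of findings by plugin type."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["host"]][f["plugin_type"]] += 1
    return {host: dict(c) for host, c in counts.items()}


def exposed_services(findings):
    """Type 2 candidates: hosts where a remote check hit a real listening port."""
    exposed = defaultdict(set)
    for f in filter_by_type(findings, "remote"):
        if f["port"] > 0:
            exposed[f["host"]].add((f["protocol"], f["port"]))
    return {host: sorted(ports) for host, ports in exposed.items()}


if __name__ == "__main__":
    fs = load_findings(SAMPLE_NESSUS)
    print(summarize(fs))
    print("exposed:", exposed_services(fs))
```

Findings reported on port 0 by local checks are the Type 1 and Type 3 material (software present but not listening); anything a remote check found on a real port is the set of hosts that would be reachable without any user interaction if the firewall were absent.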
Type 3 – Clients Exposed to Hostile Servers
This type of client exploit may seem very similar to our first type, but the differentiation is that the server isn’t hosting hostile data -- the server itself can be manipulated to attack a client directly.
Vulnerabilities like this can be used to hop through firewalls in a much more direct manner than by attempting to compromise an administrator’s system with some sort of Internet-based social engineering exploit. If the administrative access to the DMZ systems is allowed from an internal network and there is vulnerable client software in use, a DMZ server under control of an attacker could modify the service to conduct attacks against the client.
Some example vulnerabilities detected by Nessus that could be used to run code from a maliciously controlled server:
Code execution in FTP clients:
21565 FileZilla FTP Client Unspecified Overflow
Code execution in SSH clients:
37021 FreeBSD : putty — buffer overflow vulnerability in ssh2 support (19518d22-2d05-11d9-8943-0050fc56d258)
Code execution in SNMP clients:
38099 USN-685-1 : net-snmp vulnerabilities
Code execution in web clients:
49102 USN-982-1 : wget vulnerability
45133 Firefox < 3.6.2 Multiple Vulnerabilities
51162 MS10-090: Cumulative Security Update for Internet Explorer (2416400)
To find out more about how to enhance your organization’s network security, explore the information and solutions from E-SPIN or contact us for your project or operational requirements.