I was hired to do a pentest of a thick client in the UK this week and found a load of fun and serious vulnerabilities, so I decided to write up my findings (all sensitive data redacted, of course!).
First things first: I started the application under Echo Mirage to look through its traffic. The first thing I noticed was that the application connected to a SQL Server instance hosted elsewhere on the network. There was no API layer handling the calls and no SSO handling authentication; the client connected straight to the database.
Win #1 — Got the “sa” user account password for the database.
Moving on — SQL Injection
The application was riddled with SQL injection vulnerabilities. It ran its queries directly against the server, and I could intercept them and change them however I wanted.
This could be performed in two ways:
- Using Echo Mirage to change the queries as they were sent over the wire directly to the server
- Using the application’s poor input validation to manipulate the queries as a standard SQL injection attack.
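As an added example (not code from the original post or from the application under test), the second bullet in miniature: the same customer lookup written first with string concatenation, the pattern that makes user input part of the SQL text, and then with a bound parameter. It runs against a constructed in-memory SQLite table standing in for the SQL Server database; the table, column names and sample rows are all assumptions.

```python
import sqlite3

# Constructed sample data (not from the original post): a small customer table
# standing in for the SQL Server database the thick client talked to.
SAMPLE_ROWS = [
    (1, "Alice", "alice@example.invalid"),
    (2, "Bob", "bob@example.invalid"),
    (3, "Carol", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


DB = make_db()


def lookup_vulnerable(name: str) -> list[tuple[str, str]]:
    """Builds the query by string concatenation, the pattern the post describes.

    Whatever the user types becomes part of the SQL text, so a quote in the
    input changes the structure of the query instead of being treated as data.
    """
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return DB.execute(query).fetchall()


def lookup_safe(name: str) -> list[tuple[str, str]]:
    """Same lookup with a bound parameter.

    The SQL text is fixed and the driver sends the value separately, so the
    input can only ever match (or fail to match) the name column.
    """
    query = "SELECT name, email FROM customers WHERE name = ?"
    return DB.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    legit = "Alice"
    # A textbook tautology, used here only to show the difference in behaviour.
    tautology = "' OR '1'='1"
    print("vulnerable, legit input :", lookup_vulnerable(legit))
    print("vulnerable, tautology   :", lookup_vulnerable(tautology))  # every row
    print("safe, legit input       :", lookup_safe(legit))
    print("safe, tautology         :", lookup_safe(tautology))  # no rows
```

The parameterised form closes the input-validation vector, but not the first bullet: a client that holds database credentials and talks to the server directly can have its queries rewritten on the wire no matter how they were built. That vector only goes away when a server-side API sits between the client and the database and the database account the application uses has the least privilege it needs, rather than sa.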
Win #2 — Lots of private data
For the SQL connections to be made, the application required a set of database credentials. These credentials were stored in a password-protected zip file which the application creates on first setup. The password is hardcoded somewhere in the application (I couldn't find where) and is used to unzip the archive and extract the XML config file.
As the connection to the database had already been made, I knew that the application must have the password for the zip file somewhere. I checked the source code of the application (I'll get to that bit) and couldn't find it, so I moved on to memory. I created a memory dump of the running application and searched through it for any strings that might be useful (there were hundreds of thousands of strings). Instead of going through it manually, I loaded up my Linux VM, mounted the shared drive and grepped through it. I knew the name of the zip file, so it was just a case of grepping for that name. Lo and behold, the password for the zip file was there, in a function called "UnzipFile".
I used the aforementioned password to unzip the file and found the credentials for 3 different database connections.
Win #3 — More SQL Creds!
Spawning a shell to Priv-Esc
The application was running on a laptop which did not allow cmd or PowerShell access; however, the application itself ran as an administrator. I'm sure you can see where this is going.
The application had an area where you could run scripts. The scripting language came from a third-party development tool. I googled around for the syntax and found that it had a specific syntax for running arbitrary system commands. With that, I could spawn a cmd shell which had administrative privileges.
Win #4 — Privilege Escalation and Shell
This was a fun learning experience for me. I've done thick client testing in the past, but this test was especially enjoyable. I learned a lot from it, and the client was happy with the results.