0

I'm studying application security and now I have a question which I couldn't find a good answer.

Assume I have a vulnerable desktop application in my virus-free windows 7 PC. Let's say when the file size > 10 MB, it causes to an exception in notepad.(just an assumption, you might suggest another scenario). Who is the potential attacker and how is s/he going to hack it? I mean will he attack over the Internet somehow or will some virus use notepad for privilege escalation or something else? What are the possible attack scenarios? Whom should I save the PC from?

smttsp
  • 366
  • 2
  • 12
  • the question is not clear, you want know which attack can be done with your mentioned scenario? or you want know which type of attack are there related to any desktop application? – Ali May 01 '15 at 18:46
  • any kind of of attack related to desktop application is acceptable. I gave it as an example. If you give general view about attacks to desktop applications it would be better. – smttsp May 01 '15 at 18:49
  • Simple: convince you to open crafted file. Put shellcode in file and ensure that it's exactly what'll be executed when you open the file. Reap the benefits of a fully privileged application doing all that your session can do. Desktop security is still terrible, and too few applications are sandboxed (and, albeit this is still to be formally proved, I have a strong assumption that many apps are unsandboxable because of the process in which sandboxes are developed). – Steve Dodier-Lazaro May 01 '15 at 21:19
  • I'm feeling too lazy to type a full-blown answer but do look at http://security.stackexchange.com/questions/65485/same-origin-policy-for-desktop-application/65487#65487 and http://security.stackexchange.com/questions/63097/should-i-get-an-antivirus-for-ubuntu/63101#63101 – Steve Dodier-Lazaro May 01 '15 at 21:19

3 Answers3

2

Whom should I save the pc from?

If the desktop application is not listening on a port, it means if there is a potential vulnerability, it can only be exploited locally. The attacker might have exploited another vulnerability and now looking for privilege escalation or persistence. Don't always assume a vulnerable desktop application would result in privilege escalation though. It depends on the vulnerability itself. For example, if the application is running with standard user privileges, even if the attacker exploits it in some way (e.g. buffer overflow, arbitrary file access etc), it won't normally result in privilege escalation. If the application is running with administrative or more privileges, then any vulnerability in the application would result in attacker gaining the same privileges the application is running with.

void_in
  • 5,541
  • 1
  • 20
  • 28
  • Most non-corporate desktops (and many corporate ones) are run by a single user, and the attacker might not need administrative privileges to monetize their attack. Scraping your files is already very valuable. Besides Linux and OSX users, and all the users who disable UAC, are unprotected from keyloggers, "replacement" rogue apps, etc. and there probably are ways even with UAC to leave some code running behind (possibly as simple as leaving the app running as a daemon and changing its config files to re-exploit it on start up). – Steve Dodier-Lazaro May 01 '15 at 21:22
  • @SteveDL You are absolutely right. Gaining administrative or system (even DA) privilege is no more the goal of any attacker. The objective is only to gain access to the data and that can be achieved easily. There are also additional indirect attack surfaces as well (e.g. hard coded credentials in the exe which works on other machines etc). OP asked from whom he needs to to protect the application and the simple answer is the user no matter what their intent. Thanks for your valuable input. – void_in May 02 '15 at 07:43
  • I feel we're misunderstanding each other. I did not mean that as a sysadmin, OP should only protect the system from its users. What does that even mean, forbid access to the machine? Evidently if the apps are installed and used it's because the users might need them to be productive, hence the solution cannot be to get in their way. Look up http://discovery.ucl.ac.uk/20247/ and http://discovery.ucl.ac.uk/1424472/. A less disruptive solution could be to isolate risky apps from one another and/or to isolate sensitive documents and make them accessible on a per-need basis. – Steve Dodier-Lazaro May 02 '15 at 11:58
  • Also, I forgot http://discovery.ucl.ac.uk/1426546/ which explains why users won't comply if you treat them as enemies. – Steve Dodier-Lazaro May 02 '15 at 12:02
  • By protection I didn't mean to lock it. Protection means to make sure the application is only used in an intended way. Whatever protection we put in place in an application such as protection against bof, authentication, authorization etc, it is for both legitimate as well as malicious users. Protection should always be independent of the particular set of users due to the fact that the same users can perform malicious tasks as well. That is why I said protect (from malicious usage) the desktop application from everyone. Hope it is clear now. – void_in May 02 '15 at 14:01
  • Edited the answer as well. Hopefully it is more clear now. – void_in May 02 '15 at 14:14
  • You almost *never* need to defend against the legitimate user, especially in the case of standard desktop apps, because **legitimate users would achieve nothing by hacking such applications that they cannot already do**. The main danger for them is for third-party services, remote network ends used by the apps, or malicious third-parties sending crafted files to cause the app to misbehave and execute code the legitimate users had not intended to see executed. – Steve Dodier-Lazaro May 02 '15 at 15:08
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/23374/discussion-between-void-in-and-steve-dl). – void_in May 02 '15 at 15:16
2

Let's suppose a >10mb file opened in notepad causes a buffer overflow and somehow the instruction pointer is set to a location inside that buffer. Somebody could create a maliciously crafted text file which contains shell code at that location inside the text file. You download the text from the internet, put it in notepad and then the malicious program author can execute his code in your environment with the execution rights of the notepad instance you used to open the file.

user94592
  • 67
  • 3
1

Usually, the first step is finding and scanning that which port are open , second one(because here is not for learning hack just talk in general): using some application for finding which program are installed on that computer, then finding the exploits on those application and at the end run a specific script on that, such as buffer over-fellow and get privilege.

another way is changing DNS of router to hijacking the user to updating a software, for example notepad++ use it server for updating itself, when DNS changes to fake address that those address is for malicious user, so he can put malware update instead of true software update,then he can exploit the desktop application and then penetrate to the system.

however there are many ways an situation, but the best attacker is whom that is in the network of victim because the easiest way for finding good information about victim PC is MITM attack.

the best way for protection, is use a firewall at least.

Ali
  • 2,694
  • 1
  • 14
  • 23
  • Thanks for the answer.Is it Nessus, you mentioned by `finding the programs installed on that computer`? I think it listens to open ports, am I wrong? – smttsp May 01 '15 at 19:32
  • @smttsp your welcome ,no some other software in Backtrack Linux. – Ali May 02 '15 at 03:09