I have always been fascinated by fat client applications, and I believe this goes back almost 20 years, to when I was a teenager with a computer and a passion to learn. I still am passionate to learn 🙂
My start was with HTML and Assembly, an odd combination I admit, but that is how it started. Learning to code in Assembly taught me patience and, above all, opened a door to reverse engineering Win32 applications. I did it for years, regrettably not professionally, because that was not a “thing” back then, and still is not, especially where I come from. So nowadays, when I see a fat client application in an engagement (a penetration testing project or red teaming), I wonder, I always wonder, whether it can be hacked.
Magnificent fat client applications and where to find them!
In a recent blog post (EN) published on my employer’s website I talk about client applications. At the beginning, the blog post explains what fat client applications are. Then I point out, from my point of view, when to conduct a security analysis of a client application and suggest how to prioritize which client applications to test first. Finally, I give a short overview of how a security analysis of client applications works.
The blog post is not technical and intended for the C-Level. I hope it can be helpful to someone in making a decision.
In my blog post I make a statement:
Unternehmen jeder Größe können betroffen sein (Companies of all sizes can be affected)
No matter how big your company is or how many professionals are on your security budget, some day, at some point, something will fly under the radar and into production. Remember the definition of an upgrade: take old bugs out, put new ones in.
Meet IBM Spectrum Protect (a.k.a. Tivoli Storage Manager)
It is a data protection platform that gives enterprises a single point of control and administration for backup and recovery. It enables backups and recovery for virtual, physical and cloud environments of all sizes[1].
Versions 8.1.0.0 – 8.1.11.0 of the application are vulnerable to a classic weakness: overly permissive file system permissions (CWE-732, Incorrect Permission Assignment for Critical Resource) that allow low-privileged users to escalate their privileges to SYSTEM on Windows under certain circumstances.
The vulnerability was assigned the CVE-ID CVE-2021-20532. IBM acknowledged my report, and a fix was ready within two months of the initial report.
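The post does not name the affected directory or service, and the IBM advisory linked in the timeline is the reference for that. What a practitioner can do on any Windows host is check for the underlying pattern: a location under Program Files that a low-privileged principal can write to, combined with a service running as LocalSystem that loads binaries or configuration from there. The following script is an added example, not code from the original post or from IBM; the installation path in `$InstallRoot` is an assumption and should be pointed at whatever product you are auditing.

```powershell
# Added example (not from the original post or the vendor): audit an
# installation directory for ACEs that grant write rights to low-privileged
# principals, then list services whose binaries live under that directory.
# $InstallRoot is an assumption; replace it with the path you want to check.
param(
    [string]$InstallRoot = 'C:\Program Files\Example Vendor\Example Product'
)

# Well-known low-privileged principals that should never hold write rights
# on service binaries, DLLs, or configuration files under Program Files.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow tampering with a file, planting a file in a directory,
# or changing the ACL itself to obtain such rights later.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-PermissiveAces {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try { $acl = Get-Acl -LiteralPath $item.FullName } catch { return }
            foreach ($ace in $acl.Access) {
                # Only Allow ACEs for a low-privileged principal with a write-class right matter.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

function Find-ServicesUnderRoot {
    param([string]$Root)
    # A writable path is only an escalation primitive if a privileged process
    # executes or loads from it; LocalSystem services are the usual candidate.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$Root*" } |
        Select-Object Name, StartName, StartMode, PathName
}

Write-Host "Permissive ACEs under $InstallRoot"
Find-PermissiveAces -Root $InstallRoot | Format-Table -AutoSize

Write-Host "Services with binaries under $InstallRoot"
Find-ServicesUnderRoot -Root $InstallRoot | Format-Table -AutoSize
```

Run it as a normal user on a machine where the product is installed; anything the first table reports with `Inherited = False` is an explicit ACE the installer set, which is the kind of thing that slips through an upgrade. A hit alone is not an escalation: cross-check the second table for a service running as `LocalSystem` whose `PathName`, or a DLL it loads, sits on a reported path. As a quick cross-check from cmd, `icacls "<path>"` shows the same ACEs in compact form.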
TL;DR
The moral of the story is that, although such an application has certainly gone through testing and public scrutiny, a classic vulnerability still managed to slip through.
Disclosure Timeline
| Date | Event |
| --- | --- |
| 09.02.2021 | Initial notification per email (psirt@us.ibm.com) |
| 12.02.2021 | IBM PSIRT: Initial confirmation of receipt |
| 05.03.2021 | IBM PSIRT: Cannot reproduce. Request for additional information |
| 08.03.2021 | Additional information and PoC video provided |
| 09.03.2021 | IBM PSIRT: Confirm receipt of information |
| 20.04.2021 | IBM PSIRT: Vulnerability confirmed |
| 23.04.2021 | Initial publication: https://www.ibm.com/support/pages/node/6445503 |
Upcoming
Stay tuned for another blog post!
I will be talking about another fat client application used in a VDI base (golden) image.
The vulnerability allows an attacker in the network to take over hundreds of VDI hosts remotely and gain SYSTEM privileges on the domain-joined machines before you can say PWNED.
Operators with Domain Administrator accounts were even nice enough to log on remotely to disable the vulnerable Windows service after I reported it, and they did it on machines where I had already escalated my privileges to SYSTEM… but hey, it was only a matter of time 😈