Client-side exploits take advantage of vulnerabilities in client software, such as web browsers, email applications and media players (e.g., Internet Explorer, Firefox, Microsoft Outlook, Microsoft Media Player and RealNetworks' RealPlayer). They can also exploit vulnerabilities in system-wide libraries used by client applications. For example, a vulnerability in an image library that renders JPEG images might be exploitable via a web browser or an email application.
Client-side exploits are not prevented by traditional perimeter defenses, such as firewalls and web proxies. Trends monitored by the SANS Institute (http://www.sans.org) and other industry organizations indicate that client-side vulnerabilities began to offset server-side vulnerabilities in 2005.
A single vulnerability in a workstation's client applications may afford access to more important information assets on the same network. A client-side exploit can therefore leverage any compromised workstation as a launching point for attacks against other workstations or servers otherwise protected by perimeter defenses and accessible only via the internal network.
How Client-side Exploits Work
In contrast to more traditional attacks against network services, client-side attacks are usually delivered via an email or a web page. In cases where a client must visit a hostile web server to be compromised, an email might be sent to lure or force the recipient to visit a special URL. The hostile server would then deliver the exploit as it displays the target web content.
Client-side Exploits and CORE Impact
Like the product's other exploits, all Core Impact client-side exploits are Commercial-Grade and take advantage of important penetration testing features of the product, including:
Effortless pivoting via agents
All Core Impact client-side exploits deploy agents that can be used for pivoting, which allows users to scan or attack other systems on the targeted network. While the initially compromised workstation may not contain important information, pivoting can expose more sensitive assets previously protected by the network's perimeter.
HTTP tunneling for agent communication
Communicating with a compromised system can often be a challenge when exploiting client-side vulnerabilities, as workstations often have limited connectivity to the Internet via NAT or a web proxy. Agents deployed with Core Impact client-side exploits effectively establish communication channels back to the product's interface using HTTP.
Client-side exploits can sometimes leave client software (e.g., a web browser or email client) unresponsive, often prompting the user of the application to restart their workstation. Core Impact client-side exploits allow you to maintain contact with a targeted workstation, even after compromised client software is restarted. Upon gaining workstation access, Core Impact injects an agent into a new process outside of the compromised software. You can therefore continue to gather information about the workstation and pivot attacks to other systems without interruption.
All activities related to client-side exploits, including collected email addresses and exploited vulnerabilities, are stored in Core Impact's database for further inspection and report generation.