Information Security
appsec exploit audit vulnerability code-review
Updated Wed, 20 Jul 2022 13:54:55 GMT

Exploiting a desktop application


I'm studying application security and now I have a question which I couldn't find a good answer.

Assume I have a vulnerable desktop application in my virus-free windows 7 PC. Let's say when the file size > 10 MB, it causes to an exception in notepad.(just an assumption, you might suggest another scenario). Who is the potential attacker and how is s/he going to hack it? I mean will he attack over the Internet somehow or will some virus use notepad for privilege escalation or something else? What are the possible attack scenarios? Whom should I save the PC from?

Solution

Whom should I save the pc from?

If the desktop application is not listening on a port, it means if there is a potential vulnerability, it can only be exploited locally. The attacker might have exploited another vulnerability and now looking for privilege escalation or persistence. Don't always assume a vulnerable desktop application would result in privilege escalation though. It depends on the vulnerability itself. For example, if the application is running with standard user privileges, even if the attacker exploits it in some way (e.g. buffer overflow, arbitrary file access etc), it won't normally result in privilege escalation. If the application is running with administrative or more privileges, then any vulnerability in the application would result in attacker gaining the same privileges the application is running with.

Comments (5)

  • +0 – Most non-corporate desktops (and many corporate ones) are run by a single user, and the attacker might not need administrative privileges to monetize their attack. Scraping your files is already very valuable. Besides Linux and OSX users, and all the users who disable UAC, are unprotected from keyloggers, "replacement" rogue apps, etc. and there probably are ways even with UAC to leave some code running behind (possibly as simple as leaving the app running as a daemon and changing its config files to re-exploit it on start up). — May 01, 2015 at 21:22  
  • +0 – @SteveDL You are absolutely right. Gaining administrative or system (even DA) privilege is no more the goal of any attacker. The objective is only to gain access to the data and that can be achieved easily. There are also additional indirect attack surfaces as well (e.g. hard coded credentials in the exe which works on other machines etc). OP asked from whom he needs to to protect the application and the simple answer is the user no matter what their intent. Thanks for your valuable input. — May 02, 2015 at 07:43  
  • +0 – I feel we're misunderstanding each other. I did not mean that as a sysadmin, OP should only protect the system from its users. What does that even mean, forbid access to the machine? Evidently if the apps are installed and used it's because the users might need them to be productive, hence the solution cannot be to get in their way. Look up discovery.ucl.ac.uk/20247 and discovery.ucl.ac.uk/1424472. A less disruptive solution could be to isolate risky apps from one another and/or to isolate sensitive documents and make them accessible on a per-need basis. — May 02, 2015 at 11:58  
  • +0 – Also, I forgot discovery.ucl.ac.uk/1426546 which explains why users won't comply if you treat them as enemies. — May 02, 2015 at 12:02  
  • +0 – By protection I didn't mean to lock it. Protection means to make sure the application is only used in an intended way. Whatever protection we put in place in an application such as protection against bof, authentication, authorization etc, it is for both legitimate as well as malicious users. Protection should always be independent of the particular set of users due to the fact that the same users can perform malicious tasks as well. That is why I said protect (from malicious usage) the desktop application from everyone. Hope it is clear now. — May 02, 2015 at 14:01  

References