Penetration Tests You May Not Know: Attack and Defense of Application Virtualization
Web penetration testing is familiar to everyone, but penetration testing of application virtualization is something few people have done, and there is little relevant information online. Drawing on past project experience, this technical topic from our attack and defense team introduces the attack and defense techniques relevant to application virtualization.
First, what is application virtualization? It refers to an application/server (A/S) computing architecture that, using technology similar to a virtual terminal, separates an application's human-computer interaction logic (the user interface, keyboard and mouse input, and so on) from its computing logic. The server opens an independent session for each user, and the application's computing logic runs inside that session; only the changes to the interaction logic (screen updates) are transmitted to the client and displayed on the client's device. The popular name for this is the "thin client".
Currently the mainstream vendors are Citrix and VMware. The following uses Citrix application virtualization as an example:
Through application virtualization, enterprises can improve the efficiency of their employees' office work, and staff can work anytime and anywhere, which benefits both sides. However, convenience brings exposure. In addition, most engineers deploying this kind of application virtualization product have no security experience, and many security details receive little attention; in our projects, TRT found that systems of this type are usually easy to break into.
Attack and defense is a continuous process. In penetration testing we must know ourselves and know our opponent, and understanding the application system is critical. We therefore briefly introduce how application virtualization works, taking Citrix XenApp as the example:
The client accesses the Citrix Web Interface and selects the application to open. The Web Interface then asks an application server in the data center to launch the application, and a dedicated protocol, Citrix ICA, maps the application's interface from the application server to the user's client. All operations on the application are performed in the data center; the user can use the application even though it is not installed on their own machine.
This is where the problem arises. Since the opened application runs in the data center, the user is in effect directly operating a server in the data center. If access control around the application is incomplete, an attacker can exploit the gaps to reach unauthorized resources and even take direct control of the server.
Generally, when deploying application virtualization, administrators prevent users from directly calling CMD, Task Manager, Group Policy, Control Panel and the registry, and from browsing the C: drive or writing files. There are always oversights, however. The TRT team has collected many escape techniques and selected several to share:
1. Call BAT and VBS scripts to execute code
Scenario 1: The administrator has disabled access to the registry, Group Policy and Task Manager, has disabled browsing of the C: drive, and has restricted execution of cmd.exe, so commands cannot be run by calling CMD directly.
Breakthrough method:
In general, the administrator blocks browsing of the C: drive but still lets the user browse their own desktop (on Windows Server 2008 the C:\Users\<username> folder can also be browsed). The attacker only needs to bring up a file browser from a published application that can open local files, such as IE or Word; for example, IE's "View downloads" -> "Options" -> "Browse" opens Windows Explorer:
Although browsing and write restrictions are applied in several places, folders such as C:\Users\<username> or the user's Desktop on Windows Server 2008 are readable and writable by default. We can therefore write our commands into a .bat or .vbs file in that folder, run it, and redirect the output to a file in the same folder. The commands then execute on the server.
2. Call macro commands to execute code
Scenario 2: Building on scenario 1, the administrator has additionally removed execute permission on the directory, so commands cannot be run from the C:\Users\<username> folder.
Breakthrough method:
Because execution is restricted for the user, we let an "application" execute the commands for us. Use the method above to open Explorer, use Citrix's client drive mapping feature to mount the client's local hard disk, open a new Excel file from the local disk, create a macro, and use the VBA Shell() function (which can run cmd commands directly from a macro), as shown in the figure:
Shell "cmd /c ipconfig > C:\Users\xxx\<file name>.txt"
If Word, Microsoft Access or PowerPoint is published instead, you can likewise create a macro and use the Shell() function (which runs cmd commands directly from the macro), as shown in the figures:
Word:
Access:
Powerpoint:
3. Use X-Shell to execute system commands
Scenario 3: As in scenario 2, the administrator has removed execute permission on the directory, so commands cannot be run from the C:\Users\<username> folder.
Breakthrough method:
While browsing the folders of the virtual machine we found that some administrators install X-Shell to make management easier, and X-Shell can then be used to execute system commands.
By default, X-Shell's local shell supports only a very limited set of commands:
running some system commands directly produces a "command not found" prompt.
However, a system command can be run by placing it after a pipe operator, for example ipconfig | net user:
Using this method, system commands can be executed.
4. Code execution via IE Developer Tools
Scenario 4: In addition to the restrictions of scenarios 1 and 2, only IE is published, directories on drive C: are restricted, and you cannot navigate to any directory. There is still a way through.
Breakthrough method:
Because IE is running on the target server, you can use the debugging function of the IE Developer Tools and JavaScript
to open a command line on the target server and execute commands. Opening the command line through IE:
These are some of the security problems we have found in application virtualization across different projects. Only by understanding the attacks can we defend against them, and in attack and defense work we pay more attention to defensive measures. When deploying application virtualization we recommend not only prohibiting users from directly calling CMD, Task Manager, Group Policy, Control Panel and the registry, browsing the C: drive, writing files, and executing from user-writable directories, but also the following protective measures:
1. Restrict users from using shortcut keys to open Windows Explorer.
2. In addition to restricting cmd.exe, restrict the programs under system32 so that ordinary users cannot execute them, such as systeminfo, ipconfig, netstat, net, net1 and xcopy (copy is a cmd.exe built-in rather than a separate program, so it is covered by restricting cmd.exe itself). An application allow-list (AppLocker or Software Restriction Policies) is more robust than a deny-list of individual binaries.
3. If Office applications must be published, disable macros by policy.
4. If the developer tools are not needed, disable IE Developer Tools by policy.
5. Remove unnecessary third-party applications (such as the X-Shell of scenario 3).
6. Keep the session host servers patched.
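The following audit script is an added example and not part of the original post or of any Citrix tooling. Run from inside a published session as the published-application user, it reports which of the policy controls recommended above are actually in force and replays the scenario 1/2 escape as a probe (writing a batch file into the profile folder and trying to run it) and the system32 restriction of recommendation 2. It is read-only apart from one probe file that is created and removed in %USERPROFILE%. Assumptions: Office policies are read from the 16.0 hive and only Excel is checked; the registry locations are the standard Windows, IE and Office policy keys.

```powershell
# Added hardening audit for a XenApp/RDS session host (example code, not from the original post).
# Each check maps to one of the escape routes or recommendations discussed above.

$PolicyChecks = @(
    @{ Name = 'Task Manager disabled';           Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'DisableTaskMgr';       Expect = 1 }
    @{ Name = 'Registry editing tools disabled'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'DisableRegistryTools'; Expect = 1 }
    # DisableCMD = 1 blocks cmd.exe AND batch-file processing; 2 blocks only the interactive
    # prompt and leaves .bat files runnable, which is exactly the gap abused in scenario 1.
    @{ Name = 'cmd.exe and batch files blocked'; Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                 Value = 'DisableCMD';           Expect = 1 }
    @{ Name = 'Control Panel hidden';            Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoControlPanel';       Expect = 1 }
    @{ Name = 'Run dialog disabled';             Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoRun';                Expect = 1 }
    # Recommendation 1: Win+E and the other Windows-key shortcuts that reach Explorer.
    @{ Name = 'Windows-key hotkeys disabled';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoWinKeys';            Expect = 1 }
    # NoViewOnDrive is a bitmask (A=1, B=2, C=4, ...); bit 4 must be set to block access to C:.
    @{ Name = 'Drive C: blocked in Explorer';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoViewOnDrive';        Expect = 4; Bitmask = $true }
    # Recommendation 4 (scenario 4).
    @{ Name = 'IE Developer Tools disabled';     Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\IEDevTools';    Value = 'Disabled';             Expect = 1 }
    # Recommendation 3 (scenario 2): VBAWarnings 4 = "disable all macros without notification".
    # Office 16.0 hive and Excel only are assumptions; repeat for Word/Access/PowerPoint as published.
    @{ Name = 'Excel macros disabled';           Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security';     Value = 'VBAWarnings';          Expect = 4 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (i.e. the policy is not set).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-PolicyCheck {
    param([hashtable]$Check)
    $actual = Get-PolicyValue -Path $Check.Path -Name $Check.Value
    $pass = if ($null -eq $actual) { $false }
            elseif ($Check.Bitmask) { ([int]$actual -band $Check.Expect) -eq $Check.Expect }
            else { [int]$actual -eq $Check.Expect }
    [pscustomobject]@{ Check = $Check.Name; Actual = $actual; Pass = $pass }
}

function Test-ProfileBatchExecution {
    # Scenario 1 replayed as a probe: drop a .bat in the profile folder and try to run it.
    # Either the write, the cmd.exe start, or the batch processing may be blocked; all count as "blocked".
    $probe = Join-Path $env:USERPROFILE 'hardening_probe.bat'
    $ran = $false
    try {
        Set-Content -Path $probe -Value '@echo PROBE_OK' -ErrorAction Stop
        $out = & cmd.exe /c $probe 2>&1 | Out-String
        $ran = $out -match 'PROBE_OK'
    } catch { $ran = $false }
    finally { Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue }
    [pscustomobject]@{ Check = 'Batch file in %USERPROFILE% cannot run'
                       Actual = $(if ($ran) { 'ran' } else { 'blocked' }); Pass = -not $ran }
}

function Test-System32Tools {
    # Recommendation 2: each tool is started with /? so it exits right after printing usage.
    # If the process never starts (AppLocker/SRP deny), $LASTEXITCODE stays $null.
    foreach ($exe in 'systeminfo.exe', 'ipconfig.exe', 'netstat.exe', 'net.exe', 'net1.exe', 'xcopy.exe') {
        $path = Join-Path $env:SystemRoot "System32\$exe"
        $global:LASTEXITCODE = $null
        try { & $path /? 2>&1 | Out-Null } catch { }
        $ran = $null -ne $LASTEXITCODE
        [pscustomobject]@{ Check = "$exe not executable by user"
                           Actual = $(if ($ran) { 'ran' } else { 'blocked' }); Pass = -not $ran }
    }
}

function Invoke-HardeningAudit {
    $results = @()
    $results += $PolicyChecks | ForEach-Object { Test-PolicyCheck -Check $_ }
    $results += Test-ProfileBatchExecution
    $results += Test-System32Tools
    $results
}

Invoke-HardeningAudit | Format-Table -AutoSize
```

Every row with Pass = False is one of the doors described in the scenarios above still standing open. Registry checks read the user hive, so run the audit in the context of the published user, not as the administrator; and since it needs PowerShell itself to run, start it from the administrator's test harness (or accept that a session where powershell.exe is blocked already passes that particular gate). The probes test effective behaviour, which is what matters when several overlapping mechanisms (Group Policy, NTFS permissions, AppLocker) are in play.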