Tools and techniques
One of the most popular ways to compromise a thick client outside of decompiling the binary is to study the traffic to and from the application. Most thick clients use some form of connection back to a database or Web service to get data. The quickest way to see what the application is doing is to sniff the traffic on the wire using a program such as WireShark.
This will reveal the type of connection that is being used and probably the database name and credentials. Using this information, the hacker can try logging directly into the database without using the client, which may reveal more functionality and access than what the client shows. However, sometimes the database password is not revealed because a challenge-response mechanism is used to protect the credentials.
If database credentials aren't observed, hackers typically try to insert themselves in the conversation to see if they can modify any of the data while in transit. The quickest way to get at protected data and functionality is to use the functions built into the client, instead of trying to reverse engineer the client's database queries.
That can be done by escalating user privileges in the application. Thick clients typically support functions for a variety of user levels. However, some of these functions are not enabled for lower-privileged roles. To determine what rights the user has, the application will query the database and then parse the response to determine what functions to allow. If they can insert themselves in the conversation and alter the database's response, they will likely end up with the full set of features enabled on the client.
Modifying the data can be done many ways, but one method that works well is to use a stream editor such as netsed. Netsed looks to match a regular expression in the data stream and replace that value with one the hacker supplies. They will be looking for obvious data points that can be identified in the stream. Items such as user names, account balances, phone numbers, Social Security numbers and others are common targets. They will then configure netsed to look for these items and replace them with other values, and then check the results to see if they were successful. Knowing what success looks like makes the rest of the assessment easier.
To combat this type of attack, many application developers turn to encrypted channels between the application and an intermediary application server for database access. Encryption makes it virtually impossible for the hacker to determine which bits to change.
SSL- and TLS-encrypted connections are the easiest ways to provide this service, but they can be bypassed with a program such as stunnel. In client mode, stunnel will listen for plain-text traffic and then forward it as SSL-encrypted traffic to a new destination. In server mode, stunnel will listen for SSL traffic and then decrypt it before forwarding the plain text.
Using two instances of stunnel -- one in each mode -- allows hackers to insert a 'window' of unencrypted plain-text traffic between the client and server, where they can sniff traffic with WireShark or alter it with netsed.
These, of course, are only brief examples of what to look for. Thick clients are used less frequently in the ever-increasing Web application world, and many companies are paying less attention to legacy applications. This adds up to opportunity for attackers. Protecting these applications by evaluating their weaknesses allows your company to better understand its true risk profile.
Royster (email@example.com) is a senior consultant and Reed (Jason.firstname.lastname@example.org) is a principal consultant at SystemExperts Corp.