Thick Client Security-Security Features ASLR, DEP & CFG Not Enabled
ASLR(Address space layout randomization) — When ASLR flag is enabled it prevents attacker from reading/exploiting the incorrect address space locations in the memory.
DEP(Data Execution Prevention) — When DEP flag is enabled it Prevents code execution from data-only memory pages such as the heap and stacks. It separates executable and non-executable memory space. When it finds malicious executable data under non-executable memory space, it terminates the execution of malicious code placed by hacker.
CFG(Control Flow Guard) — Generally programs are executed in predefined order flow. If CFG flag is not enabled then attacker can change the program execution flow and make his malicious code execute.
Steps to test
We can check these flags are enabled or not for all DLL’s & EXE files.
Step 1: Use PEsecurity tool. It is a PowerShell based command line tool, Download tool from the link : https://github.com/NetSPI/PESecurity
Step 2: Open powershell as administrator and execute the below command to change execution policy to “unrestricted” which is necessary to run PESecurity tool .
Step 3: Unzip the downloaded tool and open powershell from the same unzipped folder. Import the module with the below command.
Step 4: Now we will check whether ASLR, DEP & CFG flags are enabled or not for any one installed folder of thickclient application which has DLL’s and EXE files. In the below example screenshot ASLR, DEP & CFG flags are not enabled.
command = Get-PESecurity -directory “C:\Program Files (x86)\abcd”
Step 5: We can also use different types of commands based on requirement, for more information go through below the link. https://github.com/NetSPI/PESecurity
Step 6: By using “sysinternals tool” — “Process Explorer” we can check the status of ASLR, DEP & CFG flags for an EXE file but Process explorer can’t be used for DLL files.
Remediation: It is recommended to enable ASLR, DEP and CFG for the application at source code level.
!! Happy Learning !!