One server controlling thousands of client computers. Sound familiar? This statement is often used to describe a botnet. But, as Tom Ptacek and Dave Goldsmith of Matasano Security pointed out in their Black Hat presentation titled “Do Enterprise Management Applications Dream of Electric Sheep?”, the same statement can be used to describe enterprise management applications. These applications are developed to help network and system administrators with the tasks of configuring and managing hundreds or even thousands of client computers from a single server. This is also known as distributed systems management. Unfortunately, many of these enterprise management applications contain common vulnerabilities and weaknesses that were fixed in most other applications long ago.
Because these applications usually run on internal networks, it is tempting to think this isn’t much of an issue: they sit behind firewalls, IDS, IPS, and so on, protected from the big bad Internet. But what about the guy on the help desk who’s frustrated because he’s working nights for the fifth week in a row? He might take it upon himself to exploit one of these vulnerabilities in a management agent (the management component that runs on the client computers) and potentially take over the management server. From there, he can take over every computer on the network whose management agent reports back to the server he now controls.
Another vector is a single computer on the network with a bot installed on it, whether through a client-side vulnerability in a Web browser or by a road warrior bringing an infected laptop into the office and connecting it to the network. The bot’s controller could then use that infected computer as a springboard to compromise the rest of the internal network. As described in Wednesday's presentation, many of the vulnerabilities in these enterprise management applications are the same classes of flaw that were common in other applications’ implementations of the HTTP, FTP, and CIFS protocols years ago. This means that reliable, working exploits for similar flaws already exist and could potentially be modified to work against some enterprise management applications. And since these applications and their agent components run with high privilege levels, a successful exploit would grant the attacker full control of the affected system.