Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

  • Twitter
  • Facebook
  • LinkedIn

Three Types of Client-side Exploits

We often hear about vulnerabilities in client software, such as web browsers and email applications, that can be exploited by malicious content. The repeated stories about botnets, infected web sites, and viruses which infect us with malicious documents, movies, and other content have ingrained the concept of an exploitable client in our minds. Unfortunately, client software can also be targeted with attacks from compromised servers accessed by the clients, and some client software actually listens for connections. In this blog entry, we will discuss auditing client software for vulnerabilities and describe the three different types of client-side exploits and how they can impact the risk of your network.

Auditing Client-Side Exploits

The largest misconception I’ve encountered from security auditors who test client-side software is a focus on the operating system or application. Regardless of what scanner or patch management agent is in use, the administrators of such systems only test for items from the operating system manufacturer, such as only looking at Microsoft OS vulnerabilities. Nessus audits hundreds of different manufacturer patches and will readily identify issues in an operating system that were not shipped with the operating system. Major client-side security issues occur in well-known brands, such as Adobe, Firefox, and Apple, but also lesser known and less expected sources, such as McAfee, Symantec, and open source security tools such as Secure Shell.

The solution is to perform a complete patch audit of a scanned system. Nessus has the ability to detect thousands of client-side vulnerabilities in software installed from sources other than the base operating system. In lieu of performing a full patch audit, passive network monitoring with the Passive Vulnerability Scanner will identify client vulnerabilities based on DNS lookups, web queries, dedicated client protocols, and analysis of unencrypted conversations over FTP, SMTP, IMAP, SMB, and many others.

Type 1 - Traditional Client-side Exploits

There has been a lot of coverage of client-side exploits being used to create botnets and target specific organizations via a combination of social engineering and content with malicious payloads. These exploits target browsers, browser plugins, and email clients. Today, there is a fine line between email and web applications since many email applications share libraries when viewing emails that have been formatted with HTML content. We won’t spend any more time on this type of client-side exploit since this is the most commonly known type.

Type 2 – Clients with Exposed Services

Many types of client software will actually open up a socket and run a service that communicates on the network. From the perspective of a penetration tester or a vulnerability scanner, it really doesn’t make any difference if a piece of software is acting as a client for a user or if it is focused on serving data. If it has a socket open on the network and connections can be made to it, it may be exploitable. If the host is directly connected to the Internet or to mobile broadband networks and it does not have a firewall, it may be attacked directly without any need for user interaction such as opening an email.

When a Nessus vulnerability scan is configured without credentials, by default, Nessus will conduct scans for all vulnerable services, be they from traditional servers or services opened by client software. Within Nessus 5, this can be refined further within your scan policy by adding a filter for a “plugin type” of “remote” as compared to a credentialed “local” check. Combinations can be further added to target specific classes of software. For example, in the screen shot below, I created a filter to select plugins that identify vulnerable iTunes software with remote Nessus checks.


Type 3 – Clients Exposed to Hostile Servers

This type of client exploit may seem very similar to our first type, but the differentiation is that the server isn’t hosting hostile data –- the server itself can be manipulated to attack a client directly.

A classic example is CVE-2005-0467, which identifies a vulnerability in the PuTTY SSH and SCP clients that can be exploited by a malicious SSH server to execute code on connecting host. An example Nessus plugin that detects this is the credentialed Gentoo local check plugin.

Vulnerabilities like this can be used to hop through firewalls in a much more direct manner than by attempting to compromise an administrator’s system with some sort of Internet-based social engineering exploit. For example, let’s say you have a host in a DMZ which can be compromised from the Internet or Intranet, yet all administration to this system is performed through a one-way firewall. If the administrative access to the DMZ systems is allowed from an internal network and there is vulnerable client software in use, a DMZ server under control of an attacker could modify the service to conduct attacks against the client.

I’ve highlighted some example vulnerabilities detected by Nessus that could be used to run code from a maliciously controlled server:

Code execution in FTP clients:
21565 FileZilla FTP Client Unspecified Overflow

Code execution in SSH clients:
37021 FreeBSD : putty -- buffer overflow vulnerability in ssh2 support (19518d22-2d05-11d9-8943-0050fc56d258)

Code execution in SNMP clients:
38099 USN-685-1 : net-snmp vulnerabilities

Code execution in web clients:
49102 USN-982-1 : wget vulnerability
45133 Firefox < 3.6.2 Multiple Vulnerabilities
51162 MS10-090: Cumulative Security Update for Internet Explorer (2416400)

Tenable customers who use the Passive Vulnerability Scanner and SecurityCenter can leverage the trust relationships found through network analysis in order to identify all of the client IP addresses from which a server might accept connections. For example, in the screen shot below, I’ve added a view of a SecurityCenter Detailed Vulnerability Report about a trust relationship between and on port 22.


In this case, is the server and has been observed to receive connections from on port 22. This information is useful to SecurityCenter users because it can be used to create a dynamic asset list of all clients that access This information is called a Dynamic Asset List. Lists such as this can be used within SecurityCenter to create dashboards, alerts, and reports about any type of security issues with clients that have access to sensitive servers.


The three types of client-side exploits described here can be detected with credentialed Nessus auditing, some uncredentialed Nessus scans, and by monitoring traffic in real time with the Passive Vulnerability Scanner. If you can’t patch all of your client vulnerabilities in a timely manner and have to perform a risk analysis in order to prioritize, knowing how the client software is used and what type of exploits it may be exposed to can help you rank which issues you need to mitigate first.


Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.