BlueHat 2024: S07: DCOM Research for Everyone!

BlueHat 2024: Session 07: DCOM Research for Everyone! Presented by James Forshaw from Google

Abstract: For almost 10 years I've been writing a tool, OleView.NET, to aid in the analysis of Windows' COM attack surface for privilege escalation and remote code execution. What started as a merger of the SDK's OleView and Test Container GUIs expanded into an all-purpose security research tool, adding support for Windows Runtime classes, security descriptor analysis, and process parsing, along with a PowerShell interface to augment the GUI.

The final important piece of the tool's functionality, the ability to call arbitrary COM interfaces at runtime without prior knowledge, was missing. This is crucial as it allows a researcher to not only inspect what COM services are registered but directly interact with them. While calling methods on a COM object was always supported for OLE Automation interfaces, for which the .NET Framework has good support, most of the interesting interfaces such as those exposed by privileged services do not just give you the information necessary to call them.

This presentation is about the research and implementation of this feature. It leverages the fact that almost all COM interfaces that can be called across process boundaries have registered proxies, which can be analyzed to extract their marshaling information. That information can then be used to reimplement a client. Of course, nothing is that simple; I'll describe many of the challenges that had to be overcome during the research and implementation, some of the false starts, and some of the interesting security issues that came out of the work. I'll also demo the tooling so that attendees can understand how to use it for their own research.