Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

BSides Iowa 2018: Windows COM: Red vs Blue

364 vues

Publié le

Presentation at BSides Iowa 2018 discussing the background of Windows COM, red team value of Windows COM, and how blue teams can also use this knowledge.

Publié dans : Technologie
  • Identifiez-vous pour voir les commentaires

  • Soyez le premier à aimer ceci

BSides Iowa 2018: Windows COM: Red vs Blue

  1. 1. BSIDES IOWA 2018 ANDREW FREEBORN WINDOWS COM:
 RED VS BLUE
  2. 2. NEW PHONE; WHO DIS ▸IT Internal Audit Manager, Red Team at ACI Worldwide ▸Previously: Red Team, Pen Tester, IT ▸@maendarb ▸https://vivirytech.blogspot.com ▸There will be pictures, minimal C++
  3. 3. AGENDA ▸COM background ▸Red: COM exploitation ▸Blue: COM defense
  4. 4. SURPRISE, C++ https://blogs.msdn.microsoft.com/oldnewthing/20040205-00/?p=40733
  5. 5. WHAT’S THIS WINDOWS COM THING? ▸ Stands for “Component Object Model” ▸ Designed in the 90s to be interoperable, portable ▸ It’s old; great books aren’t digital ▸ Not a “Shell” like CMD or PowerShell ▸ “Like” .NET and WMI ▸ Why am I so interested in this?
  6. 6. WHAT’S THIS WINDOWS COM THING? RULE #1: WE DON’T SPEAK ABOUT COM ▸ Used everywhere in Windows ▸ When a user copies files, embeds Excel within Word ▸ It’s abstracted away with GUIs, .Net, APIs, and no one acknowledges that COM objects are being used
  7. 7. COM BACKGROUND: COM LIVES EVERYWHERE ▸ Obligatory COM history ▸ Precursor to .NET ▸ Meant to solve problems with developers like DLLs ▸ There’s so many COM objects and won’t go away ▸ OLE and ActiveX fit in here ▸ OLE (Object Linking and Embedding) lets you embed things (e.g. Excel sheet inside Word) ▸ ActiveX lets Internet Explorer make bad life choices
  8. 8. COM BACKGROUND: COM ON PAPER IS SUPER EASY TO WORK WITH ▸ Access COM things thru interfaces and objects ▸ Scripting.FileSystemObject ▸ IPersist ▸ IFileOperation ▸ WScript.Shell http://compinfopro.com/enable-remote-desktop-enable-rdp/
  9. 9. COM BACKGROUND: COM MAKES YOU WORK FOR IT ▸ COM is a hot mess
  10. 10. COM BACKGROUND: ITS LIKE COM MAKES UP THE RULES AS IT GOES ALONG ▸ COM is a hot mess and can live in: ▸ Windows Registry ▸ Windows made a special registry hive ▸ HKCR (HKEY_Classes_Root) ▸ Combines HKLM and HKCU ▸ Threading / InProcServer32
 ▸ Manifest files (COM scriptlets; Registration free too!)
  11. 11. COM BACKGROUND: COM MAKES YOU WORK FOR IT ▸ WScript.Shell demo
  12. 12. COM BACKGROUND: COM+ ZeroSum tweeted about a COM+ scriptlet, but how would you know it’s COM+ and not COM?
  13. 13. COM BACKGROUND: COM+ SCRIPTLET? (MOST LIKELY IT WAS JUST COM) ▸ Scriptlets come in both COM and COM+ flavors ▸ They allow you to have COM scripts to do non- malicious things like open calculator and cmd shells ▸ Did you know you can create COM objects from a Java class? Good thing no one has a JRE installed. https://msdn.microsoft.com/en-us/library/ms524620(v=vs.90).aspx
  14. 14. HAX: REGSVR32 /S /N /U /I:BACKDOOR-MINIMALIST.SCT SCROBJ.DLL ▸ subTee example: COM manifest file ▸ Demo! https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
  15. 15. COM BACKGROUND: BREAKING DOWN THAT REGSVR32 HAX ▸ regsvr32 is used to register many things in the registry ▸ /s runs it silently, /n says to not call DllRegisterServer ▸ /u specifies which COM server to uninstall ▸ /i calls DllInstall of the COM object to register ▸ Can be pointed to a file on your system ▸ Can be a URL (http: COM moniker) ▸ Could even be a Java class (java: COM moniker) ▸ scrobj.dll makes the magic go http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
  16. 16. COM BACKGROUND: COM+ ▸ COM+ meant to solve the problems in COM like: ▸ Quickly implement common configurations for COM components like security boundaries ▸ Load DLLs into processes on demand ▸ Managed methods to manage COM components ▸ Multi-pass… err.. threading ▸ Slick GUI https://msdn.microsoft.com/en-us/library/windows/desktop/ms683512(v=vs.85).aspx
  17. 17. COM BACKGROUND: COM+ ▸ COM+ also came with rad icons in the GUI ▸ Demo! https://msdn.microsoft.com/en-us/library/windows/desktop/ms683512(v=vs.85).aspx
  18. 18. COM BACKGROUND: DCOM ▸ DCOM is “Distributed COM” ▸ “Helps you” in COM and COM+ with distributed transactions ▸ Slings COM object data typically with RPC ▸ Likes to make assumptions you know what you’re doing with security and marshaling data ▸ James Forshaw and Matt Nelson have been finding problems with Windows and apps marshaling data ▸ DCOM lateral movement script (enigma0x3)
 https://github.com/rvrsh3ll/Misc-Powershell-Scripts/ blob/master/Invoke-DCOM.ps1
  19. 19. COM BACKGROUND: .NET TO COM (BECAUSE LEGACY APPS AND SADNESS) ▸ .NET can work with COM for interoperability ▸ “The Runtime Callable Wrapper (RCW) is a mechanism that promotes transparent communication between COM and the managed programming model.” https://msdn.microsoft.com/en-us/library/office/bb610378.aspx
  20. 20. COM BACKGROUND: BREAKING DOWN THAT SWEET RCW GOODNESS ▸ This is what PowerShell uses to call into COM objects https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/ ComInterop/ComObject.cs
  21. 21. COM BACKGROUND: COM TO .NET (BUT WHY WOULD YOU DO THIS) ▸ COM can work with .Net thru COM Callable Wrappers ▸ “When a COM client calls a .NET object, the common language runtime creates the managed object and a COM callable wrapper (CCW) for the object. Unable to reference a .NET object directly, COM clients use the CCW as a proxy for the managed object.” https://msdn.microsoft.com/en-us/library/f07c8z1c(v=vs.85).aspx
  22. 22. COM BACKGROUND: DEEP TECHNICAL DETAIL OF THAT MAGIC ▸ James Forshaw talked about .Net and COM interoperability at DerbyCon 2017 ▸ IronGeek Link: ig2.me/pZ
  23. 23. COM BACKGROUND: THE DEEPER YOU GO, THE MORE C/C++ YOU’LL KNOW ▸ To dig in more, you’re going to have to know C, C++ https://blogs.msdn.microsoft.com/oldnewthing/20040205-00/?p=40733
  24. 24. COM EXPLOITATION: KNOWING THE C++ STORY CAN BE HELPFUL ▸ QueryInterface is how you query… for interfaces ▸ This is how you figure out what interfaces are available to you ▸ AddRef / Release may be important to you eventually ▸ Important if you want to partake in bug bounties :) ▸ This dictates the object lifetime by reference count ▸ Abusing the reference count introduces other avenues of attack (cough Use After Free) ▸ If open redirects are still around, we should fix those first
 https://blog.zsec.uk/cve-2017-3528/
  25. 25. COM EXPLOITATION: USE AFTER FREE HAS ALWAYS BEEN AN ISSUE ▸ Raymond Chen talked about this in 2004
 
 
 ▸ Exploit DB has stuff on AddRef being misused https://blogs.msdn.microsoft.com/oldnewthing/20040406-00/?p=39903 https://www.exploit-db.com/exploits/41042/
  26. 26. COM EXPLOITATION: COM, THE NEVER-ENDING STRUGGLE BUS ▸ Microsoft is still fixing COM related issues ▸ CVE-2018-0880/0882 ; Forshaw - A Bridge Too Far ▸ Researched by Haifei Li, Mark Dowd, James Forshaw ▸ Links posted on https://vivirytech.blogspot.com ▸ COM has a reoccurring theme at conferences forgotten/“rediscovered”, but still broke (lulz) ▸ Kinda like Adobe issues, right?
  27. 27. COM EXPLOITATION: WHAT ARE FUN WAYS COM HAS BEEN EXPLOITED? ▸ How is COM exploited? ▸ UACMe
 
 ▸ James Forshaw
 
 ▸ Casey Smith
 
 ▸ Matt Nelson
  28. 28. COM EXPLOITATION: WHAT TOOLS CAN I USE TO LEARN MORE? ALL FREE! ▸ Microsoft Process Explorer ▸ Find medium to high integrity attack paths ▸ ReactOS ▸ James Forshaw OleViewDotNet (github.com/tyranid/oleviewdotnet) ▸ See the COM goodies in Windows ▸ Find new unexplored attack COM paths!
  29. 29. WINDOWS COM, MICROSOFT’S GIFT TO THE RED TEAM ▸ Holy attack surface Batman! Thanks OleViewDotNet! ▸ 3,592 ways to see if you can discover a new attack path
  30. 30. WHAT HAPPENS WHEN I PRESS THIS BUTTON? ▸ Hey kid, wanna crash something? (this can peg your CPU) ▸ Watch with Process Monitor for potential attack paths
 https://github.com/FuzzySecurity/DefCon25 fondue.exe may be a privilege escalation path
  31. 31. WE NEED THE BLUE TEAM, AND THEY NEED US ▸ There’s a lot of fun things that leverage COM ▸ ZeroSum’s Koadic: COM C&C ▸ MITRE’s ATT&CK framework ▸ @SubTee tweets (seriously) ▸ We need to use their research to our gain ▸ Run things like Squiblydoo to see EDR response ▸ Work with the product groups and blue team ▸ See how these products trigger IOCs and act
  32. 32. BLUE TEAM FUN! ▸ Are you running Windows 10 RS4 / Windows Server 2016? ▸ SpecterOps Device Guard configs / guide ▸ Are you doing PowerShell cmdline audit AND reviewing? ▸ Users probably don’t run PowerShell, if they do, use v5+ ▸ Pick up on keywords like, “-COMObject” ▸ Do you really need wscript and cscript enabled? ▸ It can be done, ask @fpieces, he’s done it ▸ Deters attacks leveraging DotNetToJScript ▸ Investigate the potential of SysMon and Project VAST
  33. 33. ITS ALMOST TIME TO GO, LETS REVIEW QUICKLY ▸ COM is everywhere as it was ~20 years ago ▸ Lots of things not covered like “TreatAs” and monikers ▸ Many “exploits” are just abusing design decisions ▸ More research and community made tools will (most likely) bring to light more COM exploits and wreckage ▸ Other organizations also add their own COM objects ▸ Sad face:
  34. 34. LEARN MORE AND CONTACT ME BELOW ▸ For more info about COM: ▸ https://vivirytech.blogspot.com ▸ @maendarb ▸ Slack: https://omasec.herokuapp.com

×