Professional Documents
Culture Documents
Us 21 Exploiting Windows COMWinRT Services
Us 21 Exploiting Windows COMWinRT Services
XueFeng Li of Sangfor
Dr. Zhiniang Peng of Sangfor
C:\> whoarewe
- Xuefeng Li
- Zhiniang Peng
Dr. Zhiniang Peng (@edwardzpeng) is the Principal Security Researcher at Sangfor. His
current research areas include applied cryptography, software security and threat
hunting. He has more than 10 years of experience in both offensive and defensive
security and published many research in both academia and industry.
Agenda
1. Basic of COM
5. Conclusion
01
Basic Of COM
What is COM(Component Object Model)?
Provider
Provider
Invoker Provider
COM Object Framework
➢ Thread Safety
For Client
For Server
Process Thread
…
STA0 STA1 STA2 STAN
…
STA: Single Room
MTA: Dormitory
NA: Activity Room
Reference from: “Understanding and Using COM Threading Model”
Thread Models of COM Object
• Both Thread Model (Both, support the STA,MTA,NA apartments)There may be thread safety issues
https://docs.microsoft.com/en-us/windows/win32/cossdk/threading-model-attribute
Thread Models and Apartment Models
• Method calls to COM objects in the same apartment are made directly.
• Method calls made across apartments are achieved via marshalling.
process
COM Runtime
…
Worker Threads STA0
Queue
STA 0~N
Listen Thread
Create
Create Dispatch message
COM Object
…
Worker Threads
MTA NA
…
Worker Threads
DCOM Activator
RPCSS
Runtime Broker
Runtime Broker
Crash
CVE-2020-1404 - Exploitation All the HSTRING need to be large enough to avoid LFH
Free HSTRING 2
GAP GAP
rewrite
Buffer Pointer Arbitrary Address
Real Buffer
☹ Hard to Exploit such Race Condition UAF bugs stably, it’s easy to cause the crash, but you can keep
trying until you succeed
Win Race Condition to get Out-Of-Bound Writing
ISearchRoot->put_Schedule copies
user-controlled buffer into ISearchRoot
Object.
Call ISearchRoot->put_Schedule in
the time window between the upper
and lower codes to rewrite buffer
Pointer size
Vulnerable function
CVE-2020-1011 - Root Cause Analysis
Custom implementation
Fake vftable
Require a Info leak for exploitation(x64 system)
✗ Heap spray
✓ Info leak
⚫ Require a Info leak bug to leak where our fake objects locates
04
From Out-Of-Bound Writing to Arbitrary Reading/Writing
object1
[…] […]
[…] […]
Forge Fake vftable to Get Code Execution
QueryInterface
Using Write-What-Where
IWalletCustomProperty vftable to forge a fake vftable Addref
[…] Release
[…] dxgi.dll!
ATL::CComObject<CDXGIAdapter>
Fake vftable ::`vector deleting
destructor'
Fake Contents
IWalletCustomProperty vftable
dxgi.dll!ATL::CComObject<CDXGIAdapter>::`vector deleting destructor’
will call LoadLibraryEx and take a global pointer as the Dll path
[…] which could allow us to load arbitrary dll.
[…]
https://googleprojectzero.blogspot.com/2018/11/injecting-code-into-windows-protected.html
Abusing CRemoteUnknown::DoCallback to get RIP control
Server Secret
Abusing CRemoteUnknown::DoCallback to get RIP control
Critical Corpus for exploitation:
➢ What we have:
➢ What we need:
Flags Reference
Return OBJREF buffer
Parsing OBJREF buffer Object Exporter ID (OXID)
Get IUnknown object
proxy Object ID (OID)
Binding information
Getting a IRundown object proxy from local server
Object address
Object IPID
Object IID
Point pCallbackData->pParam to user-controllable string
CoMarshalInterface
Compare IPID
⚫ COM/WinRT still has a large attack surface for LPE bugs hunting.
Q&A
Any Questions?