myhack58 Anonymous MYHACK58:62201786246
History: May 19, 2017 - 12:00 a.m.

How to use .NET managed DCOM to achieve elevation of privilege - vulnerability warning - the black bar safety net

2017-05-19 00:00:00
Anonymous
www.myhack58.com

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.598 Medium
Percentile: 97.4%

Vulnerabilities that affect an interoperability technology are an interesting class of security issue, because they typically affect any application that uses the technology, regardless of what the application actually does. Likewise, it is often hard for developers to introduce mitigations without giving up the technology, and sometimes that is not possible at all.
I found such a vulnerability in the .NET Component Object Model (COM) interoperability layer, which makes .NET inherently unsafe for Distributed COM (DCOM) across privilege boundaries. This article describes some of the ways this can be abused, first to gain elevated privileges and then for remote code execution.
Background knowledge
Anyone who reviews the history of .NET will know that much of its early foundation was an attempt to build a better version of COM. This led Microsoft to focus on ensuring that, although .NET itself might not be COM, it had to interoperate with COM. Therefore .NET can be used both to implement and to consume COM objects. For example, instead of calling QueryInterface on a COM object, you simply cast the object to the compatible COM interface. Implementing an in-process COM server in C# is very simple, as shown below:
![](/Article/UploadPic/2017-5/20175195140252.png?www.myhack58.com)
A client can now connect to the COM server using the CLSID defined by the Guid attribute on the COM class. This is straightforward because a large number of the .NET core classes are marked COM-visible and registered, so they are available to any COM client, even one not written in .NET.
![](/Article/UploadPic/2017-5/20175195140522.png?www.myhack58.com)
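The two screenshots above are not reproduced in this copy. As an added illustration, not code from the original article, here is the shape of a minimal in-process COM server in C# together with the client-side call the text describes. The IGreeter/Greeter names and both GUIDs are constructed for this example; regasm.exe /codebase is the standard registration step for a .NET COM server and is only needed because the client goes through CoCreateInstance.

```csharp
using System;
using System.Runtime.InteropServices;

// Interface exported to COM. InterfaceIsDual means it derives from IDispatch
// and also gets a vtable, so both late-bound and early-bound clients can call it.
// (Constructed example; the IID below is a sample value.)
[ComVisible(true)]
[Guid("3e3a3f2e-1c51-4d26-9d1f-5b2b0c8a9e01")]
[InterfaceType(ComInterfaceType.InterfaceIsDual)]
public interface IGreeter
{
    string Greet(string name);
}

// The coclass. The Guid attribute is the CLSID a client uses to create it.
// ClassInterfaceType.None exports only IGreeter, not a generated class interface.
// (Constructed example; the CLSID below is a sample value.)
[ComVisible(true)]
[Guid("7b1d9c0a-8e4f-4b21-a6c3-2f0e5d7a9b02")]
[ClassInterface(ClassInterfaceType.None)]
public class Greeter : IGreeter
{
    public string Greet(string name) => "Hello, " + name;
}

public static class Client
{
    // A client creates the server by CLSID. Behind this call is CoCreateInstance,
    // so the assembly must first be registered: regasm.exe /codebase Greeter.dll
    public static string CallServer(Guid clsid)
    {
        Type serverType = Type.GetTypeFromCLSID(clsid, throwOnError: true);
        object server = Activator.CreateInstance(serverType);

        // Casting to IGreeter is the "projection onto a compatible COM interface"
        // described above; the runtime issues QueryInterface on our behalf.
        IGreeter greeter = (IGreeter)server;
        return greeter.Greet("COM client");
    }

    public static void Main()
    {
        Console.WriteLine(CallServer(new Guid("7b1d9c0a-8e4f-4b21-a6c3-2f0e5d7a9b02")));
    }
}
```

Note that the client never sees the CCW directly: the cast hides both QueryInterface and the wrapper, which is exactly the boilerplate the runtime removes from the developer's view.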
To make all this work, the .NET runtime hides a lot of boilerplate from the developer. There are a few mechanisms that let you influence this interop model, such as the InterfaceType attribute, which defines whether a COM interface derives from IUnknown or IDispatch, but in most cases you get what you are given.
What developers may not realise is that it is not only the interfaces you specify that get exported from a .NET COM object: the runtime also adds some "management" interfaces. These interfaces are implemented by wrapping the .NET object in a COM Callable Wrapper (CCW).
![](/Article/UploadPic/2017-5/20175195140548.png?www.myhack58.com)
We can enumerate the interfaces a CCW exposes. Taking System.Object as an example, the following table shows the supported interfaces and whether each one is implemented dynamically at runtime or statically inside the runtime.
![](/Article/UploadPic/2017-5/20175195140789.png?www.myhack58.com)
The _Object interface is the COM-visible representation of the System.Object class, the root of all .NET objects. It must be generated dynamically, because it depends on the .NET object being exposed. IManagedObject, on the other hand, is implemented by the runtime itself and is shared by all CCWs.
I first started looking at the COM attack surface exposed by .NET in early 2013, while researching Internet Explorer sandbox escapes. One of the COM objects accessible from outside the sandbox was the .NET ClickOnce deployment broker application, which, unsurprisingly, was itself implemented in .NET. I actually found two issues, not in the broker itself but in the _Object interface exposed by every .NET COM object. The _Object interface is shown below in C++.
![](/Article/UploadPic/2017-5/20175195140833.png?www.myhack58.com)
The first bug, which led to CVE-2014-0257, was in the GetType method. This method returns a COM object that can be used to access the .NET reflection APIs. Since the returned _Type COM object runs in the server, a chain of method calls can reach Process.Start, which can then be invoked to escape the sandbox. For more details, see the PoC I wrote and put on GitHub. Microsoft solved this by blocking access to the reflection APIs over DCOM.
The second issue is more subtle and is probably a by-product of .NET interop features whose security risks no one considered. Loading the .NET runtime requires quite a lot of additional resources, so when a native COM client calls a method on a .NET COM server, the default is to let COM handle the communication with the CCW, even though this hurts performance. Microsoft could have chosen to use COM marshaling to force the .NET runtime to load in the client, but that seems excessive, not to mention that the client might not even have a compatible .NET version installed.
When .NET interacts with a COM object, it creates the reverse of a CCW: a Runtime Callable Wrapper (RCW). This is a .NET object that implements the runtime's version of the COM interfaces and marshals calls through to the COM object. Now, that COM object might itself be written in .NET, possibly even living in the same application domain. If .NET did nothing about this, performance could suffer twice over: an RCW in the managed world invoking a COM object that is actually a CCW around a managed object.
![](/Article/UploadPic/2017-5/20175195140334.png?www.myhack58.com)
It would be very convenient to "unwrap" the managed object from the CCW and get hold of the real .NET object. This is where the mischief comes in: the IManagedObject interface, shown below:
![](/Article/UploadPic/2017-5/20175195140686.png?www.myhack58.com)
When the .NET runtime obtains a COM object, it goes through a process to determine whether it can "unwrap" the object from its CCW and avoid creating an RCW for it. The process is documented, but in summary the runtime performs the following steps:
1. Call QueryInterface on the COM object to determine whether it implements the IManagedObject interface. If it does not, return a normal RCW.
2. Call GetObjectIdentity on the interface. If the returned GUID matches the per-runtime GUID generated at runtime startup, and the AppDomain ID matches the current AppDomain ID, the runtime looks the CCW up in its table, extracts the pointer to the real managed object and returns it.
3. Call GetSerializedBuffer on the interface. The runtime checks whether the .NET object is serializable; if it is, it passes the object to BinaryFormatter::Serialize and packs the result into a BSTR. This is returned to the client, which then tries to deserialize the buffer into an object instance by calling BinaryFormatter::Deserialize.
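The decision in steps 1 to 3 can be inspected from the server side, which is useful when reviewing which of a service's COM-exposed types would have their state serialized across a process or AppDomain boundary. The following C# is an added example, not code from the original article: it asks a managed object's CCW whether it answers QueryInterface for IManagedObject (IID taken from mscoree.h in the Windows SDK) and IDispatch, and combines that with Type.IsSerializable to report which path a .NET client in another runtime would take (a plain RCW, or marshal-by-value through BinaryFormatter). The Account type and its CLSID are constructed, and the code targets the .NET Framework, whose CCWs implement IManagedObject.

```csharp
using System;
using System.Runtime.InteropServices;

// Constructed sample type: COM-visible and, importantly, [Serializable].
// The CLSID is a sample value.
[ComVisible(true)]
[Guid("9d6f1b3c-2a7e-4c58-b0e1-6f3d8a2c4e10")]
[Serializable]
public class Account
{
    public string Owner = "sample";
    public decimal Balance = 0m;
}

public static class CcwAudit
{
    // IIDs from the Windows SDK headers (mscoree.h for IManagedObject, oaidl.h for IDispatch).
    public static readonly Guid IID_IManagedObject = new Guid("C3FCC19E-A970-11D2-8B5A-00A0C9B7C9C4");
    public static readonly Guid IID_IDispatch = new Guid("00020400-0000-0000-C000-000000000046");

    // True if the object's CCW answers QueryInterface for the given IID.
    // GetIUnknownForObject creates (or reuses) the CCW for the managed object.
    public static bool Exposes(object managed, Guid iid)
    {
        IntPtr unk = Marshal.GetIUnknownForObject(managed);
        try
        {
            int hr = Marshal.QueryInterface(unk, ref iid, out IntPtr ppv);
            if (hr != 0)
                return false;
            Marshal.Release(ppv);
            return true;
        }
        finally
        {
            Marshal.Release(unk);
        }
    }

    // Reports which of the three outcomes described above applies to a .NET client
    // that is NOT in the same runtime/AppDomain (so step 2, the unwrap, cannot succeed).
    public static string Report(object managed)
    {
        Type t = managed.GetType();
        bool hasIManagedObject = Exposes(managed, IID_IManagedObject);
        bool hasIDispatch = Exposes(managed, IID_IDispatch);
        bool serializable = t.IsSerializable;

        string outcome;
        if (!hasIManagedObject)
            outcome = "step 1 fails: client gets an ordinary RCW";
        else if (serializable)
            outcome = "step 3: state is serialized with BinaryFormatter and rebuilt by value in the client";
        else
            outcome = "step 3 declines (not [Serializable]): client falls back to an RCW";

        return $"{t.FullName}: IDispatch={hasIDispatch} IManagedObject={hasIManagedObject} " +
               $"Serializable={serializable} -> {outcome}";
    }

    public static void Main()
    {
        Console.WriteLine(Report(new Account()));
        Console.WriteLine(Report(new object()));
    }
}
```

Run against a real COM-exposed service, the types that report the step 3 outcome are the ones whose BinaryFormatter payloads cross the boundary; a reviewer would expect each of those to be marked [Serializable] deliberately rather than by habit, since that attribute, not the ComVisible one, is what selects the by-value path.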

