How to Exploit RPC Vulnerabilities, Part 1 - Vulnerability Alert - 黑吧安全网 (myhack58)

ID MYHACK58:62201892331
Type myhack58
Reporter Anonymous (佚名)
Modified 2018-12-10T00:00:00


1. Foreword

In late August 2018, the researcher SandboxEscaper published a Windows local privilege escalation 0-day. Less than two weeks after it became public, the vulnerability was already being used in malware attacks, as reported in an article published by ESET. The release caused a certain amount of turmoil in the InfoSec community and put FortiGuard Labs on alert. FortiGuard Labs believes that understanding how this kind of attack works is important, because it can help other researchers find vulnerabilities similar to the one SandboxEscaper found in the Windows Task Scheduler. In this article we share how symbolic links can be abused against an RPC server to gain elevated privileges.

It turns out that the Windows Task Scheduler exposes the vulnerable functionality through an RPC (Remote Procedure Call) API served by an RPC server. On Windows, most RPC servers are hosted in system processes running with Local System privileges, and low-privileged RPC clients interact with those servers. Like any other software, these RPC servers can contain vulnerabilities: denial of service, memory corruption, logic errors, and so on. In other words, any vulnerability in an RPC server gives an attacker something to work with.

One reason this 0-day drew so much attention is that the underlying exploit is very simple. It is a program logic flaw, and with the right tools and techniques such flaws are relatively easy to find. Attackers frequently use symbolic links to turn this kind of privilege escalation flaw into unauthorized access to a file or directory, which lets an ordinary user gain elevated privileges. Readers interested in this topic can refer to the many resources on symbolic link attacks shared by James Forshaw of Google Project Zero.

2. RPC server runtime and static analysis

When entering a new research area, it is best to check online for an existing open source tool before developing your own. Fortunately, the Microsoft RPC protocol is very well known, and over the past ten years researchers have done a lot of excellent reverse engineering work on it. One result of that work is RpcView, an open source tool that conveniently identifies the RPC services running on a Windows system. It is my favourite RPC tool and has many powerful features, such as searching by RPC interface UUID (Universally Unique Identifier) or by interface name. However, our goal was to decompile all of the RPC information at once and export it to a text file, and the tool did not meet that requirement out of the box. After reading the source code we found that the developers had already implemented the functionality we wanted, but it is disabled by default and can only be triggered in debug mode through a command-line parameter. Given that limitation, we chose to integrate the existing DecompileAllInterfaces function into the RpcView GUI. If you want to use this feature, you can download our customised RpcView from our GitHub page. Figure 1 shows what the "decompile all interfaces" function gives you.

Figure 1. RpcView decompiling all interfaces

When analysing the behaviour of an RPC server, we always go through the RPC interface to call the APIs the server exposes. We can interact with the RPC server by sending it RPC requests from an RPC client, and then observe the server's behaviour with the Process Monitor tool from SysInternals. In my opinion, writing a script is more convenient than developing a C/C++ RPC client, because the script needs no compilation step and saves time. We chose to use the PythonForWindows library.
This library abstracts the Windows API in a Pythonic way on top of Python's ctypes module. It also contains an RPC library with convenient wrapper functions that save us the time of developing our own RPC client. By contrast, a typical RPC client program needs an Interface Definition Language (IDL) definition and a manually implemented binding operation, which usually involves some C++ code. The two listings below show clearly how an RPC client implemented in a scripting language differs from one implemented in a compiled language:

```python
import sys
import ctypes
import windows.rpc
import windows.generated_def as gdef
from windows.rpc import ndr

# Interface UUID of the Storage Service (StorSvc) RPC server
StorSvc_UUID = r"BE7F785E-0E3A-4AB7-91DE-7E46E443BE29"


class SvcSetStorageSettingsParameters(ndr.NdrParameters):
    # NDR layout of the call's parameters: short, long, short, long
    MEMBERS = [ndr.NdrShort, ndr.NdrLong, ndr.NdrShort, ndr.NdrLong]


def SvcSetStorageSettings():
    print("[+] Connecting....")
    # Locate the interface's ALPC endpoint and connect to it
    client = windows.rpc.find_alpc_endpoint_and_connect(StorSvc_UUID, (0, 0))
    print("[+] Binding....")
    iid = client.bind(StorSvc_UUID, (0, 0))
    # Marshal the parameters into an NDR request buffer
    params = SvcSetStorageSettingsParameters.pack([0, 1, 2, 0x77])
    print("[+] Calling SvcSetStorageSettings")
    # Opnum 0xb is SvcSetStorageSettings on this interface
    result = client.call(iid, 0xb, params)
    if len(str(result)) > 0:
        print(" [*] Call executed successfully!")
        # The reply carries a single NDR long: the call's return code
        stream = ndr.NdrStream(result)
        res = ndr.NdrLong.unpack(stream)
        if res == 0:
            print(" [*] Success")
        else:
            print(" [*] Failed")


if __name__ == "__main__":
    SvcSetStorageSettings()
```

Code 1. SvcSetStorageSettings RPC client developed with PythonForWindows

```cpp
#include <windows.h>
#include <rpc.h>

RPC_STATUS CreateBindingHandle(RPC_BINDING_HANDLE binding_handle)
{
    RPC_STATUS status;
    RPC_BINDING_HANDLE v5;
    RPC_SECURITY_QOS SecurityQOS = {};
    RPC_WSTR StringBinding = nullptr;
    RPC_BINDING_HANDLE Binding;

    StringBinding = 0;
    Binding = 0;
    // Compose a string binding for the StorSvc interface over the local ALPC transport (ncalrpc)
    status = RpcStringBindingComposeW(L"BE7F785E-0E3A-4AB7-91DE-7E46E443BE29", L"ncalrpc",
                                      nullptr, nullptr, nullptr, &StringBinding);
    if (status == RPC_S_OK)
    {
        status = RpcBindingFromStringBindingW(StringBinding, &Binding);
        RpcStringFreeW(&StringBinding);
        if (!status)
        {
            SecurityQOS.Version = 1;
            SecurityQOS.ImpersonationType = RPC_C_IMP_LEVEL_IMPERSONATE;
            SecurityQOS.Capabilities = RPC_C_QOS_CAPABILITIES_DEFAULT;
            SecurityQOS.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC;
            // 6u is RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 0xAu is RPC_C_AUTHN_WINNT
            status = RpcBindingSetAuthInfoExW(Binding, 0, 6u, 0xAu, 0, 0, (RPC_SECURITY_QOS*)&SecurityQOS);
            // (the article's listing continues on its next page)
        }
    }
    return status;
}
```
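To make concrete what `SvcSetStorageSettingsParameters.pack([0, 1, 2, 0x77])` actually puts into the request buffer, here is a small NDR marshaller written for this article. It is not code from the original post and not PythonForWindows' `ndr` module; it assumes the NDR rule that each fixed-size primitive is little-endian and aligned to its own size, so a `long` following a `short` gets two bytes of padding. It packs the four parameters, unpacks them again, and decodes the single long the server returns the way the script above does. The class and function names are mine, and the sample reply bytes are constructed.

```python
import struct
from typing import List, Sequence, Type


class NdrPrimitive:
    """Base for NDR fixed-size integer primitives (little-endian)."""
    size = 0   # byte width, which is also the natural alignment
    fmt = ""   # struct format character

    @classmethod
    def pack(cls, buf: bytearray, value: int) -> None:
        # Assumption (NDR alignment rule): pad with zero bytes up to the
        # primitive's natural alignment before writing it.
        buf.extend(b"\x00" * ((-len(buf)) % cls.size))
        buf.extend(struct.pack("<" + cls.fmt, value))

    @classmethod
    def unpack(cls, stream: "NdrStream") -> int:
        stream.align(cls.size)
        if stream.offset + cls.size > len(stream.data):
            raise ValueError("truncated NDR buffer")
        (value,) = struct.unpack_from("<" + cls.fmt, stream.data, stream.offset)
        stream.offset += cls.size
        return value


class NdrShort(NdrPrimitive):
    size, fmt = 2, "H"


class NdrLong(NdrPrimitive):
    size, fmt = 4, "I"


class NdrStream:
    """Read cursor over a received NDR buffer (same role as ndr.NdrStream above)."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.offset = 0

    def align(self, n: int) -> None:
        self.offset += (-self.offset) % n


class NdrParameters:
    """A flat parameter list; subclasses declare MEMBERS in call order."""
    MEMBERS: Sequence[Type[NdrPrimitive]] = ()

    @classmethod
    def pack(cls, values: Sequence[int]) -> bytes:
        # Refuse a mismatched parameter count instead of sending a short buffer
        if len(values) != len(cls.MEMBERS):
            raise ValueError(f"expected {len(cls.MEMBERS)} parameters, got {len(values)}")
        buf = bytearray()
        for member, value in zip(cls.MEMBERS, values):
            member.pack(buf, value)
        return bytes(buf)

    @classmethod
    def unpack(cls, data: bytes) -> List[int]:
        stream = NdrStream(data)
        return [member.unpack(stream) for member in cls.MEMBERS]


class SvcSetStorageSettingsParameters(NdrParameters):
    # Same layout the article's script declares: short, long, short, long
    MEMBERS = [NdrShort, NdrLong, NdrShort, NdrLong]


def call_succeeded(reply: bytes) -> bool:
    """The reply is one NDR long holding the call's return code; 0 means success."""
    return NdrLong.unpack(NdrStream(reply)) == 0


def hexdump(data: bytes) -> str:
    return " ".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    request = SvcSetStorageSettingsParameters.pack([0, 1, 2, 0x77])
    print("request :", hexdump(request))   # padding follows each short
    print("decoded :", SvcSetStorageSettingsParameters.unpack(request))
    # Constructed sample replies: a zero status word, then a non-zero one
    print("zero status succeeded :", call_succeeded(b"\x00\x00\x00\x00"))
    print("error status succeeded:", call_succeeded(b"\x05\x00\x07\x80"))
```

Running it prints a 16-byte request rather than the 12 bytes a naive concatenation would give; that padding is the reason a hand-rolled client that gets the NDR layout wrong sees the server reject or misinterpret the call even though every value was "correct".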
