myhack58 佚名 MYHACK58:62201993553
History: Apr 09, 2019 - 12:00 a.m.

How to find RPC vulnerabilities, Part 2 - vulnerability warning - Black Bar Safety Net

2019-04-09 00:00:00
佚名 (Anonymous)
www.myhack58.com

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0005 Low
Percentile: 13.9%

1. Foreword
In the previous article (a translation of a FortiGuard Labs post) we showed how to use RpcView to find logic bugs in RPC servers, and at the end we found a potential problem in the Microsoft Universal Telemetry service.
As you may remember, that article covered how to use RpcView to look for RPC methods whose input arguments are strings. RpcView has limitations, however: it does not show RPC services that Windows does not start automatically by default, such as the Data Sharing Service. Previously we could not identify that service at all; with the alternative method described below we can. After analysis we found that this service also has privilege escalation issues, and our improved method finds them as well.
Google security researcher James Forshaw ultimately reported 4 security vulnerabilities, which MSRC has fixed over the last 12 months. And although RpcView is very useful, working with it is time-consuming: every method that takes a string parameter has to be reviewed one by one. We therefore looked for a faster approach.
We first analysed the bugs found earlier. They are very similar and share one trait: the affected services all call the Windows API SetNamedSecurityInfo, which lets an application set the specified security information in the security descriptor of an object identified by name. If the target is a file object, for example, the application passes the file name.
To be clear, this Windows API has no security problem of its own; rather, it can serve as a filter when searching RPC services with a static analysis tool of our own. An import of the API is only a lead: the bug lies in how the service uses it, typically a method running as SYSTEM that calls it on a caller-supplied or caller-redirectable path without impersonating the client, so that the service rewrites the DACL of a file the caller does not own. With that in mind we wrote a simple tool that statically parses every RPC server binary, looks for the Windows APIs of interest, and narrows down the set of RPC services that need in-depth study.
This turned up some interesting RPC services. For example, Storage Service, also known as StorSvc, had multiple previously undiscovered privilege escalation issues, and AppX Deployment Server may have a race condition that ultimately leads to elevation of privilege. FortiGuard Labs reported these vulnerabilities to the Microsoft Security Response Center (MSRC); Microsoft fixed them under CVE-2019-0569 and CVE-2019-0766.
Next we share the specific process by which we discovered these vulnerabilities.
[+] Target: appidsvc.dll
[*] Is the RPC server file
[*] Potential DLL with arbitrary DACL modification: appidsvc.dll
[+] Target: AppVEntSubsystemController.dll
[*] Is the RPC server file
[*] Potential executable arbitrary deletion: AppVEntSubsystemController.dll
[+] Target: AppXDeploymentServer.dll
[*] Is the RPC server file
[*] Potential executable arbitrary deletion: AppXDeploymentServer.dll
[*] Potential DLL with arbitrary deletion: AppXDeploymentServer.dll
[*] Potential executable with arbitrary file modification with move: AppXDeploymentServer.dll
[*] Potential DLL with arbitrary DACL modification: AppXDeploymentServer.dll
[+] Target: bdesvc.dll
[*] Is the RPC server file
[*] Potential executable arbitrary deletion: bdesvc.dll
[+] Target: bisrv.dll
[*] Is the RPC server file
[*] Potential DLL with arbitrary DACL modification: bisrv.dll
[+] Target: combase.dll
[*] Is the RPC server file
[*] Potential DLL with arbitrary deletion: combase.dll
[*] Potential executable arbitrary deletion: combase.dll
[+] Target: cryptcatsvc.dll
[*] Is the RPC server file
[*] Potential executable arbitrary deletion: cryptcatsvc.dll
[*] Potential executable with arbitrary file modification with move: cryptcatsvc.dll
[+] Target: cryptsvc.dll
[*] Is the RPC server file
[*] Potential executable arbitrary deletion: cryptsvc.dll
[+] Target: dhcpcore.dll
[*] Is the RPC server file
[*] Potential executable arbitrary deletion: dhcpcore.dll
[+] Target: dhcpcore6.dll
[*] Is the RPC server file
[*] Potential executable arbitrary deletion: dhcpcore6.dll
[+] Target: DiagSvc.dll
[*] Is the RPC server file
[*] Potential executable arbitrary deletion: DiagSvc.dll
[+] Target: diagtrack.dll
[*] Is the RPC server file
[*] Potential DLL with arbitrary deletion: diagtrack.dll
[*] Potential executable arbitrary deletion: diagtrack.dll
[*] Potential executable with arbitrary file modification with move: diagtrack.dll
[*] Potential DLL with arbitrary DACL modification: diagtrack.dll
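The listing above is the output of FortiGuard's own static scanner, which the article does not publish. What follows is an added example, not their code: a self-contained Python scanner that implements the same filter by walking a PE file's import table. Everything beyond what the page states is an assumption and is marked as such in the code: that "Is the RPC server file" can be decided by an import of an RpcServerRegisterIf* routine from rpcrt4.dll, that the "arbitrary deletion" and "arbitrary file modification with move" categories in the listing correspond to DeleteFile and MoveFile(Ex) imports the way "arbitrary DACL modification" corresponds to SetNamedSecurityInfo, and that the function and variable names (parse_imports, scan, build_test_pe) are mine. The parser handles PE32+ images and imports by name only; ordinal and delay-load imports are skipped, and a production version would use pefile instead of hand parsing. The test PE it builds is constructed inline so the example runs offline.

```python
"""Added example (not FortiGuard's tool): scan a PE32+ binary's import table,
call it an RPC server if it imports RpcServerRegisterIf* from rpcrt4.dll, and
report the file/DACL APIs the article uses as a filter.  Assumptions: PE32+
only, imports by name (ordinal/delay-load imports skipped), and the
API-to-category mapping is inferred from the page's output, not stated by it."""
import struct
import sys

INTERESTING = {                                     # assumed API -> finding category
    "SetNamedSecurityInfoW": "arbitrary DACL modification",
    "DeleteFileW": "arbitrary deletion",
    "MoveFileExW": "arbitrary file modification with move",
    "MoveFileW": "arbitrary file modification with move",
}
RPC_REGISTER = {"RpcServerRegisterIf", "RpcServerRegisterIf2",   # assumed RPC-server marker
                "RpcServerRegisterIf3", "RpcServerRegisterIfEx"}

def _rva_to_offset(sections, rva):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Return {dll_name_lower: [imported function names]} for a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]    # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    opt = pe + 24                                   # optional header follows it
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("this example only handles PE32+")
    if struct.unpack_from("<I", data, opt + 0x6C)[0] < 2:   # NumberOfRvaAndSizes
        return {}
    imp_rva = struct.unpack_from("<I", data, opt + 0x78)[0]  # import data directory (entry 1)
    if imp_rva == 0:
        return {}
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                for i in range(nsec)]               # (VirtualAddress, SizeOfRawData, PointerToRawData)
    imports, desc = {}, _rva_to_offset(sections, imp_rva)
    while True:                                     # IMAGE_IMPORT_DESCRIPTOR array, zero-terminated
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):
            break
        dll = _cstring(data, _rva_to_offset(sections, name_rva)).lower()
        thunk, names = _rva_to_offset(sections, oft or ft), []
        while True:                                 # 64-bit thunks; bit 63 set = import by ordinal
            entry = struct.unpack_from("<Q", data, thunk)[0]
            if entry == 0:
                break
            if not entry >> 63:                     # hint/name RVA: 2-byte hint, then the name
                names.append(_cstring(data, _rva_to_offset(sections, (entry & 0xFFFFFFFF) + 2)))
            thunk += 8
        imports[dll], desc = names, desc + 20
    return imports

def scan(data):
    """The article's filter: is this an RPC server, and which risky APIs does it import?"""
    imports = parse_imports(data)
    is_rpc = bool(RPC_REGISTER & set(imports.get("rpcrt4.dll", [])))
    hits = {INTERESTING[f] for funcs in imports.values() for f in funcs if f in INTERESTING}
    return {"rpc_server": is_rpc, "findings": sorted(hits) if is_rpc else []}

def build_test_pe(imports):
    """Constructed PE32+ with a single .idata section, so the scanner can run offline."""
    sec_rva, sec_raw = 0x1000, 0x200
    descs, body = bytearray(), bytearray()
    base = (len(imports) + 1) * 20                  # descriptor table first, strings/thunks after
    for dll, funcs in imports.items():
        name_rva = sec_rva + base + len(body)
        body += dll.encode() + b"\0"
        hint_rvas = []
        for f in funcs:
            body += b"\0" * (len(body) % 2)         # hint/name entries are 2-aligned
            hint_rvas.append(sec_rva + base + len(body))
            body += b"\0\0" + f.encode() + b"\0"
        body += b"\0" * (-len(body) % 8)            # thunk array is 8-aligned
        thunk_rva = sec_rva + base + len(body)
        body += b"".join(struct.pack("<Q", r) for r in hint_rvas) + bytes(8)
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva)
    section = bytes(descs + bytes(20) + body)
    raw_size = -(-len(section) // 0x200) * 0x200
    opt = bytearray(240)                            # PE32+ optional header, only needed fields set
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<IIIH", opt, 56, 0x2000, sec_raw, 0, 2)  # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem
    struct.pack_into("<I", opt, 0x6C, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x78, sec_rva, base)  # import directory RVA/size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    sh = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva, raw_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sh
    return headers.ljust(sec_raw, b"\0") + section.ljust(raw_size, b"\0")

if __name__ == "__main__":                          # usage: python scan_rpc.py <dll> [<dll> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                print(path, scan(fh.read()))
            except ValueError as exc:               # e.g. 32-bit images, which this example skips
                print(path, "skipped:", exc)
```

Run it over the DLLs in System32 and the hits reproduce the shape of the listing above. A hit is only a candidate: the next step is still to reverse the RPC method that reaches the flagged call and check whether the path is caller-controlled and whether the service impersonates the client first.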
