Source: myhack58 (MYHACK58:62201993717), Apr 17, 2019

RPC Vulnerability Hunting Case Study (Part 2) - Vulnerability Warning - Heiba Security Net (myhack58)

2019-04-17 00:00:00
Anonymous
www.myhack58.com

CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: LOCAL; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.0005 Low (Percentile 13.9%)

In the first RPC vulnerability hunting case study, we showed how to use the various available tools and online resources to find potential security issues in Windows RPC servers, and found a vulnerability in the Microsoft Universal Telemetry Client. We also covered the basic knowledge needed to reverse engineer an RPC server. We believe, however, that RPC servers contain other potential security vulnerabilities. So in this article we continue to study and improve our method of hunting Windows RPC servers, in order to find other RPC server vulnerabilities.
Foreword
In the first part of this blog series, we discussed the method we at FortiGuard Labs use to find logic vulnerabilities in RPC servers with RpcView. With it, we found a potential vulnerability in the Microsoft Universal Telemetry service.
If you read that article carefully, you will know that our analysis steps were as follows:

  1. First, export the RPC interfaces from the RpcView GUI to a text file; the generated text file contains all the RPC APIs that can be called on the RPC server.
  2. From the output text file, find the RPC APIs that accept wide-character strings as input, until we discovered a rather interesting RPC interface from diagtrack.dll.

However, our purpose in this article is not to decompile all of the RPC information but to export it to a text file. Fortunately, after reading RpcView's source code, we found that the functionality we need is already there, but it is not enabled by default: it is only triggered in debug mode with a specific command line parameter. Because of this limitation, RpcView (a very handy tool for identifying the RPC services running on a Windows system) does not by default show RPC services that are not started automatically on Windows, such as the Data Sharing Service. In this article we will use another way to identify this service. It turns out that this RPC service also has some privilege escalation vulnerabilities, which we will cover one by one below.
In the last 12 months, Google security researcher James Forshaw used RpcView to report four vulnerabilities that were fixed by the Microsoft Security Response Center (MSRC). So while using RpcView is still useful, it is also very time-consuming, because you literally have to review every API that accepts a string. We therefore wanted to find other, more time-saving methods.
First, we analyzed a set of very similar vulnerabilities found previously. We determined that they have one thing in common: they all call the Windows API SetNamedSecurityInfo, which allows a program to set specified security information in the security descriptor of an object identified by name. For example, if the object is a file, the program can specify the file name.
We want to emphasize that this Windows API does not pose a security vulnerability by itself. However, it can serve as a filter when we write a static analysis tool to search for the RPC services we want to examine. With this knowledge, we can create a simple tool that statically parses all RPC service executables, looking for the Windows APIs we are interested in, in order to narrow down the RPC services we need to explore further.
As expected, we did find some interesting RPC services: the infamous Storage Service, also known as StorSvc, in which other researchers had previously found multiple elevation-of-privilege vulnerabilities, and the AppX Deployment Server, which is vulnerable to a race condition that may eventually lead to elevation of privilege. In the end, we reported these vulnerabilities to the Microsoft Security Response Center (MSRC); they have now been fixed and assigned CVE-2019-0569 and CVE-2019-0766.
Now, we will discuss how we found these vulnerabilities.
    [+] Target: appidsvc.dll
    [*] Is the RPC server file
    [*] Potential DLL with arbitrary DACL modification: appidsvc.dll
    [+] Target: AppVEntSubsystemController.dll
    [*] Is the RPC server file
    [*] Potential executable arbitrary deletion: AppVEntSubsystemController.dll
    [+] Target: AppXDeploymentServer.dll
    [*] Is the RPC server file
    [*] Potential executable arbitrary deletion: AppXDeploymentServer.dll
    [*] Potential DLL with arbitrary deletion: AppXDeploymentServer.dll
    [*] Potential executable with arbitrary file modification with move: AppXDeploymentServer.dll
    [*] Potential DLL with arbitrary DACL modification: AppXDeploymentServer.dll
    [+] Target: bdesvc.dll
    [*] Is the RPC server file
    [*] Potential executable arbitrary deletion: bdesvc.dll
    [+] Target: bisrv.dll
    [*] Is the RPC server file
    [*] Potential DLL with arbitrary DACL modification: bisrv.dll
    [+] Target: combase.dll
    [*] Is the RPC server file
    [*] Potential DLL with arbitrary deletion: combase.dll
    [*] Potential executable arbitrary deletion: combase.dll
    [+] Target: cryptcatsvc.dll
    [*] Is the RPC server file
    [*] Potential executable arbitrary deletion: cryptcatsvc.dll
    [*] Potential executable with arbitrary file modification with move: cryptcatsvc.dll
    [+] Target: cryptsvc.dll
    [*] Is the RPC server file
    [*] Potential executable arbitrary deletion: cryptsvc.dll
    [+] Target: dhcpcore.dll
    [*] Is the RPC server file
    [*] Potential executable arbitrary deletion: dhcpcore.dll
    [+] Target: dhcpcore6.dll
    [*] Is the RPC server file
    [*] Potential executable arbitrary deletion: dhcpcore6.dll
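As an added illustration of the import-based static filter described above (example code, not the Fortinet authors' tool), the following Python script treats a binary as an RPC server when it imports an RpcServerRegisterIf* routine and then flags the file-handling APIs of interest, printing lines in the same format as the report above. The API-to-label rules, the folding of A/W variants and the inclusion of delay-load imports are this example's own assumptions; reading real binaries needs the third-party pefile package, while triage() itself is pure Python and is exercised on a constructed import list.

```python
"""Import-table triage of Windows service binaries, modelled on the static filter
described on this page. Added example, not the Fortinet tool; rules are assumptions."""

# Any of these imports marks a binary as an RPC server (it registers an interface).
RPC_SERVER_APIS = {"RpcServerRegisterIf", "RpcServerRegisterIf2",
                   "RpcServerRegisterIf3", "RpcServerRegisterIfEx"}

# APIs that are harmless by themselves but worth a closer look when reachable
# from an RPC method; the labels mirror the report format shown above (assumed).
SUSPICIOUS_APIS = {
    "SetNamedSecurityInfo": "Potential DLL with arbitrary DACL modification",
    "DeleteFile": "Potential executable arbitrary deletion",
    "MoveFileEx": "Potential executable with arbitrary file modification with move",
}

def canonical(api):
    """Fold ANSI/Unicode variants (DeleteFileA / DeleteFileW) onto one base name."""
    base = api[:-1]
    return base if api[-1:] in ("A", "W") and base in SUSPICIOUS_APIS else api

def triage(path, imports):
    """Report lines for one binary given the API names it imports; binaries
    that register no RPC interface are filtered out entirely (empty list)."""
    names = {canonical(n) for n in imports}
    if not names & RPC_SERVER_APIS:
        return []
    lines = [f"[+] Target: {path}", "[*] Is the RPC server file"]
    for api, label in SUSPICIOUS_APIS.items():   # one line per finding, stable order
        if api in names:
            lines.append(f"[*] {label}: {path}")
    return lines

def imports_of(path):
    """Collect imported API names, including delay-load imports, using pefile."""
    import pefile  # third-party: pip install pefile
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[
        pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"],
        pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT"]])
    names = set()
    for table in ("DIRECTORY_ENTRY_IMPORT", "DIRECTORY_ENTRY_DELAY_IMPORT"):
        for entry in getattr(pe, table, []):
            names.update(i.name.decode() for i in entry.imports if i.name)
    return names

if __name__ == "__main__":
    # Constructed import list standing in for imports_of("AppXDeploymentServer.dll").
    sample = ["RpcServerRegisterIfEx", "DeleteFileW", "MoveFileExW",
              "SetNamedSecurityInfoW", "CreateFileW"]
    print("\n".join(triage("AppXDeploymentServer.dll", sample)))
```

On a real system, loop over the service DLLs and pass imports_of(path) to triage(); a hit only marks a binary for manual review of the RPC methods that reach those APIs, exactly as the text says the filter is meant to be used.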
