Source: Code White
Publication date: 2018-06-15 15:19:13 (seen: 2018-06-15 16:00:59)
Title: Marshalling to SYSTEM - An analysis of CVE-2018-0624
In May 2018 Microsoft patched an interesting vulnerability which was reported by Nicolas Joly of Microsoft's MSRC:

"A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The security update addresses the vulnerability by correcting how "Microsoft COM for Windows" handles serialized objects."

The keywords "COM" and "serialized" jumped out at me when the advisory came out. Since I had already spent several months of research time on Microsoft COM last year, I decided to look into it. Although the vulnerability can result in remote code execution, I am only interested in its privilege escalation aspects.

Before going into the details I want to give a quick introduction to COM and how deserialization, which COM calls unmarshalling, works. As I am far from being an expert on COM, all of this information is based either on the great book "Essential COM" by Don Box or on the awesome Infiltrate '17 talk "COM in 60 seconds". I have skipped several details (IDL/MIDL, apartments, standard marshalling, etc.) just to keep the introduction short.
Introduction to COM and Marshalling

COM (Component Object Model) is a Windows middleware whose primary goal is reusable code (components). In order to develop reusable C++ code, Microsoft engineers designed COM in an object-oriented manner with the following key aspects in mind: portability, encapsulation, polymorphism, separation of interfaces from implementation, object extensibility, resource management and language independence.

COM objects are defined by an interface and an implementation class. Both the interface (its IID) and the implementation class (its CLSID) are identified by a GUID. A COM object can implement several interfaces using inheritance. All COM objects implement the IUnknown interface, whose C++ class definition consists of three methods: QueryInterface() is used to cast a COM object to a different interface implemented by that object, and AddRef() and Release() are used for reference counting.

To keep it short, I will continue with an existing COM object rather than creating an artificial example. A Control Panel COM object is identified by the GUID {06622D85-6856-4460-8DE1-A81921B41C4B}. To find out more about this COM object we could analyze the registry manually (its CLSID key lives under HKEY_CLASSES_ROOT\CLSID) or just use the great tool "OleView .NET".
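The IUnknown contract and the GUID identification described above, as an added example that is not code from the Code White post. It is a self-contained model that builds without Windows headers: GUID, HRESULT, REFIID and the error codes are redefined here (on Windows they come from guiddef.h and unknwn.h), the Greeter class and the IGreeter interface are hypothetical, and the IID_IGreeter and IID_INotImplemented values are made up; only IID_IUnknown and the Control Panel CLSID from the text are real values.

```cpp
// Added example, not code from the Code White post: a minimal model of the COM
// IUnknown contract (QueryInterface as the cast, AddRef/Release as refcounting)
// plus a strict parser for the registry string form of a GUID.
// Types and error codes are redefined so this builds without Windows headers.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

typedef int32_t  HRESULT;
typedef uint32_t ULONG;
static const HRESULT S_OK          = 0;
static const HRESULT E_NOINTERFACE = (HRESULT)0x80004002;
static const HRESULT E_POINTER     = (HRESULT)0x80004003;

struct GUID { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; };
typedef const GUID& REFIID;
static bool operator==(REFIID a, REFIID b) { return std::memcmp(&a, &b, sizeof(GUID)) == 0; }

// Parse "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" (registry/OleView form) into the
// binary layout: Data1..Data3 are integers, Data4 is the last 8 bytes in order.
// Anything that is not exactly that shape is rejected.
static bool ParseGuid(const std::string& s, GUID& out) {
    if (s.size() != 38 || s[0] != '{' || s[37] != '}') return false;
    for (size_t i = 1; i < 37; ++i) {
        bool dash = (i == 9 || i == 14 || i == 19 || i == 24);
        if (dash ? s[i] != '-' : !std::isxdigit((unsigned char)s[i])) return false;
    }
    unsigned d1, d2, d3, d4[8];
    if (std::sscanf(s.c_str(), "{%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x}", &d1, &d2, &d3,
                    &d4[0], &d4[1], &d4[2], &d4[3], &d4[4], &d4[5], &d4[6], &d4[7]) != 11)
        return false;
    out.Data1 = d1; out.Data2 = (uint16_t)d2; out.Data3 = (uint16_t)d3;
    for (int i = 0; i < 8; ++i) out.Data4[i] = (uint8_t)d4[i];
    return true;
}

static std::string GuidToString(REFIID g) {
    char buf[40];
    std::snprintf(buf, sizeof buf, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
                  (unsigned)g.Data1, (unsigned)g.Data2, (unsigned)g.Data3,
                  (unsigned)g.Data4[0], (unsigned)g.Data4[1], (unsigned)g.Data4[2], (unsigned)g.Data4[3],
                  (unsigned)g.Data4[4], (unsigned)g.Data4[5], (unsigned)g.Data4[6], (unsigned)g.Data4[7]);
    return buf;
}

// True when an uppercase GUID string parses and formats back to itself.
static bool GuidRoundTrips(const char* s) { GUID g; return ParseGuid(s, g) && GuidToString(g) == s; }

static GUID GuidFromString(const char* s) { GUID g = {}; ParseGuid(s, g); return g; }
// IID_IUnknown is the real, documented value; the other two are made up for this example.
static const GUID IID_IUnknown        = GuidFromString("{00000000-0000-0000-C000-000000000046}");
static const GUID IID_IGreeter        = GuidFromString("{5B9A0D2E-3F41-4C8A-9E17-2D6C0B8A4F01}");
static const GUID IID_INotImplemented = GuidFromString("{A1E2C3D4-5F60-4718-8A9B-0C1D2E3F4A5B}");

struct IUnknown {
    virtual HRESULT QueryInterface(REFIID riid, void** ppv) = 0;
    virtual ULONG   AddRef()  = 0;
    virtual ULONG   Release() = 0;
};
// Hypothetical derived interface: inheriting from IUnknown is how a COM object exposes more interfaces.
struct IGreeter : IUnknown { virtual HRESULT Greet(std::string* out) = 0; };

class Greeter final : public IGreeter {
    ULONG refs_ = 1;                    // the creator holds the first reference
    Greeter() {}
    ~Greeter() {}                       // private: only Release() may destroy the object
public:
    static size_t live;                 // live instances, shows that Release() really frees
    static HRESULT Create(REFIID riid, void** ppv) {
        Greeter* obj = new Greeter();
        ++live;
        HRESULT hr = obj->QueryInterface(riid, ppv);  // hands the caller a counted reference
        obj->Release();                               // drop the creator's reference
        return hr;                                    // on failure the object is already gone
    }
    HRESULT QueryInterface(REFIID riid, void** ppv) override {
        if (!ppv) return E_POINTER;
        if (riid == IID_IUnknown || riid == IID_IGreeter) {
            *ppv = static_cast<IGreeter*>(this);
            AddRef();                   // every pointer handed out is a counted reference
            return S_OK;
        }
        *ppv = nullptr;                 // contract: out-pointer is null on failure
        return E_NOINTERFACE;
    }
    ULONG AddRef() override { return ++refs_; }
    ULONG Release() override { ULONG n = --refs_; if (n == 0) { --live; delete this; } return n; }
    HRESULT Greet(std::string* out) override { *out = "hello via IGreeter"; return S_OK; }
};
size_t Greeter::live = 0;

// Walk through the contract; true only if every step behaved as COM requires.
static bool RunContractDemo() {
    IUnknown* unk = nullptr;
    if (Greeter::Create(IID_IUnknown, (void**)&unk) != S_OK) return false;
    IGreeter* g = nullptr;              // "cast" to IGreeter through QueryInterface, not a C++ cast
    if (unk->QueryInterface(IID_IGreeter, (void**)&g) != S_OK) return false;
    std::string msg;
    g->Greet(&msg);
    void* missing = (void*)0x1;         // unsupported interface: E_NOINTERFACE and a null out-pointer
    if (unk->QueryInterface(IID_INotImplemented, &missing) != E_NOINTERFACE || missing) return false;
    ULONG afterFirst = g->Release();    // two references outstanding -> 1
    ULONG afterLast  = unk->Release();  // -> 0, object destroyed
    return afterFirst == 1 && afterLast == 0 && Greeter::live == 0 && msg == "hello via IGreeter";
}

int main() {
    std::printf("GUID round trip: %s\n", GuidRoundTrips("{06622D85-6856-4460-8DE1-A81921B41C4B}") ? "ok" : "FAIL");
    std::printf("IUnknown contract: %s\n", RunContractDemo() ? "ok" : "FAIL");
    return 0;
}
```

The two points worth noticing for the rest of the analysis: a COM "cast" is a method call whose success depends on what the object claims to implement, and every interface pointer the object hands out is a counted reference that the caller must Release(). Both facts carry over to marshalled objects, where the object sitting behind the interface pointer is reconstructed from serialized data rather than created locally.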