One Article Review

Home - The article:
Source ProjectZero
Identifier 8221940
Publication date 2022-08-23 12:22:51 (viewed: 2022-11-25 18:05:33)
Title Windows Exploitation Tricks: Relaying DCOM Authentication
Text Posted by James Forshaw, Project Zero

In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blog post. This is primarily a technique to get relay authentication from another user on the same machine and forward that to a network service such as LDAP. You could use this to escalate privileges on a host using a technique similar to a blog post from Shenanigans Labs but removing the requirement for the WebDAV service. Let's get straight to it.

Background

The technique to locally relay authentication for DCOM was something I originally reported back in 2015 (issue 325). This issue was fixed as CVE-2015-2370; however, the underlying authentication relay using DCOM remained. This was repurposed and expanded upon by various others for local and remote privilege escalation in the RottenPotato series of exploits, the latest in that line being RemotePotato, which is currently unpatched as of October 2021.

The key feature that the exploit abused is standard COM marshaling. Specifically, when a COM object is marshaled so that it can be used by a different process or host, the COM runtime generates an OBJREF structure, most commonly the OBJREF_STANDARD form. This structure contains all the information necessary to establish a connection between a COM client and the original object in the COM server. Connecting to the original object from the OBJREF is a two-part process:

1. The client extracts the Object Exporter ID (OXID) from the structure and contacts the OXID resolver service specified by the RPC binding information in the OBJREF.
2. The client uses the OXID resolver service to find the RPC binding information of the COM server which hosts the object and establishes a connection to the RPC endpoint to access the object's interfaces.
Both of these steps require establishing an MSRPC connection to an endpoint. Commonly this is either locally over ALPC, or remotely via TCP. If a TCP connection is used then the client will also authenticate to the RPC server using NTLM or Kerberos based on the security bindings in the OBJREF.
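To make the OBJREF contents concrete, here is an added example (not code from the article or from Project Zero) that parses a constructed OBJREF_STANDARD blob following the MS-DCOM layout and extracts the fields the text relies on: the OXID, the RPC string bindings that locate the OXID resolver, and the security bindings that determine whether NTLM or Kerberos will be used. The sample bytes, address and principal name are constructed, and only a subset of tower IDs and authentication services is mapped.

```python
import struct
import uuid

# Subset of MS-DCOM tower IDs (2.2.19.3) and RPC authentication service constants.
TOWER_IDS = {0x07: "ncacn_ip_tcp", 0x10: "ncalrpc"}
AUTHN_SVCS = {0: "NONE", 9: "GSS_NEGOTIATE", 10: "WINNT (NTLM)", 16: "GSS_KERBEROS"}

def _guid(b):
    return str(uuid.UUID(bytes_le=b))  # GUIDs are stored little-endian on the wire

def _ustr(words, i):
    """Read a NUL-terminated UTF-16 string from a ushort list starting at index i."""
    end = words.index(0, i)
    return "".join(map(chr, words[i:end])), end + 1

def parse_objref_standard(data):
    """Parse OBJREF header + STDOBJREF + DUALSTRINGARRAY (MS-DCOM 2.2.18 / 2.2.19)."""
    sig, flags = struct.unpack_from("<II", data, 0)
    if sig != 0x574F454D or flags != 0x1:        # "MEOW" signature, OBJREF_STANDARD
        raise ValueError("not an OBJREF_STANDARD")
    iid = _guid(data[8:24])
    _sorf, _refs, oxid, oid = struct.unpack_from("<IIQQ", data, 24)
    ipid = _guid(data[48:64])
    n, sec_off = struct.unpack_from("<HH", data, 64)  # both counted in ushorts
    words = list(struct.unpack_from(f"<{n}H", data, 68))
    bindings, i = [], 0
    while words[i] != 0:                          # STRINGBINDINGs, 0-terminated
        addr, nxt = _ustr(words, i + 1)
        bindings.append((TOWER_IDS.get(words[i], hex(words[i])), addr))
        i = nxt
    security, i = [], sec_off
    while words[i] != 0:                          # SECURITYBINDINGs, 0-terminated
        svc = words[i]                            # words[i+1] is the 0xFFFF reserved word
        princ, i = _ustr(words, i + 2)
        security.append((AUTHN_SVCS.get(svc, str(svc)), princ))
    return {"iid": iid, "oxid": oxid, "oid": oid, "ipid": ipid,
            "bindings": bindings, "security": security}

def build_sample():
    """Constructed OBJREF_STANDARD test vector; the address and principal are made up."""
    ustr = lambda s: struct.pack(f"<{len(s) + 1}H", *map(ord, s), 0)
    sb = struct.pack("<H", 0x07) + ustr("127.0.0.1[135]") + b"\x00\x00"
    sec = (struct.pack("<HH", 10, 0xFFFF) + ustr("")
           + struct.pack("<HH", 16, 0xFFFF) + ustr("host/dcom-host.example") + b"\x00\x00")
    head = struct.pack("<II", 0x574F454D, 1) + uuid.UUID("00000000-0000-0000-c000-000000000046").bytes_le
    std = struct.pack("<IIQQ", 0, 1, 0x1122334455667788, 0x42) + uuid.UUID(int=7).bytes_le
    return head + std + struct.pack("<HH", len(sb + sec) // 2, len(sb) // 2) + sb + sec
if __name__ == "__main__":
    print(parse_objref_standard(build_sample()))
```

The security bindings are what decide which authentication package the client will present when it follows the bindings, which is why inspecting a marshaled OBJREF is a useful detection and triage step.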
Sent Yes
Tags Technical


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.