Source: ProjectZero
Identifier: 8644882
Publication date: 2025-01-30 09:57:50 (seen: 2025-01-30 18:07:34)
Title: Windows Bug Class: Accessing Trapped COM Objects with IDispatch
Text:
Posted by James Forshaw, Google Project Zero
Object-oriented remoting technologies such as DCOM and .NET Remoting make it very easy to develop an object-oriented interface to a service that can cross process and security boundaries. This is because they're designed to support a wide range of objects, not just those implemented in the service but any other object compatible with being remoted. For example, if you wanted to expose an XML document across the client-server boundary, you could use a pre-existing COM or .NET library and return that object to the client. By default, when the object is returned it's marshaled by reference, which means the object itself stays in the out-of-process server and the client only receives a proxy to it.
This flexibility has a number of downsides, one of which is the topic of this post: the trapped object bug class. Not every object that can be remoted is safe to remote. For example, the XML libraries mentioned above, in both COM and .NET, support executing arbitrary script code in the context of an XSLT document. If such an XML document object is made accessible across the boundary, the client can execute code in the context of the server process, which can result in privilege escalation or remote code execution.
There are a number of scenarios that can introduce this bug class. The most common is where an unsafe object is shared inadvertently. An example of this was CVE-2019-0555. The bug was introduced because the developers of the Windows Runtime libraries needed an XML document object and decided to add code to the existing XML DOM Document v6 COM object to expose the runtime-specific interfaces. As those runtime interfaces didn't support the XSLT scripting feature, the assumption was that the object was safe to expose across privilege boundaries. Unfortunately, a malicious client could query for the old IXMLDOMDocument interface, which was still accessible, and use it to run an XSLT script and escape a sandbox.
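The primitive behind both the general XSLT concern and CVE-2019-0555 is easy to reproduce locally. The following is an added example, not code from the Project Zero post: it loads an XSLT stylesheet carrying JScript into an MSXML 6 document object and transforms with it, so the script runs in whatever process hosts that object. It assumes Windows PowerShell 5.1 with MSXML 6 present; the `user:whoami` function and the `urn:example-user` namespace are placeholders for whatever an attacker would run.

```powershell
# Added example, not code from the Project Zero post. Demonstrates why an
# exposed MSXML document object is dangerous: an XSLT stylesheet that carries
# script executes that script inside the process hosting the object.
# Assumes Windows PowerShell 5.1 with MSXML 6 installed.

function Invoke-XsltScript {
    param([bool]$AllowScript)

    $xsl = New-Object -ComObject "Msxml2.DOMDocument.6.0"
    $xsl.async = $false
    # MSXML 6 refuses XSLT script unless AllowXsltScript is true. A client that
    # holds a reference to the document object can set it itself, so the secure
    # default only helps a server that never hands the object out.
    $xsl.setProperty("AllowXsltScript", $AllowScript)

    # Constructed stylesheet; the JScript body is a benign stand-in for attacker
    # code. Anything creatable through ActiveXObject is reachable from here.
    $stylesheet = @'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:example-user">
  <xsl:output method="text"/>
  <msxsl:script language="JScript" implements-prefix="user">
    function whoami() {
      var net = new ActiveXObject("WScript.Network");
      return net.UserDomain + "\\" + net.UserName;
    }
  </msxsl:script>
  <xsl:template match="/">
    <xsl:value-of select="user:whoami()"/>
  </xsl:template>
</xsl:stylesheet>
'@
    if (-not $xsl.loadXML($stylesheet)) {
        throw "stylesheet failed to parse: " + $xsl.parseError.reason
    }

    $doc = New-Object -ComObject "Msxml2.DOMDocument.6.0"
    $doc.async = $false
    [void]$doc.loadXML("<root/>")
    # transformNode runs the stylesheet, and with it the embedded JScript, in
    # this process. Across a DCOM boundary that would be the server's process.
    return $doc.transformNode($xsl)
}

"With AllowXsltScript = true:  " + (Invoke-XsltScript -AllowScript $true)
try {
    Invoke-XsltScript -AllowScript $false
} catch {
    "With AllowXsltScript = false: transform rejected (" + $_.Exception.Message + ")"
}
```

The first call prints the identity of the process running the transform, which is the point: whoever controls the document object and the stylesheet controls code execution in that process. The second call shows the default-off setting being enforced, and also why it is not a mitigation for this bug class, since the property is set through the very object the client already holds.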
Another scenario is where there exists an asymmetric marshaling primitive: an object that can be marshaled both by value and by reference, where the platform chooses by reference as the default mechanism. For example, the FileInfo and DirectoryInfo .NET classes are both serializable, so they can be sent to a .NET Remoting service marshaled by value. But they also derive from the MarshalByRefObject class, which means they can be marshaled by reference. An attacker can leverage this by sending the server a serialized form of the object, which when deserialized creates a new instance of the object in the server's process. If the attacker can read back the created object, the runtime will marshal it back to the attacker by reference, leaving the object trapped in the server process. Finally the attacker can call
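The asymmetry described above can be observed without standing up a remoting channel. The following is an added example, not code from the Project Zero post: it produces the by-value form of a `System.IO.FileInfo` that a client could send, deserializes it the way a remoting service would, and then asks the remoting runtime to marshal the resulting object the way it would on return, which yields an `ObjRef` rather than bytes. It assumes Windows PowerShell 5.1 on .NET Framework, where .NET Remoting and `BinaryFormatter` still exist; the hosts-file path is only an illustrative target.

```powershell
# Added example, not code from the Project Zero post. Assumes Windows
# PowerShell 5.1 on .NET Framework (.NET Remoting and BinaryFormatter are
# not available on .NET Core / PowerShell 7). Shows the two marshaling forms
# of System.IO.FileInfo in one process: the by-value bytes a client can send,
# and the by-reference ObjRef a server hands back, which leaves the real
# object in the server.

$fiType = [System.IO.FileInfo]
"Serializable (can be sent by value):        " + $fiType.IsSerializable
"MarshalByRefObject (returned by reference): " + $fiType.IsSubclassOf([MarshalByRefObject])

# Client side: serialize a FileInfo pointing at a path of the client's choice.
$path = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"  # illustrative only
$fmt = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
$out = New-Object System.IO.MemoryStream
$fmt.Serialize($out, (New-Object System.IO.FileInfo -ArgumentList $path))
$payload = $out.ToArray()
"Serialized FileInfo: $($payload.Length) bytes"

# Server side: deserializing the payload constructs a new FileInfo inside this
# process, exactly as a remoting service does when it receives the argument.
$in = New-Object System.IO.MemoryStream -ArgumentList (,$payload)
$serverObj = [System.IO.FileInfo]$fmt.Deserialize($in)

# When the server returns that object, remoting does not serialize it again.
# Because it is a MarshalByRefObject it is registered with the runtime and
# replaced by an ObjRef; the object itself stays behind.
$objref = [System.Runtime.Remoting.RemotingServices]::Marshal($serverObj)
"ObjRef URI:  " + $objref.URI
"ObjRef type: " + $objref.TypeInfo.TypeName

# A remote client that unmarshals the ObjRef gets a transparent proxy, and every
# call through it runs on $serverObj with the server's privileges. In the same
# process the runtime hands back the original object instead of a proxy.
$ref = [System.Runtime.Remoting.RemotingServices]::Unmarshal($objref)
"Reference resolves to: " + $ref.FullName + " (exists: " + $ref.Exists + ")"
```

The two type checks at the top are the whole story: a type that is both `[Serializable]` and a `MarshalByRefObject` travels by value on the way in and by reference on the way out, so an attacker can plant an instance of their choosing in the server and then drive it through the returned reference.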
Tags: Malware, Tool, Threat