a view into alpc rpc
play

A view into ALPC-RPC UAC Advanced features & vulnerability - PowerPoint PPT Presentation

Jun 01, 2023 •49 likes •549 views

A view into ALPC-RPC Introduction ALPC RPC A view into ALPC-RPC UAC Advanced features & vulnerability research Clment Rouault & Thomas Imbert CVE-2017-11783 PacSec Conclusion November 2017 Clment Rouault & Thomas

  1. A view into ALPC-RPC Introduction ALPC RPC A view into ALPC-RPC UAC Advanced features & vulnerability research Clément Rouault & Thomas Imbert CVE-2017-11783 PacSec Conclusion November 2017 Clément Rouault & Thomas Imbert PacSec

  2. Agenda A view into ALPC-RPC Introduction ALPC RPC UAC ALPC Advanced features & vulnerability RPC research UAC CVE-2017-11783 Conclusion Advanced features & vulnerability research CVE-2017-11783 Clément Rouault & Thomas Imbert PacSec

  3. Agenda A view into ALPC-RPC Introduction ALPC RPC UAC Introduction 1 Advanced features & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  4. Where does this talk come from ? A view into ALPC-RPC Introduction ALPC User Account Control RPC We were curious about the UAC. UAC Advanced features Only API we found was ShellExecuteA & vulnerability research How to trigger the UAC manually ? CVE-2017-11783 We knew that UAC may be triggered by RPC Conclusion We knew that ALPC allows to perform RPC So let’s explore the RPC-over-ALPC ! Clément Rouault & Thomas Imbert PacSec

  5. Existing research A view into ALPC-RPC Introduction ALPC Talks RPC LPC & ALPC Interfaces - Recon 2008 - Thomas Garnier UAC Advanced features All about the ALPC, RPC, LPC, LRPC in your PC - & vulnerability research Syscan 2014 - Alex Ionescu CVE-2017-11783 ALPC Fuzzing Toolkit - HITB 2014 - Ben Nagy Conclusion Tool RpcView (Jean-Marie Borello, Julien Boutet, Jeremy Bouetard, Yoanne Girardin) Clément Rouault & Thomas Imbert PacSec

  6. Agenda A view into ALPC-RPC Introduction ALPC RPC UAC ALPC 2 Advanced features & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  7. Overview A view into ALPC-RPC Introduction ALPC ALPC RPC A dvanced L ocal P rocedure C all UAC Server listening on an ALPC Port Advanced features & vulnerability Client connecting to that port research CVE-2017-11783 ALPC Message Conclusion An ALPC message is composed of two parts PORT_MESSAGE : The header and data of the message ALPC_MESSAGE_ATTRIBUTES : Attributes header and data for advanced features Clément Rouault & Thomas Imbert PacSec

  8. PORT_MESSAGE A view into ALPC-RPC Introduction 0:000> dt -r combase!_PORT_MESSAGE +0x000 u1 ALPC +0x000 s1 RPC +0x000 DataLength : Int2B // Size of DATA without header UAC +0x002 TotalLength : Int2B // Size of header + DATA +0x000 Length : Uint4B Advanced features & vulnerability +0x004 u2 research +0x000 s2 CVE-2017-11783 +0x000 Type : Int2B // Message Type +0x002 DataInfoOffset : Int2B Conclusion +0x000 ZeroInit : Uint4B 0x008 ClientId : _CLIENT_ID +0x000 UniqueProcess : Ptr32 Void // Identify the client +0x004 UniqueThread : Ptr32 Void // Identify the client +0x008 DoNotUseThisField : Float +0x010 MessageId : Uint4B // Identify msg for reply +0x014 ClientViewSize : Uint4B +0x014 CallbackId : Uint4B Clément Rouault & Thomas Imbert PacSec

  9. APIs A view into ALPC-RPC Introduction Server ALPC NtAlpcCreatePort RPC UAC NtAlpcAcceptConnectPort Advanced features NtAlpcSendWaitReceivePort & vulnerability research TpCallbackSendAlpcMessageOnCompletion CVE-2017-11783 Used by rpcrt4.dll Conclusion Client NtAlpcConnectPort NtAlpcDisconnectPort NtAlpcSendWaitReceivePort Clément Rouault & Thomas Imbert PacSec

  10. Python implementation import windows # https://github.com/hakril/PythonForWindows A view into ALPC-RPC def alpc_server(): server = windows.alpc.AlpcServer(PORT_NAME) Introduction msg = server.recv() # Wait for a connection message assert msg.type & 0xfff == LPC_CONNECTION_REQUEST ALPC server.accept_connection(msg) RPC msg = server.recv() # Wait for a real message UAC print("[SERV] Received message: <{0}>".format(msg)) print("[SERV] Message data: <{0}>".format(msg.data)) Advanced features & vulnerability assert msg.type & 0xfff == LPC_REQUEST research msg.data = "REQUEST ’{0}’ DONE".format(msg.data) CVE-2017-11783 server.send(msg) # Reply as we kept the same MessageId Conclusion def alpc_client(): client = windows.alpc.AlpcClient(PORT_NAME) print("[CLIENT] Connected: {0}".format(client)) response = client.send_receive("Hello world !") print("[CLIENT] Response: <{0}>".format(response.data)) Clément Rouault & Thomas Imbert PacSec

  11. Agenda A view into ALPC-RPC Introduction ALPC RPC RPC Bind RPC 3 RPC call EpMapper RPC Bind UAC RPC call Advanced features EpMapper & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  12. Overview A view into ALPC-RPC Introduction R emote P rocedure C all ALPC RPC Server RPC Bind RPC call EpMapper One or many endpoints UAC One or many interfaces Advanced features & vulnerability Each interface has methods research CVE-2017-11783 Endpoints Conclusion ncacn_ip_tcp : IP + port ncacn_np : \pipe\my_endpoint ncalrpc : \RPC Control\my_alpc_port ... Clément Rouault & Thomas Imbert PacSec

  13. RpcView A view into ALPC-RPC Introduction ALPC RPC RPC Bind RPC call EpMapper UAC Advanced features & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  14. RPC call steps A view into ALPC-RPC Introduction ALPC RPC RPC Bind RPC call EpMapper UAC Advanced features & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  15. RpcBindRequest A view into ALPC-RPC class ALPC_RPC_BIND(ctypes.Structure): Introduction _pack_ = 1 _fields_ = [ ALPC ("request_type", gdef.DWORD), RPC ("UNK1", gdef.DWORD), RPC Bind ("UNK2", gdef.DWORD), RPC call EpMapper ("target", gdef.RPC_IF_ID), # Interface GUID + Version UAC ("flags", gdef.DWORD), # Bind to NDR32 | NDR64 | ?? ("if_nb_ndr32", gdef.USHORT), # If number for NDR32 Advanced features ("if_nb_ndr64", gdef.USHORT), & vulnerability research ("if_nb_unkn", gdef.USHORT), ("PAD", gdef.USHORT), CVE-2017-11783 ("register_multiple_syntax", gdef.DWORD), Conclusion ("use_flow", gdef.DWORD), ("UNK5", gdef.DWORD), ("maybe_flow_id", gdef.DWORD), ("UNK7", gdef.DWORD), ("some_context_id", gdef.DWORD), ("UNK9", gdef.DWORD), ] Clément Rouault & Thomas Imbert PacSec

  16. Build a minimal request & reponse A view into ALPC-RPC request Introduction ALPC req = ALPC_RPC_BIND() RPC req.request_type = gdef.RPC_REQUEST_TYPE_BIND RPC Bind req.target = gdef.RPC_IF_ID(uuid, *syntaxversion) RPC call req.flags = gdef.BIND_IF_SYNTAX_NDR32 EpMapper req.if_nb_ndr32 = requested_if_nb UAC req.if_nb_ndr64 = 0 Advanced features req.if_nb_unkn = 0 & vulnerability req.register_multiple_syntax = False research CVE-2017-11783 Response Conclusion Also a ALPC_RPC_BIND request_type == RPC_RESPONSE_TYPE_BIND_OK(1) Some fields may change to reflect the request actually handled by the server Clément Rouault & Thomas Imbert PacSec

  17. RpcCall A view into ALPC-RPC class ALPC_RPC_CALL(ctypes.Structure): Introduction _pack_ = 1 _fields_ = [ ALPC ("request_type", gdef.DWORD), RPC ("UNK1", gdef.DWORD), RPC Bind ("flags",gdef.DWORD), RPC call EpMapper ("request_id", gdef.DWORD), UAC ("if_nb", gdef.DWORD), ("method_offset", gdef.DWORD), Advanced features ("UNK2", gdef.DWORD), & vulnerability research ("UNK3", gdef.DWORD), ("UNK4", gdef.DWORD), CVE-2017-11783 ("UNK5", gdef.DWORD), Conclusion ("UNK6", gdef.DWORD), ("UNK7", gdef.DWORD), ("UNK8", gdef.DWORD), ("UNK9", gdef.DWORD), ("UNK10", gdef.DWORD), ("UNK11", gdef.DWORD), ] Clément Rouault & Thomas Imbert PacSec

  18. Build a minimal RPC Call A view into ALPC-RPC Introduction ALPC RPC req = ALPC_RPC_CALL() RPC Bind req.request_type = gdef.RPC_REQUEST_TYPE_CALL RPC call req.flags = 0 EpMapper req.request_id = 0x11223344 UAC req.if_nb = interface_nb Advanced features req.method_offset = method_offset & vulnerability return buffer(req)[:] + params research CVE-2017-11783 A lot of fields are not identified yet Conclusion params is the marshalling of the method parameters Clément Rouault & Thomas Imbert PacSec

  19. N etwork D ata R epresentation (NDR) A view into ALPC-RPC N etwork D ata R epresentation (NDR) Introduction "The role of NDR is to provide a mapping of IDL ALPC data types onto octet streams" RPC RPC Bind Documented: http://pubs.opengroup.org/ RPC call EpMapper onlinepubs/9629399/chap14.htm UAC Advanced features Microsoft Transfert Syntax & vulnerability research 71710533-BEBA-4937-8319-B5DBEF9CCC36 v1.0 NDR CVE-2017-11783 Conclusion 8A885D04-1CEB-11C9-9FE8-08002B104860 v2.0 NDR64 B4537DA9-3D03-4F6B-B594-52B2874EE9D0 v1.0 ??? Please tell us if you find out this one :) We implemented part of NDR32 in Python for this project Clément Rouault & Thomas Imbert PacSec

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

You can view your nodes* *And you can view your friends, but you cant view your friends

You can view your nodes* *And you can view your friends, but you cant view your friends

You can view your nodes* *And you can view your friends, but you cant view your friends nodes.** ** Well, yeah, you can, but you need more modules. Important note! This is a beginners intro to building Views. If you are already

955 views • 67 slides
IGES view on new market IGES view on new market- IGES view on new market IGES view on new market

IGES view on new market IGES view on new market- IGES view on new market IGES view on new market

Institute for Global Environmental Strategies Towards sustainable development - policy oriented, practical and strategic research on global environmental issues IGES view on new market IGES view on new market- IGES view on new market IGES view

164 views • 4 slides
View Volumes Canonical View Volumes Why Canonical View Volumes? University of British Columbia

View Volumes Canonical View Volumes Why Canonical View Volumes? University of British Columbia

View Volumes Canonical View Volumes Why Canonical View Volumes? University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2016 standardized viewing volume representation specifies field-of-view, used for clipping permits

52 views • 3 slides
Cumbernauld Academy Existing aerial view from west Site Plan Aerial view from South Aerial view

Cumbernauld Academy Existing aerial view from west Site Plan Aerial view from South Aerial view

Cumbernauld Academy Existing aerial view from west Site Plan Aerial view from South Aerial view from Kildrum Road Aerial view from western entrance View from southern playground View of school entrance View from site entrance View of

456 views • 18 slides
MICHELANGELO a different view MICHELANGELO a different view The exhibition allows visitors

MICHELANGELO a different view MICHELANGELO a different view The exhibition allows visitors

MICHELANGELO a different view MICHELANGELO a different view The exhibition allows visitors to view the paintings from a distance of only two meters with no time constraints. Numerous motifs were painted into the vaulted ceiling of the

586 views • 3 slides
101 iOS Container View Controllers Container View Controllers Display a view controller inside

101 iOS Container View Controllers Container View Controllers Display a view controller inside

101 iOS Container View Controllers Container View Controllers Display a view controller inside another view controller Great for reuse Great for decomposing Special segue: embed Set up with prepareForSegue View Hierarchy Tab Bar VC Main

544 views • 7 slides
Campsie View School 1 Campsie View at the Movies 2 Campsie View School 21 Teachers 34

Campsie View School 1 Campsie View at the Movies 2 Campsie View School 21 Teachers 34

Campsie View School 1 Campsie View at the Movies 2 Campsie View School 21 Teachers 34 Support Staff 78 Pupils Adam 3 High School Musical The Stars Nominated Oscar Winners Mason Eadie Quadriplegic Cerebral Palsy

569 views • 20 slides
Cate Construction Projects April 2019 View from Day Walkway View from Kirby Quad View from

Cate Construction Projects April 2019 View from Day Walkway View from Kirby Quad View from

Cate Construction Projects April 2019 View from Day Walkway View from Kirby Quad View from Aquatic Center First Floor Entry courtyard Servery &amp; Kitchen Gallery Booth Commons Two fireplaces Accommodates 350 students

285 views • 17 slides
Parent View Summer Term 2015 Why is Parent View important? Parent View takes just a few

Parent View Summer Term 2015 Why is Parent View important? Parent View takes just a few

Parent View Summer Term 2015 Why is Parent View important? Parent View takes just a few minutes to complete Ofsted imposes no restrictions on its use in a group setting for example at a parents evening, where multiple users

416 views • 8 slides
Collaborative View Synthesis for Interactive Multi-view Video Streaming Fei Chen, Jiangchuan

Collaborative View Synthesis for Interactive Multi-view Video Streaming Fei Chen, Jiangchuan

Collaborative View Synthesis for Interactive Multi-view Video Streaming Fei Chen, Jiangchuan Liu, Yuan Zhao , Edith Cheuk-Han Ngai Outline Background System Description View Synthesis Collaboration Strategy View Synthesis

201 views • 17 slides
The Pilots View. 9th November 2017 Capt. Hywel Pugh Pilot Port Of London Pilots View. Tug

The Pilots View. 9th November 2017 Capt. Hywel Pugh Pilot Port Of London Pilots View. Tug

The Pilots View. 9th November 2017 Capt. Hywel Pugh Pilot Port Of London Pilots View. Tug Captains View. Quay View. Modern aids. Tablet or Lap top, navigation software and a interface for Position, Rate of Turn and AIS. Stand Alone

490 views • 22 slides
A View From The Top 1 VA Psychology in Central Office: A View From the Top 1 Charles

A View From The Top 1 VA Psychology in Central Office: A View From the Top 1 Charles

A View From The Top 1 VA Psychology in Central Office: A View From the Top 1 Charles A Stenger, PhD I. Introduction Perspective First I want to add a little more background to Rod Baker's earlier remarks. At the close of World War

188 views • 6 slides
Proposed Site Plan 33 Visualisation of the main entrance from Mansfield Road 34 View of the

Proposed Site Plan 33 Visualisation of the main entrance from Mansfield Road 34 View of the

Proposed Site Plan 33 Visualisation of the main entrance from Mansfield Road 34 View of the Porters Lodge in Winter 35 View of East Quad and existing Savile House 36 View of Main Quad 37 View of New Warham House 38 View of New College

196 views • 18 slides
http://www.writingwrocks.com/eportfolio/view/artefact.php?artefact=19132&amp;view=4623

http://www.writingwrocks.com/eportfolio/view/artefact.php?artefact=19132&amp;view=4623

http://www.writingwrocks.com/eportfolio/view/artefact.php?artefact=19132&amp;view=4623 http://www.writingwrocks.com/eportfolio/view/artefact.php?artefact=16954&amp;view=3069 What are the experiences of faculty who Gender Degree Years Division

911 views • 9 slides
Classes: Detailed View vs. Compact View (1) Drawing a Design Diagram using the Business Object

Classes: Detailed View vs. Compact View (1) Drawing a Design Diagram using the Business Object

Classes: Detailed View vs. Compact View (1) Drawing a Design Diagram using the Business Object Notation (BON) Detailed view shows a selection of: features (queries and/or commands) contracts (class invariant and feature

669 views • 7 slides
Patterns (view) SWEN-343 From Fowler, Patterns of Enterprise Application Architecture View

Patterns (view) SWEN-343 From Fowler, Patterns of Enterprise Application Architecture View

Web Presentation Patterns (view) SWEN-343 From Fowler, Patterns of Enterprise Application Architecture View Patterns Concerns How to construct a view (a web page) in response to application processing? How to generate the detailed HTML

464 views • 11 slides
Security Requirement and Implementation Solution for e-Gov System Chuan Liu

Security Requirement and Implementation Solution for e-Gov System Chuan Liu

Security Requirement and Implementation Solution for e-Gov System Chuan Liu liuchuan@tongtech.com TongTech Co., Ltd 2006-11 Agenda Introduction of E-Gov (Platform) Requirement of Identity Management &amp; Authorization

749 views • 21 slides
rt r r

rt r r

rt r r t r r tr rt r

820 views • 71 slides
Basic Communication Operations Ananth Grama, Anshul Gupta, George Karypis, and Vipin Kumar To

Basic Communication Operations Ananth Grama, Anshul Gupta, George Karypis, and Vipin Kumar To

Basic Communication Operations Ananth Grama, Anshul Gupta, George Karypis, and Vipin Kumar To accompany the text Introduction to Parallel Computing, Addison Wesley, 2003. Topic Overview One-to-All Broadcast and All-to-One Reduction

1.11k views • 71 slides
` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed

` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic { P } c { Q } ` http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed Systems Distributed Infrastructure Distributed

727 views • 70 slides
Typing Copyless Message Passing Viviana Bono Chiara Messa Luca Padovani Dipartimento di

Typing Copyless Message Passing Viviana Bono Chiara Messa Luca Padovani Dipartimento di

Typing Copyless Message Passing Viviana Bono Chiara Messa Luca Padovani Dipartimento di Informatica, Universit` a di Torino BTW 2011 Typing Copyless Message Passing (V. Bono) BTW 2011 1 / 25 Singularity OS: architecture Processes (SIPs)

806 views • 46 slides
Fast Data apps with Alpakka Kafka connector Sean Glover, Lightbend @seg1o Who am I? Im Sean

Fast Data apps with Alpakka Kafka connector Sean Glover, Lightbend @seg1o Who am I? Im Sean

Fast Data apps with Alpakka Kafka connector Sean Glover, Lightbend @seg1o Who am I? Im Sean Glover Senior Software Engineer at Lightbend Member of the Fast Data Platform team Organizer of Scala Toronto (scalator)

694 views • 58 slides
CORE SECURITY Breaking Out of VirtualBox through 3D Acceleration Francisco Falcon (@fdfalcon)

CORE SECURITY Breaking Out of VirtualBox through 3D Acceleration Francisco Falcon (@fdfalcon)

CORE SECURITY Breaking Out of VirtualBox through 3D Acceleration Francisco Falcon (@fdfalcon) REcon 2014 P A G E About me Exploit writer for Core Security. From Argentina. Interested in the usual stuff: reverse engineering,

1.17k views • 94 slides
COMP31212: Concurrency Topics 4.3: Message Passing Topic 4.3: Message Passing Outline Topic

COMP31212: Concurrency Topics 4.3: Message Passing Topic 4.3: Message Passing Outline Topic

Topic 4.3: Message Passing COMP31212: Concurrency Topics 4.3: Message Passing Topic 4.3: Message Passing Outline Topic 4.3: Message Passing Background Synchronous Message Passing Asynchronous Message Passing Channel Selection Topic 4.3:

382 views • 36 slides

More recommend