a view into alpc rpc
play

A view into ALPC-RPC UAC Advanced features & vulnerability - PowerPoint PPT Presentation

Jun 01, 2023 •49 likes •549 views

A view into ALPC-RPC Introduction ALPC RPC A view into ALPC-RPC UAC Advanced features & vulnerability research Clment Rouault & Thomas Imbert CVE-2017-11783 PacSec Conclusion November 2017 Clment Rouault & Thomas

  1. A view into ALPC-RPC Introduction ALPC RPC A view into ALPC-RPC UAC Advanced features & vulnerability research Clément Rouault & Thomas Imbert CVE-2017-11783 PacSec Conclusion November 2017 Clément Rouault & Thomas Imbert PacSec

  2. Agenda A view into ALPC-RPC Introduction ALPC RPC UAC ALPC Advanced features & vulnerability RPC research UAC CVE-2017-11783 Conclusion Advanced features & vulnerability research CVE-2017-11783 Clément Rouault & Thomas Imbert PacSec

  3. Agenda A view into ALPC-RPC Introduction ALPC RPC UAC Introduction 1 Advanced features & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  4. Where does this talk come from ? A view into ALPC-RPC Introduction ALPC User Account Control RPC We were curious about the UAC. UAC Advanced features Only API we found was ShellExecuteA & vulnerability research How to trigger the UAC manually ? CVE-2017-11783 We knew that UAC may be triggered by RPC Conclusion We knew that ALPC allows to perform RPC So let’s explore the RPC-over-ALPC ! Clément Rouault & Thomas Imbert PacSec

  5. Existing research A view into ALPC-RPC Introduction ALPC Talks RPC LPC & ALPC Interfaces - Recon 2008 - Thomas Garnier UAC Advanced features All about the ALPC, RPC, LPC, LRPC in your PC - & vulnerability research Syscan 2014 - Alex Ionescu CVE-2017-11783 ALPC Fuzzing Toolkit - HITB 2014 - Ben Nagy Conclusion Tool RpcView (Jean-Marie Borello, Julien Boutet, Jeremy Bouetard, Yoanne Girardin) Clément Rouault & Thomas Imbert PacSec

  6. Agenda A view into ALPC-RPC Introduction ALPC RPC UAC ALPC 2 Advanced features & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  7. Overview A view into ALPC-RPC Introduction ALPC ALPC RPC A dvanced L ocal P rocedure C all UAC Server listening on an ALPC Port Advanced features & vulnerability Client connecting to that port research CVE-2017-11783 ALPC Message Conclusion An ALPC message is composed of two parts PORT_MESSAGE : The header and data of the message ALPC_MESSAGE_ATTRIBUTES : Attributes header and data for advanced features Clément Rouault & Thomas Imbert PacSec

  8. PORT_MESSAGE A view into ALPC-RPC Introduction 0:000> dt -r combase!_PORT_MESSAGE +0x000 u1 ALPC +0x000 s1 RPC +0x000 DataLength : Int2B // Size of DATA without header UAC +0x002 TotalLength : Int2B // Size of header + DATA +0x000 Length : Uint4B Advanced features & vulnerability +0x004 u2 research +0x000 s2 CVE-2017-11783 +0x000 Type : Int2B // Message Type +0x002 DataInfoOffset : Int2B Conclusion +0x000 ZeroInit : Uint4B 0x008 ClientId : _CLIENT_ID +0x000 UniqueProcess : Ptr32 Void // Identify the client +0x004 UniqueThread : Ptr32 Void // Identify the client +0x008 DoNotUseThisField : Float +0x010 MessageId : Uint4B // Identify msg for reply +0x014 ClientViewSize : Uint4B +0x014 CallbackId : Uint4B Clément Rouault & Thomas Imbert PacSec

  9. APIs A view into ALPC-RPC Introduction Server ALPC NtAlpcCreatePort RPC UAC NtAlpcAcceptConnectPort Advanced features NtAlpcSendWaitReceivePort & vulnerability research TpCallbackSendAlpcMessageOnCompletion CVE-2017-11783 Used by rpcrt4.dll Conclusion Client NtAlpcConnectPort NtAlpcDisconnectPort NtAlpcSendWaitReceivePort Clément Rouault & Thomas Imbert PacSec

  10. Python implementation import windows # https://github.com/hakril/PythonForWindows A view into ALPC-RPC def alpc_server(): server = windows.alpc.AlpcServer(PORT_NAME) Introduction msg = server.recv() # Wait for a connection message assert msg.type & 0xfff == LPC_CONNECTION_REQUEST ALPC server.accept_connection(msg) RPC msg = server.recv() # Wait for a real message UAC print("[SERV] Received message: <{0}>".format(msg)) print("[SERV] Message data: <{0}>".format(msg.data)) Advanced features & vulnerability assert msg.type & 0xfff == LPC_REQUEST research msg.data = "REQUEST ’{0}’ DONE".format(msg.data) CVE-2017-11783 server.send(msg) # Reply as we kept the same MessageId Conclusion def alpc_client(): client = windows.alpc.AlpcClient(PORT_NAME) print("[CLIENT] Connected: {0}".format(client)) response = client.send_receive("Hello world !") print("[CLIENT] Response: <{0}>".format(response.data)) Clément Rouault & Thomas Imbert PacSec

  11. Agenda A view into ALPC-RPC Introduction ALPC RPC RPC Bind RPC 3 RPC call EpMapper RPC Bind UAC RPC call Advanced features EpMapper & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  12. Overview A view into ALPC-RPC Introduction R emote P rocedure C all ALPC RPC Server RPC Bind RPC call EpMapper One or many endpoints UAC One or many interfaces Advanced features & vulnerability Each interface has methods research CVE-2017-11783 Endpoints Conclusion ncacn_ip_tcp : IP + port ncacn_np : \pipe\my_endpoint ncalrpc : \RPC Control\my_alpc_port ... Clément Rouault & Thomas Imbert PacSec

  13. RpcView A view into ALPC-RPC Introduction ALPC RPC RPC Bind RPC call EpMapper UAC Advanced features & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  14. RPC call steps A view into ALPC-RPC Introduction ALPC RPC RPC Bind RPC call EpMapper UAC Advanced features & vulnerability research CVE-2017-11783 Conclusion Clément Rouault & Thomas Imbert PacSec

  15. RpcBindRequest A view into ALPC-RPC class ALPC_RPC_BIND(ctypes.Structure): Introduction _pack_ = 1 _fields_ = [ ALPC ("request_type", gdef.DWORD), RPC ("UNK1", gdef.DWORD), RPC Bind ("UNK2", gdef.DWORD), RPC call EpMapper ("target", gdef.RPC_IF_ID), # Interface GUID + Version UAC ("flags", gdef.DWORD), # Bind to NDR32 | NDR64 | ?? ("if_nb_ndr32", gdef.USHORT), # If number for NDR32 Advanced features ("if_nb_ndr64", gdef.USHORT), & vulnerability research ("if_nb_unkn", gdef.USHORT), ("PAD", gdef.USHORT), CVE-2017-11783 ("register_multiple_syntax", gdef.DWORD), Conclusion ("use_flow", gdef.DWORD), ("UNK5", gdef.DWORD), ("maybe_flow_id", gdef.DWORD), ("UNK7", gdef.DWORD), ("some_context_id", gdef.DWORD), ("UNK9", gdef.DWORD), ] Clément Rouault & Thomas Imbert PacSec

  16. Build a minimal request & reponse A view into ALPC-RPC request Introduction ALPC req = ALPC_RPC_BIND() RPC req.request_type = gdef.RPC_REQUEST_TYPE_BIND RPC Bind req.target = gdef.RPC_IF_ID(uuid, *syntaxversion) RPC call req.flags = gdef.BIND_IF_SYNTAX_NDR32 EpMapper req.if_nb_ndr32 = requested_if_nb UAC req.if_nb_ndr64 = 0 Advanced features req.if_nb_unkn = 0 & vulnerability req.register_multiple_syntax = False research CVE-2017-11783 Response Conclusion Also a ALPC_RPC_BIND request_type == RPC_RESPONSE_TYPE_BIND_OK(1) Some fields may change to reflect the request actually handled by the server Clément Rouault & Thomas Imbert PacSec

  17. RpcCall A view into ALPC-RPC class ALPC_RPC_CALL(ctypes.Structure): Introduction _pack_ = 1 _fields_ = [ ALPC ("request_type", gdef.DWORD), RPC ("UNK1", gdef.DWORD), RPC Bind ("flags",gdef.DWORD), RPC call EpMapper ("request_id", gdef.DWORD), UAC ("if_nb", gdef.DWORD), ("method_offset", gdef.DWORD), Advanced features ("UNK2", gdef.DWORD), & vulnerability research ("UNK3", gdef.DWORD), ("UNK4", gdef.DWORD), CVE-2017-11783 ("UNK5", gdef.DWORD), Conclusion ("UNK6", gdef.DWORD), ("UNK7", gdef.DWORD), ("UNK8", gdef.DWORD), ("UNK9", gdef.DWORD), ("UNK10", gdef.DWORD), ("UNK11", gdef.DWORD), ] Clément Rouault & Thomas Imbert PacSec

  18. Build a minimal RPC Call A view into ALPC-RPC Introduction ALPC RPC req = ALPC_RPC_CALL() RPC Bind req.request_type = gdef.RPC_REQUEST_TYPE_CALL RPC call req.flags = 0 EpMapper req.request_id = 0x11223344 UAC req.if_nb = interface_nb Advanced features req.method_offset = method_offset & vulnerability return buffer(req)[:] + params research CVE-2017-11783 A lot of fields are not identified yet Conclusion params is the marshalling of the method parameters Clément Rouault & Thomas Imbert PacSec

  19. N etwork D ata R epresentation (NDR) A view into ALPC-RPC N etwork D ata R epresentation (NDR) Introduction "The role of NDR is to provide a mapping of IDL ALPC data types onto octet streams" RPC RPC Bind Documented: http://pubs.opengroup.org/ RPC call EpMapper onlinepubs/9629399/chap14.htm UAC Advanced features Microsoft Transfert Syntax & vulnerability research 71710533-BEBA-4937-8319-B5DBEF9CCC36 v1.0 NDR CVE-2017-11783 Conclusion 8A885D04-1CEB-11C9-9FE8-08002B104860 v2.0 NDR64 B4537DA9-3D03-4F6B-B594-52B2874EE9D0 v1.0 ??? Please tell us if you find out this one :) We implemented part of NDR32 in Python for this project Clément Rouault & Thomas Imbert PacSec

Recommend

You can view your nodes* *And you can view your friends, but you cant view your friends

You can view your nodes* *And you can view your friends, but you cant view your friends

You can view your nodes* *And you can view your friends, but you cant view your friends nodes.** ** Well, yeah, you can, but you need more modules. Important note! This is a beginners intro to building Views. If you are already

955 views • 67 slides
IGES view on new market IGES view on new market- IGES view on new market IGES view on new market

IGES view on new market IGES view on new market- IGES view on new market IGES view on new market

Institute for Global Environmental Strategies Towards sustainable development - policy oriented, practical and strategic research on global environmental issues IGES view on new market IGES view on new market- IGES view on new market IGES view

164 views • 4 slides
View Volumes Canonical View Volumes Why Canonical View Volumes? University of British Columbia

View Volumes Canonical View Volumes Why Canonical View Volumes? University of British Columbia

View Volumes Canonical View Volumes Why Canonical View Volumes? University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2016 standardized viewing volume representation specifies field-of-view, used for clipping permits

52 views • 3 slides
Cumbernauld Academy Existing aerial view from west Site Plan Aerial view from South Aerial view

Cumbernauld Academy Existing aerial view from west Site Plan Aerial view from South Aerial view

Cumbernauld Academy Existing aerial view from west Site Plan Aerial view from South Aerial view from Kildrum Road Aerial view from western entrance View from southern playground View of school entrance View from site entrance View of

456 views • 18 slides
MICHELANGELO a different view MICHELANGELO a different view The exhibition allows visitors

MICHELANGELO a different view MICHELANGELO a different view The exhibition allows visitors

MICHELANGELO a different view MICHELANGELO a different view The exhibition allows visitors to view the paintings from a distance of only two meters with no time constraints. Numerous motifs were painted into the vaulted ceiling of the

586 views • 3 slides
101 iOS Container View Controllers Container View Controllers Display a view controller inside

101 iOS Container View Controllers Container View Controllers Display a view controller inside

101 iOS Container View Controllers Container View Controllers Display a view controller inside another view controller Great for reuse Great for decomposing Special segue: embed Set up with prepareForSegue View Hierarchy Tab Bar VC Main

544 views • 7 slides
Campsie View School 1 Campsie View at the Movies 2 Campsie View School 21 Teachers 34

Campsie View School 1 Campsie View at the Movies 2 Campsie View School 21 Teachers 34

Campsie View School 1 Campsie View at the Movies 2 Campsie View School 21 Teachers 34 Support Staff 78 Pupils Adam 3 High School Musical The Stars Nominated Oscar Winners Mason Eadie Quadriplegic Cerebral Palsy

569 views • 20 slides
Cate Construction Projects April 2019 View from Day Walkway View from Kirby Quad View from

Cate Construction Projects April 2019 View from Day Walkway View from Kirby Quad View from

Cate Construction Projects April 2019 View from Day Walkway View from Kirby Quad View from Aquatic Center First Floor Entry courtyard Servery &amp; Kitchen Gallery Booth Commons Two fireplaces Accommodates 350 students

285 views • 17 slides
Parent View Summer Term 2015 Why is Parent View important? Parent View takes just a few

Parent View Summer Term 2015 Why is Parent View important? Parent View takes just a few

Parent View Summer Term 2015 Why is Parent View important? Parent View takes just a few minutes to complete Ofsted imposes no restrictions on its use in a group setting for example at a parents evening, where multiple users

416 views • 8 slides
Collaborative View Synthesis for Interactive Multi-view Video Streaming Fei Chen, Jiangchuan

Collaborative View Synthesis for Interactive Multi-view Video Streaming Fei Chen, Jiangchuan

Collaborative View Synthesis for Interactive Multi-view Video Streaming Fei Chen, Jiangchuan Liu, Yuan Zhao , Edith Cheuk-Han Ngai Outline Background System Description View Synthesis Collaboration Strategy View Synthesis

201 views • 17 slides
The Pilots View. 9th November 2017 Capt. Hywel Pugh Pilot Port Of London Pilots View. Tug

The Pilots View. 9th November 2017 Capt. Hywel Pugh Pilot Port Of London Pilots View. Tug

The Pilots View. 9th November 2017 Capt. Hywel Pugh Pilot Port Of London Pilots View. Tug Captains View. Quay View. Modern aids. Tablet or Lap top, navigation software and a interface for Position, Rate of Turn and AIS. Stand Alone

490 views • 22 slides
A View From The Top 1 VA Psychology in Central Office: A View From the Top 1 Charles

A View From The Top 1 VA Psychology in Central Office: A View From the Top 1 Charles

A View From The Top 1 VA Psychology in Central Office: A View From the Top 1 Charles A Stenger, PhD I. Introduction Perspective First I want to add a little more background to Rod Baker's earlier remarks. At the close of World War

188 views • 6 slides
Proposed Site Plan 33 Visualisation of the main entrance from Mansfield Road 34 View of the

Proposed Site Plan 33 Visualisation of the main entrance from Mansfield Road 34 View of the

Proposed Site Plan 33 Visualisation of the main entrance from Mansfield Road 34 View of the Porters Lodge in Winter 35 View of East Quad and existing Savile House 36 View of Main Quad 37 View of New Warham House 38 View of New College

196 views • 18 slides
http://www.writingwrocks.com/eportfolio/view/artefact.php?artefact=19132&amp;view=4623

http://www.writingwrocks.com/eportfolio/view/artefact.php?artefact=19132&amp;view=4623

http://www.writingwrocks.com/eportfolio/view/artefact.php?artefact=19132&amp;view=4623 http://www.writingwrocks.com/eportfolio/view/artefact.php?artefact=16954&amp;view=3069 What are the experiences of faculty who Gender Degree Years Division

911 views • 9 slides
Classes: Detailed View vs. Compact View (1) Drawing a Design Diagram using the Business Object

Classes: Detailed View vs. Compact View (1) Drawing a Design Diagram using the Business Object

Classes: Detailed View vs. Compact View (1) Drawing a Design Diagram using the Business Object Notation (BON) Detailed view shows a selection of: features (queries and/or commands) contracts (class invariant and feature

669 views • 7 slides
Patterns (view) SWEN-343 From Fowler, Patterns of Enterprise Application Architecture View

Patterns (view) SWEN-343 From Fowler, Patterns of Enterprise Application Architecture View

Web Presentation Patterns (view) SWEN-343 From Fowler, Patterns of Enterprise Application Architecture View Patterns Concerns How to construct a view (a web page) in response to application processing? How to generate the detailed HTML

464 views • 11 slides
Model-view-controller View hierarchy

Model-view-controller View hierarchy

Model-view-controller View hierarchy Observer Fall 2004 6.831 UI Design and

436 views • 6 slides
The Mormon view of god, in contrast with the Christian view of God, part one AND Critical

The Mormon view of god, in contrast with the Christian view of God, part one AND Critical

What is the Mormon Church. . . . . really? The Mormon view of god, in contrast with the Christian view of God, part one AND Critical thinking, as an important skill for a disciple of Jesus Teacher, Yvon Prehn Check out the website:

145 views • 12 slides
Indiana, PA West View of IRMC Presentation Outline Southeast View of IRMC Introduction

Indiana, PA West View of IRMC Presentation Outline Southeast View of IRMC Introduction

West View of IRMC Southeast View of IRMC Structural Option Indiana Regional Medical Center Indiana, PA West View of IRMC Presentation Outline Southeast View of IRMC Introduction Existing Structure Thesis Goals Structural Depth Lighting

619 views • 25 slides
View from our house prior to TAG Oil Sarah Roberts View from our house TAG Oil at Cheal B

View from our house prior to TAG Oil Sarah Roberts View from our house TAG Oil at Cheal B

View from our house prior to TAG Oil Sarah Roberts View from our house TAG Oil at Cheal B (courtesy Pip Guthrie, The Listener, January 2012) The report notes while regular visual monitoring by council inspectors, and ad hoc sampling in

501 views • 22 slides
VTC Series video cart basic dimensions front view side view rear view monitor and camera

VTC Series video cart basic dimensions front view side view rear view monitor and camera

2 alldimensionsininchesunlessotherwisenoted[alldimensionsinbracketsareinmillimeters] VTC Series video cart basic dimensions front view side view rear view monitor and camera mounts A removed for

73 views • 6 slides
NEXT GENERATION SURROUND-VIEW FOR CARS MIGUEL SAINZ &amp; TIMO STICH, NVIDIA OVERVIEW What is

NEXT GENERATION SURROUND-VIEW FOR CARS MIGUEL SAINZ &amp; TIMO STICH, NVIDIA OVERVIEW What is

NEXT GENERATION SURROUND-VIEW FOR CARS MIGUEL SAINZ &amp; TIMO STICH, NVIDIA OVERVIEW What is Surround View? The Image Based Rendering Approach Visual Odometry Benefits Demo WHAT IS SURROUND VIEW? Multi-camera ADAS Virtual views Top view

513 views • 15 slides
Testing Qt Model-View Implementations Stephen Kelly July 2010 T esting Model-View

Testing Qt Model-View Implementations Stephen Kelly July 2010 T esting Model-View

Testing Qt Model-View Implementations Stephen Kelly July 2010 T esting Model-View Implementations Designing testable code High-level Model-View design T est-drivers and mock objects Unit test execution KDE ItemViews

268 views • 23 slides
Recognises your face and voice Kinect Adventures What the Kinect Sees top view side view

Recognises your face and voice Kinect Adventures What the Kinect Sees top view side view

D EPTH , H UMAN P OSE , AND C AMERA P OSE JAMIE SHOTTON Depth sensing camera Tracks 20 body joints in real time Recognises your face and voice Kinect Adventures What the Kinect Sees top view side view depth image (camera view)

1.01k views • 79 slides

More recommend