
Exploiting Windows COM/WinRT Services

Conference:  BlackHat USA 2021

2021-08-05

Summary

The presentation discusses vulnerabilities in the Silicon Thread Model and provides solutions for exploiting them.
  • The presentation highlights vulnerabilities related to the Cons 36 Constraint Safety and provides a spray approach for the Mobius COM enemy RT.
  • The presentation explains how to exploit the type confusion bug in the IHRML Document interface function.
  • The presentation discusses the vulnerability refund issue in the IWhatIsCustomProperty interface.
  • The presentation provides solutions for exploiting these vulnerabilities, including using a heap spray to achieve code execution and creating multiple IWhatIsCustomProperty objects to write arbitrary data.
The presentation explains how to exploit the type confusion bug in the IHRML Document interface function by using the read function, which copies 24 bytes of binary data into an unknown data array and uses the last 8 bytes as the returned object address. Because attackers fully control that object address, they can obtain code execution. To achieve this on an x64 system, an additional information-disclosure bug is needed to leak the location of the fake object.

Abstract

The Component Object Model (COM) and the Windows Runtime (WinRT) are widely used in Windows systems, typically for cross-process communication and in UWP applications. Both expose large attack surfaces for hunting LPE, RCE and sandbox escape vulnerabilities. In the past year, we have found more than 100 bugs in COM/WinRT services. We classify these vulnerabilities by type (UAF, OOB read/write, type confusion, arbitrary read/write). We'll share how we found these bugs and our exploit tricks for some of them.
