Slide 1

Abusing Insecure WCF Endpoints

Slide 2

# whoami
• Fabius Watson (@FabiusArtrel)
• Security Research Manager @VerSprite
• Interested in reverse engineering, vulnerability research, exploit development, and post-exploitation tactics.
• Former SOC Analyst
• Super 1337 #certified h4x0r: OSCP, OSCE, GXPN

Slide 3

Agenda
• High-level overview of WCF architecture
• Exploring WCF target enumeration
• WCF endpoint analysis workflow
• Abuse cases for insecure WCF endpoints
• DEMOS!

Slide 4

Motivation
• During an audit of Windows VPN software, VerSprite learned that several VPN solutions included .NET services.
• We noticed a trend among these services of dangerous method exposure through insecure WCF endpoints.
• Most of these services were started automatically as “LocalSystem”, which is the highest user privilege level available.
• Therefore, we investigated the possible abuse of insecure WCF endpoints through the use of privileged service methods.

Slide 5

What is WCF?
• Windows Communication Foundation (WCF) is a framework created by Microsoft for building service-oriented applications.
• Previously codenamed “Indigo” (2000 – 2005)
• A set of .NET Framework APIs that simplify inter-process communication for developers
• Supports TCP, HTTP, HTTPS, named pipes, PNRP, MSMQ, and custom protocols
• WCF clients connect to WCF services via Endpoints
• WCF services perform operations on behalf of WCF clients

Slide 6

The ABC of WCF

Slide 7

The ABC of WCF
• Address
• Binding
• Contract

Slide 8

The ABC of WCF
• Address – An endpoint address is a unique URI used to represent the address of a WCF service.
• Example: http://www.fabrikam.com:322/mathservice.svc/secureEndpoint
  • Scheme: http:
  • Machine: www.fabrikam.com
  • Port: 322
  • Path: /mathservice.svc/secureEndpoint
https://docs.microsoft.com/en-us/dotnet/framework/wcf/specifying-an-endpoint-address

Slide 9

The ABC of WCF
• Binding – Endpoint bindings define the accepted transport protocol and encoding scheme, and may be used to configure transport security.
• System-provided Bindings: see https://docs.microsoft.com/en-us/dotnet/framework/wcf/system-provided-bindings

Slide 10

The ABC of WCF
• Contract – Service and Operation Contracts define the services and methods exposed by an endpoint.
• Service Contracts are identifiable by the ServiceContractAttribute attribute, and Operation Contracts by the OperationContractAttribute attribute.
• Example:

    [ServiceContractAttribute]
    public interface IMyContract
    {
        [OperationContractAttribute]
        void PopulateData(ref CustomDataType data);   // interface members carry no access modifier
    }

https://docs.microsoft.com/en-us/dotnet/framework/wcf/designing-service-contracts

Slide 11

WCF Target Enumeration

Slide 12

Local WCF Target Enumeration
➢ Identifying .NET services that start as “LocalSystem”
• The Service Control utility, “Sc.exe”, may be used to query service information and configuration details.
• This may reveal services that start as “LocalSystem”, but there is a better way!

Slide 13

Local WCF Target Enumeration
➢ Identifying .NET services that start as “LocalSystem”
• The WMI command-line (WMIC) utility may be used to query for all running services that start as “LocalSystem”.
• We may filter out “svchost.exe”, as it is not used by .NET services.
• This approach still fails to confirm that results are .NET assemblies ☹

Slide 14

Local WCF Target Enumeration
➢ Identifying .NET services that start as “LocalSystem”
• The Microsoft Common Object Runtime Execution Engine, “mscoree.dll”, is a key dependency for .NET applications.
• We can search for the string “mscoree.dll” in service binaries using “wmic”, “findstr”, and a FOR loop.
• This quick and dirty approach is still prone to false positives ☹

Slide 15

Local WCF Target Enumeration
➢ Identifying .NET services that start as “LocalSystem”
• We wrote a Python script that uses “pefile” to check the import table of each service binary for “mscoree.dll”.
• This approach successfully identifies .NET services that start as “LocalSystem”.
https://github.com/VerSprite/research/blob/master/projects/wcf/dotNetServiceHunter.py

Slide 16

Local WCF Target Enumeration
➢ Identifying .NET services that start as “LocalSystem”
• The Sysinternals tool “Process Explorer” may be used to visually identify privileged .NET applications.
• The “Configure Color” option may be used to identify .NET processes. This is useful for finding potential targets at a glance.
• The yellow background indicates that this is a .NET process.
• SYSTEM .NET processes are usually Windows services.
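The five slides above are one procedure: find Win32 services that start as LocalSystem, drop svchost.exe, and confirm the binary is managed code. The following is an added example written for this page, not code from the talk and not VerSprite’s dotNetServiceHunter.py; it performs the same inventory from C#, the language of the services under discussion, so a defender can list the high-privilege managed services on a host for review. It reads the Services registry key that sc.exe and wmic query, keeps Win32 services whose ObjectName is LocalSystem (a missing ObjectName also means LocalSystem), skips svchost.exe as on slide 13, and decides whether a binary is managed by asking the CLR to read its assembly name rather than grepping for “mscoree.dll”, which avoids the false positives noted on slide 14. The class and method names are my own; it must run on Windows with read access to HKLM\SYSTEM\CurrentControlSet\Services and to the service binaries.

```csharp
// Added example (not from the talk or dotNetServiceHunter.py): inventory of
// Windows services configured to run as LocalSystem whose binary is a managed
// (.NET) assembly. Names are illustrative.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Text.RegularExpressions;
using Microsoft.Win32;

static class DotNetServiceInventory
{
    const string ServicesKey = @"SYSTEM\CurrentControlSet\Services";

    // Recover the executable from an ImagePath such as
    //   "C:\Program Files\Vendor\Agent.exe" -service
    // or C:\Windows\system32\svchost.exe -k netsvcs. Returns null if none found.
    static string ExtractBinaryPath(string imagePath)
    {
        if (string.IsNullOrWhiteSpace(imagePath)) return null;
        string expanded = Environment.ExpandEnvironmentVariables(imagePath.Trim());
        if (expanded.StartsWith("\""))
        {
            int end = expanded.IndexOf('"', 1);
            return end > 1 ? expanded.Substring(1, end - 1) : null;
        }
        // Unquoted path: take everything up to the first ".exe".
        Match m = Regex.Match(expanded, @"^(.+?\.exe)", RegexOptions.IgnoreCase);
        return m.Success ? m.Groups[1].Value : null;
    }

    // GetAssemblyName only reads CLR metadata; a native PE throws
    // BadImageFormatException, so this replaces the "mscoree.dll" string search.
    static bool IsManagedAssembly(string path)
    {
        try { AssemblyName.GetAssemblyName(path); return true; }
        catch (BadImageFormatException) { return false; }   // native image
        catch (IOException) { return false; }               // missing or unreadable file
        catch (UnauthorizedAccessException) { return false; }
    }

    // Returns "ServiceName -> binary" for every LocalSystem .NET service.
    public static List<string> FindLocalSystemDotNetServices()
    {
        var results = new List<string>();
        using (RegistryKey services = Registry.LocalMachine.OpenSubKey(ServicesKey))
        {
            if (services == null) return results;
            foreach (string name in services.GetSubKeyNames())
            {
                using (RegistryKey svc = services.OpenSubKey(name))
                {
                    if (svc == null) continue;
                    // Type 0x10 = own process, 0x20 = shared process; anything else is a driver.
                    int type = (svc.GetValue("Type") as int?) ?? 0;
                    if ((type & 0x30) == 0) continue;
                    // No ObjectName value means the service runs as LocalSystem.
                    string account = (svc.GetValue("ObjectName") as string) ?? "LocalSystem";
                    if (!account.Equals("LocalSystem", StringComparison.OrdinalIgnoreCase)) continue;
                    string binary = ExtractBinaryPath(svc.GetValue("ImagePath") as string);
                    if (binary == null) continue;
                    // svchost.exe hosts native service DLLs, never a .NET service (slide 13).
                    if (Path.GetFileName(binary).Equals("svchost.exe", StringComparison.OrdinalIgnoreCase)) continue;
                    if (IsManagedAssembly(binary)) results.Add(name + " -> " + binary);
                }
            }
        }
        return results;
    }

    static void Main()
    {
        foreach (string line in FindLocalSystemDotNetServices())
            Console.WriteLine(line);
    }
}
```

Each hit is a candidate for the System.ServiceModel check on slide 21; the list is also what an administrator should compare against the “Run as LocalService instead of LocalSystem” mitigation later in the talk, since every entry runs with the highest local privilege.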

Slide 17

Searching Online for WCF Targets
• Search for applications similar to those known to use WCF
• Search for “.NET service” or “.NET agent” and analyze results
• Search for applications associated with WCF error messages, for example:
  “There was no endpoint listening at {0} that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.”

Slide 18

Analyzing “VulnWCFService”

Slide 19

VulnWCFService
• VulnWCFService is a very simple WCF service that we wrote to demonstrate the analysis and exploitation of an insecure endpoint.
• Its implementation is modeled after several WCF services that we’ve come across in our research.
• https://github.com/VerSprite/research/tree/master/projects/wcf/VulnWCFService

Slide 20

.NET Decompilation
• We begin by decompiling VulnWCFService with “dnSpy”.
• dnSpy is an open-source debugger and .NET assembly editor that leverages the “ILSpy” decompiler engine.

Slide 21

System.ServiceModel
• The “References” node lists the application’s dependencies.
• The “System.ServiceModel” reference is required to build WCF applications.
➢ If a .NET service or one of its references does not include System.ServiceModel, it does not use WCF.

Slide 22

VulnWCFService Components (dnSpy assembly tree nodes)
• This node refers to the “VulnWCFService” namespace.
• This node references an interface named “IVulnService”.
• This node references a class named “VulnService”. This class implements IVulnService.
• This node references a class named “VulnWCFService”. This contains the “Main” method.

Slide 23

The Service Contract – IVulnService
• The ServiceContract attribute exposes the IVulnService interface as a service contract.
• The OperationContract attribute exposes “RunMe” as a contract method.

Slide 24

Contract Implementation – VulnService
• VulnService implements the IVulnService service contract.
• The “RunMe” method appends a client-supplied string to a command line argument for “CMD.exe”.

Slide 25

VulnWCFService – Main class
• The “System.ServiceProcess” namespace is used to implement a Windows service.
• The service name is defined as “VulnWCFService”.
• When a Windows service is started, the OnStart method is called.

Slide 26

VulnWCFService – Main class
• baseAddress defines the service’s endpoint address.
  • Scheme: “net.pipe”
  • Machine Name: localhost
  • Port: N/A
  • Path: “/vulnservice/runme”
• A ServiceHost is created using our Contract and Address.
• binding is defined as a NetNamedPipeBinding.

Slide 27

VulnWCFService – Main class
• The AddServiceEndpoint method is used to prepare the WCF endpoint for deployment.
• The endpoint Address, endpoint Binding, and Service Contract are consumed to deploy the endpoint.
• Identify calls to this method when analyzing WCF services!

Slide 28

Building a WCF Client

Slide 29

Leveraging Proxy Libraries
• WCF clients often reference one or more Proxy Libraries that include Service Contract definitions and all required types.
• It may be possible to reference this shared assembly in order to easily communicate with the associated WCF service.
• This may greatly reduce the amount of time required to build a client application!

Slide 30

ServiceModel Metadata Utility Tool
• Code for a WCF proxy may be created automatically using the ServiceModel Metadata Utility Tool (Svcutil.exe).
• Metadata is consumed to generate code for a WCF proxy.
• Services do not publish metadata by default; however, “svcutil.exe” may generate metadata from service binaries.

Slide 31

Building “EvilWCFClient”
• It remains possible to build a WCF client without a proxy library or metadata.
• We may use the information disclosed through static code analysis to communicate with “VulnWCFService”.
• Very little C# knowledge is required to develop a simple WCF client. (Thanks Microsoft!)

Slide 32

“EvilWCFClient” – Requirements
• As with WCF services, our client must reference “System.ServiceModel”.
• If no proxy library is available for us to reference, then we must define our Service Contract within the client code.

Slide 33

“EvilWCFClient” – WCF Channels
• Channels are used to send and receive Message objects through the WCF channel stack, which is like a pipeline for WCF messages.
• A Channel Factory is built using the endpoint Address, endpoint Binding, and Service Contract of the target service.
• A ServiceChannelProxy is created by calling CreateChannel. This may be used to call the remote operations defined within the service contract.

Slide 34

“EvilWCFClient” – Abusing “RunMe”
• Using our ServiceChannelProxy named “client”, we may call the service’s “RunMe” method. We use this to execute “calc.exe”.
• Using Process Explorer, we can see that “calc.exe” is spawned as “NT AUTHORITY\SYSTEM”.
That’s it! Now let’s look at real software.

Slide 35

Real World Vulnerabilities

Slide 36

CVE-2018-10169 (ProtonVPN)
• ProtonVPN 1.3.3 for Windows suffers from a SYSTEM privilege escalation vulnerability through the “ProtonVPN Service” service.
• This service establishes a NetNamedPipe endpoint that allows clients to connect and call publicly exposed methods.
• The Connect method accepts a class instance argument that provides attacker control of the OpenVPN command line.
• An attacker can specify a DLL plugin that should run for every new VPN connection attempt. This plugin will execute code in the context of the SYSTEM user.
CVSS Score: 9.8

Slide 37

CVE-2018-10169 – Discovery
• ProtonVPN offers a “Free limited” subscription to their VPN service.
• After installing ProtonVPN, we were able to identify the service binary using “sc.exe”.

Slide 38

CVE-2018-10169 – Analysis
• We begin our analysis by decompiling the service binary.
• The “ServiceProxy” reference is likely to be a proxy library.
• The “System.ServiceModel” reference suggests the use of WCF.

Slide 39

CVE-2018-10169 – Analysis
• Using dnSpy’s Analyzer, we can find each use of System.ServiceModel.ServiceHost.AddServiceEndpoint.
• The ProtonVPN.Service.ServiceHosts namespace of “ProtonVPNService.exe” uses this method in two classes.

Slide 40

CVE-2018-10169 – Analysis
• VpnConnectionManagerProxyHostFactory.Create() calls AddServiceEndpoint with the following configuration:
  • Address: net.pipe://localhost/protonvpn-service/ConnectionManager
  • Binding: NetNamedPipeBinding
  • Contract: “IVpnConnectionManagerProxy”

Slide 41

CVE-2018-10169 – Analysis
• IVpnConnectionManagerProxy is defined in the ServiceProxy reference.
• A DuplexChannel is required, as this Service Contract includes a Callback Contract.
• A ServerConnectionProxy argument is required by the Connect method.

Slide 42

CVE-2018-10169 – Analysis
• The ServerConnectionProxy class is used by ProtonVPN to store VPN server configuration details.
• We control the values of the class instance we choose to pass to the service, including the OvpnConfigPath parameter.
• OpenVPN’s “plugin” option may be abused to load arbitrary DLLs.

Slide 43

CVE-2018-10169 – Exploitation
• To begin writing our exploit client, we add references to the service’s proxy library.

Slide 44

CVE-2018-10169 – Exploitation
• Next, we create a DuplexChannelFactory using the service’s endpoint Address, endpoint Binding, and Service Contract.
• We use a dummy implementation of VpnEventsCallback autogenerated by Visual Studio.
• Finally, we call CreateChannel to return a ServiceChannelProxy.

Slide 45

CVE-2018-10169 – Exploitation
• I wrote a DLL payload named “OpenVPN_PoC.dll” that includes code in DllMain to start a bind shell listener on port 4444.
• After adding the “plugin” option to our config file, we set its path as the OvpnConfigPath of our ServerConnectionProxy.

Slide 46

CVE-2018-10169 – Exploitation
• Finally, we call the “Connect” method using our ServerConnectionProxy to trigger the vulnerability.
• We use the .NET TcpClient class to connect to the listener.

Slide 47

DEMO - CVE-2018-10169 (ProtonVPN)

Slide 48

Birds of a feather…
• CVE-2018-10170 (NordVPN) – CVSS: 9.8
• CVE-2018-10645 (VyprVPN) – CVSS: 7.8
• CVE-2018-10381 (TunnelBear) – CVSS: 9.8
• CVE-2018-10646 (CG6) – CVSS: 7.8

Slide 49

CVE-2018-13101 (KioskSimple)
• KioskSimpleService.exe in RedSwimmer KioskSimple 1.4.7.0 suffers from a privilege escalation vulnerability in the WCF endpoint.
• The exposed methods allow read and write access to the Windows registry and control of services.
• These methods may be abused to achieve privilege escalation via execution of attacker-controlled binaries.
CVSS Score: 9.8

Slide 50

KioskSimple – Analysis
• Decompiling the service binary with dnSpy revealed the code to be obfuscated.
• Metadata revealed the hint: “Powered by SmartAssembly 6.11.1.354”

Slide 51

KioskSimple – Analysis
• Searching for “SmartAssembly deobfuscator” quickly revealed the tool de4dot, which was quick and easy to use.

Slide 52

KioskSimple – Analysis
• Following deobfuscation, we load the “cleaned” binary into dnSpy.
• dnSpy’s Analyzer reveals that the AddServiceEndpoint method is used in namespace 0, class 0, method 0 of “KioskSimpleService”.

Slide 53

KioskSimple – Analysis
• Reviewing this call quickly reveals the service’s endpoint Address, endpoint Binding, and Service Contract.
  • Address: net.pipe://localhost/KioskSimple/PipeRegistry
  • Binding: NetNamedPipeBinding
  • Contract: “IRegistryService”

Slide 54

KioskSimple – Analysis
• There are several interesting methods exposed by RegistryService:
  • ChangeLocalMachineRegistryValue
  • StartService
  • StopService
• These methods may be abused to elevate privileges on the local machine.

Slide 55

KioskSimple – Exploitation
• Attack Plan:
  • Populate our target service’s “ImagePath” key with a target application using ChangeLocalMachineRegistryValue
  • Call StopService to stop our target service if it is already running
  • Call StartService to start our target service, executing our application as SYSTEM
• Parameters must be TripleDES encrypted and base64 encoded ☹
• Thankfully, the key is hardcoded into the application

Slide 56

KioskSimple – Exploitation
• After referencing KioskSimple’s cryptographic library, we may use the “Encryptor” class to encrypt each of our argument values.

Slide 57

DEMO - CVE-2018-13101 (KioskSimple)

Slide 58

WCF RCE 0-day
• Using the techniques discussed throughout this presentation, we discovered a WCF RCE 0-day in a popular commercial bandwidth performance and fault management application.
• This service exposes an insecure remote endpoint using the NetTcpBinding.
• I managed to find this 0-day while preparing for Ekoparty.
• Follow @VerSprite on Twitter for release details.

Slide 59

WCF RCE 0-day – Analysis
• One of the service’s many WCF endpoints exposes a method named “InvokeActionMethod”.
• One of the Action Methods defined is named… “ExecuteExternalProgram”

Slide 60

WCF RCE 0-day – Analysis
• The service requires password-authenticated transport …
• However, the password is simply a hash of the username.

Slide 61

WCF RCE 0-day – Exploitation
• This vulnerability is essentially a remote variant of the “RunMe” method in “VulnWCFService”.
• I decided to exploit this method with a PowerShell reverse shell.

Slide 62

DEMO – WCF RCE 0-day

Slide 63

Mitigations?
• Avoid exposing potentially dangerous operations
• Securely program any operations exposed
• Require proper endpoint authentication
• Run as LocalService instead of LocalSystem
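The following is an added example written for this page; it is not code from the talk or from the VulnWCFService repository. It places the “RunMe” pattern analysed on slide 24 next to a .NET Framework service that applies the four mitigations above: the dangerous operation is gone, the replacement operation validates its only argument against an allowlist instead of building a command line, the named-pipe endpoint demands a Windows group of the authenticated caller, and the installer runs the service as LocalService. The contract, class, pipe and service names (IConfigService, ConfigService, net.pipe://localhost/configservice) are my own; the project needs references to System.ServiceModel, System.ServiceProcess and System.Configuration.Install.

```csharp
// Added example (not the talk's or VulnWCFService's code): the RunMe pattern the
// talk describes, and a hardened service applying the mitigations slide.
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceProcess;

// --- The pattern the talk warns about (for contrast only) --------------------
[ServiceContract]
public interface IVulnService
{
    [OperationContract]
    void RunMe(string command);
}

public class VulnService : IVulnService
{
    // Any local user who can open the pipe runs "cmd.exe /c <command>" as the
    // service account; under a LocalSystem host that is a SYSTEM process.
    public void RunMe(string command)
    {
        Process.Start("cmd.exe", "/c " + command);
    }
}

// --- Hardened form -------------------------------------------------------------
[ServiceContract]
public interface IConfigService
{
    // Mitigation 1: expose a narrow, fixed-purpose operation, not a shell.
    [OperationContract]
    bool SetLogLevel(string level);
}

public class ConfigService : IConfigService
{
    static readonly string[] AllowedLevels = { "Error", "Warning", "Info" };

    // Mitigation 3: NetNamedPipeBinding already authenticates the caller with
    // Windows credentials; this demand additionally refuses callers outside the
    // local Administrators group with SecurityAccessDeniedException before the
    // method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
    public bool SetLogLevel(string level)
    {
        // Mitigation 2: validate the client-supplied value; never pass it to a process.
        if (Array.IndexOf(AllowedLevels, level) < 0) return false;
        Trace.WriteLine("log level set to " + level);
        return true;
    }
}

public static class ConfigServiceHost
{
    // Called from the Windows service's OnStart; returns the open host.
    public static ServiceHost Start()
    {
        var host = new ServiceHost(typeof(ConfigService),
                                   new Uri("net.pipe://localhost/configservice"));
        var binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
        host.AddServiceEndpoint(typeof(IConfigService), binding, "setloglevel");

        // Role checks above resolve against the caller's Windows groups
        // (the default, stated here so a config change cannot silently relax it).
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        host.Open();
        return host;
    }
}

// Mitigation 4: install the service as LocalService rather than LocalSystem, so
// a flaw in the checks above does not hand out a SYSTEM token.
[RunInstaller(true)]
public class ConfigServiceInstaller : Installer
{
    public ConfigServiceInstaller()
    {
        var process = new ServiceProcessInstaller { Account = ServiceAccount.LocalService };
        var service = new ServiceInstaller { ServiceName = "ConfigService" };
        Installers.Add(process);
        Installers.Add(service);
    }
}
```

Two caveats a reviewer would raise: the PrincipalPermission demand is a per-call check, so any local user can still open the pipe and is refused only after the transport has authenticated them, which is why the operation itself must also be safe; and the same demand (or a ServiceAuthorizationManager) applies unchanged to a NetTcpBinding endpoint like the one in the 0-day, where an authentication scheme that derives the password from the username provides no caller identity worth checking.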

Slide 64

Conclusion
• WCF Endpoint Abuse is a very ripe vulnerability class.
• It’s easy to analyze; managed code is simple to decompile.
• It is easy to exploit; there’s no memory corruption involved.
• Hunt for WCF Endpoint Abuse Vulns!
