With this information, we can connect to the interface by passing it to our client; a **binding handle** is then created and used to communicate with the interface.
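To make concrete what has to be handed to the client before a binding handle can be created, here is an added Python example (not code from the original post) that composes and parses RPC string bindings in the `ObjUuid@ProtSeq:NetworkAddr[Endpoint,Option]` format documented for the Windows `RpcStringBindingCompose`/`RpcStringBindingParse` APIs, covering the LRPC, named-pipe and TCP/UDP protocol sequences that come up later when mapping interfaces with RPCView. The function names, the `StringBinding` dataclass and the sample hostnames are constructed for this example; it does not create a real binding handle (on Windows that is `RpcBindingFromStringBinding`), and it deliberately does not handle backslash-escaped special characters.

```python
"""Compose and parse RPC string bindings (added example, not from the post).

Format (per Microsoft's RpcStringBindingCompose documentation):
    [ObjUuid@]ProtSeq:[NetworkAddr][ "[" Endpoint[,Option=Value...] "]" ]
Assumption: backslash escaping of special characters is not supported here,
so named-pipe endpoints such as \\pipe\\spoolss are taken literally.
"""
from dataclasses import dataclass, field
import re
import uuid

# Protocol sequences the parser accepts, with the transport each one uses.
KNOWN_PROTSEQS = {
    "ncalrpc": "LRPC (local only)",
    "ncacn_np": "named pipes over SMB",
    "ncacn_ip_tcp": "TCP/IP",
    "ncadg_ip_udp": "UDP/IP",
    "ncacn_http": "RPC over HTTP",
}

_BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9a-fA-F-]{36})@)?"   # optional object UUID
    r"(?P<protseq>[a-z_]+)"                # protocol sequence
    r":(?P<addr>[^\[]*)"                   # network address (may be empty)
    r"(?:\[(?P<inner>[^\]]*)\])?$"         # optional [endpoint,opt=val,...]
)


@dataclass
class StringBinding:
    protseq: str
    network_addr: str = ""
    endpoint: str = ""
    obj_uuid: str = ""
    options: dict = field(default_factory=dict)


def compose(b: StringBinding) -> str:
    """Build the textual binding from its parts (mirrors RpcStringBindingCompose)."""
    text = f"{b.obj_uuid}@" if b.obj_uuid else ""
    text += f"{b.protseq}:{b.network_addr}"
    inner = [b.endpoint] if b.endpoint else []
    inner += [f"{k}={v}" for k, v in b.options.items()]
    if inner:
        text += "[" + ",".join(inner) + "]"
    return text


def parse(text: str) -> StringBinding:
    """Split a string binding into its parts, rejecting malformed input."""
    m = _BINDING_RE.match(text)
    if not m:
        raise ValueError(f"malformed string binding: {text!r}")
    protseq = m.group("protseq")
    if protseq not in KNOWN_PROTSEQS:
        raise ValueError(f"unknown protocol sequence: {protseq!r}")
    obj_uuid = m.group("uuid") or ""
    if obj_uuid:
        uuid.UUID(obj_uuid)  # raises ValueError if the UUID is not valid
    addr = m.group("addr")
    if protseq == "ncalrpc" and addr:
        raise ValueError("ncalrpc bindings are local and carry no network address")
    endpoint, options = "", {}
    inner = m.group("inner")
    if inner:
        for i, part in enumerate(inner.split(",")):
            if i == 0 and "=" not in part:
                endpoint = part          # first bracket item without '=' is the endpoint
            elif "=" in part:
                key, value = part.split("=", 1)
                options[key] = value     # remaining items are Option=Value pairs
            else:
                raise ValueError(f"unexpected bracket item: {part!r}")
    return StringBinding(protseq, addr, endpoint, obj_uuid, options)


def reachable_over_network(b: StringBinding) -> bool:
    """True for protocol sequences that expose the interface to remote callers.

    Useful when triaging RPCView output: an interface only registered on
    ncalrpc is a local attack surface, the others are remote attack surface.
    """
    return b.protseq != "ncalrpc"


if __name__ == "__main__":
    # Constructed sample bindings; hostnames are placeholders.
    samples = [
        r"ncacn_np:dc01[\pipe\spoolss]",
        "ncacn_ip_tcp:10.0.0.5[135]",
        "ncalrpc:[LRPC-sample-endpoint]",
    ]
    for s in samples:
        b = parse(s)
        print(f"{s:40} transport={KNOWN_PROTSEQS[b.protseq]:22} "
              f"remote={reachable_over_network(b)}")
```

When reviewing an endpoint map, the parts that matter are the protocol sequence (local versus remote reachability), the endpoint (which pipe or port the interface listens on) and the interface UUID; the example's `parse` makes each of these available by name so they can be compared against what RPCView reports.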
History of RPC vulnerabilities
RPC interfaces have been the source of many vulnerabilities in Windows over the years. Here are some well-known bugs that have been found somewhat recently:
– CVE-2022-26809: A heap buffer overflow in rpcrt4.dll leading to RCE
– PetitPotam: A coercion bug in the MS-EFSR interface
– PrintNightmare: A bug that gives attackers RCE by setting an arbitrary printer driver via RPC procedures.
CVE-2022-26809 is a critical remote code execution vulnerability in the Remote Procedure Call Runtime Library. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system.
PetitPotam is a vulnerability that allows attackers to take over Windows domains and servers by abusing the MS-EFSRPC protocol. This protocol is used by Windows for encrypting files on disk; its coercion bugs can be abused to capture machine account hashes, which can then be used in NTLM relay attacks for movement across a network.
PrintNightmare is a vulnerability that allows attackers to execute code remotely with SYSTEM privileges by abusing the Windows Print Spooler service. This service is used for managing print jobs on Windows systems and can be abused by attackers to gain access to sensitive data and execute commands with high privileges.
There are multiple workflows and setups for hunting vulnerabilities in RPC interfaces. Throughout this section, one method will be explained, which we considered to be the fastest. However, we found that deviating and using different tools in different situations was sometimes a better option than sticking to a strict toolset.
In order to find vulnerabilities with a realistic impact, a realistic environment was necessary. In our case, we used a minimalistic Snaplabs template that included:
– Windows Domain Controller
– Kali host on the internal network
– Windows Server 2019
All hosts were fully up to date and in their default configuration. Additionally, a few domain users with different privileges were created. This specific Snaplabs template also incorporated simulated user activity, which was convenient: it created the processes one would expect in a real network, expanding the attack surface and giving us more to explore.
The next step was to set up the tooling. Several tools were used during the research.
First, RPCView was used to understand which interfaces were exposed by which processes and which protocols these interfaces used to transfer data (LRPC, TCP/UDP, named pipes). For a reference on how to set RPCView up, refer to itm4n’s blog post in the references section. The most important part of the setup is to ensure that the symbols for all the Windows DLLs are loaded. As a quick summary of how to set up RPCView:
1) Download RPCView
2) Download and Install the Windows 10 SDK
3) In PowerShell, run: