CVE-2017-0213: Exploiting Microsoft Windows COM Aggregate Marshaler

CVE-2017-0213 is a relatively obscure vulnerability of the COM Type Confusion category. Ingeniously exploiting this vulnerability can lead to local escalation of privileges.

This vulnerability was discovered by the renowned Google Project Zero.

However, the original description of the vulnerability might seem a bit cryptic, so let’s delve deeper into it.

The Vulnerability in Detail

CVE-2017-0213 is a Type Confusion flaw located in the Windows COM.

The vulnerability arises when COM doesn’t correctly enforce the layout of a structure.

This can lead to a type confusion situation wherein an object can be mistaken for another type, leading to an unexpected execution flow.

This results in the possibility of a malicious user escalating their privileges and executing arbitrary code in kernel mode.

With escalated privileges, these actors can potentially execute arbitrary code at a kernel level, which is the heart of the operating system. Executing code at this level can lead to full system compromise, as it allows for complete control over the machine, bypassing any security measures in place.

The crux of this issue lies in the COM’s inability to enforce structure layout accurately, leading to the system misinterpreting an object as a different type. This confusion between types is what opens the door to potential exploits and attacks.

Introduction to DCOM

This vulnerability involves DCOM or Distributed Component Object Model, which may be unfamiliar compared to COM or Component Object Model of Windows. DCOM is similar to CORBA, meaning the COM being called can exist on a remote host.

In the COM model, all COM interfaces must inherit the IUnknown interface. However, in the DCOM model, the interfaces corresponding to IUnknown are IRemunkown and IRemUnkown2 – two remote interfaces.

The problem with CVE-2017-0213 arises in the code of IRemUnknown2::RemQueryInterface2. This is a method that requests a pointer to a specified interface on an object.

If the object does not support the interface, it should fail gracefully. But due to a flaw in the implementation of IRemUnknown2::RemQueryInterface2, a type confusion situation can arise where one object can be mistaken for another type.

This leads to an unexpected execution flow, providing a potential avenue for the escalation of privileges and execution of arbitrary code.

Vulnerability Analysis

The issue with CVE-2017-0213 lies within the IRemUnknown2::RemQueryInterface2 code. The function CStdMarshal::Finish_RemQIAndUnmarshal2 is called to complete the return object Unmarshal.

For each MInterfacePointer pointer, the function CStdMarshal::UnmarshalInterface unmarshals it from the data in IStream.

The problem arises here as the unmarshal proxy is based on the OBJREF (IID) in the IStream data, not the IID specified in IRemUnknown2::RemQueryInterface2.

This lack of consistency check between OBJREF’s IID and the IID specified in IRemUnknown2::RemQueryInterface2 can cause type confusion.

The system fails to differentiate between different types of objects properly, which can lead to the execution flow deviating from the expected path.

Type confusion can have serious implications, including potential privilege escalation and arbitrary code execution. In essence, a malicious user could exploit this vulnerability to gain elevated privileges and control over the system.

Vulnerability Exploitation

Type confusion vulnerabilities can usually be exploited through memory corruption. However, the discoverer of the vulnerability did not use memory corruption for exploitation. Instead, they used a method based on LoadTypeLibrary.

If a COM interface is registered with PSOAInterface or PSDispatch, oleaut32.dll will search for the registered Type Library information. If found, it will call LoadTypeLibrary to load the Type Library. By injecting a Moniker containing a scriptlet into a Type Library file, any file can be executed.

To escalate privileges, the BITS service that runs at the SYSTEM Integrity Level is targeted. By calling IBackgroundCopyJob::SetNotifyInterface and passing in a carefully crafted COM interface, type confusion can be triggered, which then loads a Type Library.

Exploiting this flaw could allow an attacker to execute arbitrary code with elevated privileges.

The exploitation can be done without memory corruption, by using a method based on LoadTypeLibrary and injecting a scriptlet into a Type Library file to execute arbitrary files.

Proof-of-Concept (PoC) Usage

To exploit this vulnerability, an attacker would typically use a specially crafted executable file.

For instance, the file CVE-2017-0213_x64.exe has been known to be used in some cases. It can be downloaded from GitHub.

It’s important to note that this vulnerability on its own does not permit the execution of arbitrary code. However, when combined with one or more other vulnerabilities, such as a remote code execution vulnerability, it can be used to gain elevated privileges.

Upon successful execution, the attacker can check the privileges using the command whoami /priv. This will list the user’s current set of privileges, which would now include elevated ones if the exploit was successful.

Mitigation

Microsoft has addressed this vulnerability by amending how Windows COM Marshaler handles interface requests.

Users are encouraged to apply all available updates and patches to their systems to ensure they are protected against such vulnerabilities.

Conclusion

CVE-2017-0213 is a relatively obscure vulnerability, challenging to identify through fuzzing methods. Discovering such vulnerabilities generally requires deep familiarity with Windows code.

The approach to exploit the vulnerability is also ingenious.

From the discovery to the exploitation of this vulnerability, the discoverer’s expertise in the Windows operating system is evident.