Finding vulnerabilities in .NET is something I quite enjoy; it generally meets my criteria of only looking for logic bugs. Probably the firs...| www.tiraniddo.dev
This week @decoder_it and @splinter_code disclosed a new way of abusing DCOM/RPC NTLM relay attacks to access remote servers. This relied on the fact that if you're logged in as a user on session 0 (such as through PowerShell remoting) and you call CoGetInstanceFromIStorage, the DCOM activator would create the object on the lowest interactive session rather than session 0. Once an object is created the initial unmarshal of the IStorage object would happen in the context of the user authe...| Tyranid's Lair
As part of updating NtApiDotNet to v1.1.28 I added support for Kerberos authentication tokens. To support this I needed to write the parsing code for Tickets. The majority of the Kerberos protocol uses ASN.1 encoding; however, some Microsoft-specific parts such as the Privileged Attribute Certificate (PAC) use Network Data Representation (NDR). This is due to these parts of the protocol being derived from the older NetLogon protocol, which uses MSRPC, which in turn uses NDR.
Continuing a theme from the last blog post, I think it's great that the two additional OBJECT_ATTRIBUTE flags were documented as a way of mitigating symbolic link attacks. While OBJ_IGNORE_IMPERSONATED_DEVICEMAP is pretty useful, the other flag, OBJ_DONT_REPARSE, isn't, at least not for protecting file system access.
A tweet by @jonasLyk reminded me of a bug I found in NTFS a few months back, which I've verified still exists in Windows 10 2004. As far as I can tell it's not directly usable to circumvent security, but it feels like a bug which could be used in a chain. NTFS is a good demonstration of how complex writing a FS driver is on Windows, so it's hardly surprising that so many weird edge cases pop up over time.
It's been a long time since I wrote a blog post about my old .NET vulnerabilities. I was playing around with some .NET code and found an issue when serializing delegates inside a CAS sandbox; I got a SerializationException thrown with the following text:
Extract from "Rainbow Dash and the Open Plan Office". This is an extract from my upcoming 29 chapter My Little Pony fanfic. Clearly I do no...
There's been plenty of recent discussion about Windows 11's Recall feature and how much of it is a garbage fire. Especially a discussion aro...
Recently, there's been some good research into further exploiting DCOM authentication that I initially reported to Microsoft almost 10 years ago. By inducing authentication through DCOM it can be relayed to a network service, such as Active Directory Certificate Services (ADCS), to elevate privileges and in some cases get domain administrator access.
This is a short blog post about an issue I encountered during some development work on my OleViewDotNet tool and how I resolved it. It might help others if they come across a similar problem, although I'm not sure if I took the best approach.
Like many Windows-related technologies, Active Directory uses a security descriptor and the access check process to determine what access a user has to parts of the directory. Each object in the directory contains an nTSecurityDescriptor attribute which stores the binary representation of the security descriptor. When a user accesses the object through LDAP, the remote user's token is used with the security descriptor to determine if they have the rights to perform the operation they're request...
When doing security research I regularly use my NtObjectManager PowerShell module to discover and call RPC servers on Windows. Typically I'll use the Get-RpcServer command, passing the name of a DLL or EXE file to extract the embedded RPC servers. I can then use the returned server objects to create a client to access the server and call its methods. A good blog post about how some of this works was written recently by blueclearjar.
* Caveats apply.
While it's not something I spend much time on, finding a new way to bypass UAC is always amusing. When reading through some of the features of the Rubeus tool I realised that there was a possible way of abusing Kerberos to bypass UAC, well on domain-joined systems at least. It's unclear if this has been documented before; this post seems to discuss something similar but relies on doing the UAC bypass from another system, whereas what I'm going to describe works locally. Even if it has been descri...
I was recently asked about this topic and so I thought it'd make sense to put it into a public blog post so that everyone can benefit. Windows 11 (and Windows Server 2022) has a new feature for tokens which allows the kernel to perform the normal LowBox access check, but if it fails, log the error rather than failing with access denied.
I did promise that I'd put out a blog post on how the Windows RPC filter works. Now that I've released my more general blog post on the Windows firewall I thought I'd come back to a shorter post about the RPC filter itself. If you don't know the context, the Windows firewall has the ability to restrict access to RPC interfaces. This is interesting due to the renewed interest in all things RPC, especially the PetitPotam trick. For example you can block any access to the EFSRPC interfaces using th...
The PetitPotam technique is still fresh in people's minds. While it's not directly an exploit, it's a useful step to get unauthenticated NTLM from a privileged account to forward to something like the AD CS Web Enrollment service to compromise a Windows domain. Interestingly, after Microsoft initially shrugged about fixing any of this, they went and released a fix, although it seems to be insufficient at the time of writing.
Based on my previous blog post I recently had a conversation with a friend and well-known Windows security researcher about token privilege...
I've been going through the various token privileges on Windows trying to find where they're used. One which looked interesting is SeTruste...
Following on from the previous blog post, if you can't map arbitrary SIDs to names to make displaying capabilities nicer what is the purpos...
I was digging into exactly how service SIDs are mapped back to a name when I came across the API LsaLookupManageSidNameMapping. Unsurprisi...
With the accelerated release schedule of Windows 10 it's common for new features to be regularly introduced. This is especially true of feat...
Sometimes you want to manually interact with a shell running a service account. Getting a working interactive shell for SYSTEM is pretty eas...
Background: The Windows Insider Preview build 26052 just shipped with a sudo command, I thought I'd just take a quick peek to see what it doe...
Back in February 2018 Microsoft released an interesting blog post (link) which introduced per-directory case-sensitive NTFS support. MS have been working on making support for WSL more robust, and interop between the Linux and Windows side of things started off a bit rocky. Of special concern was the different semantics between traditional Unix-like file systems and Windows NTFS.
Recently I was playing around with a service which was running under a full virtual service account rather than LOCAL SERVICE or NETWORK SE...
The Logon Session on Windows is tied to a single authenticated user with a single Token. However, for service accounts that's not really tr...
In the past few years there have been numerous exploits for service to system privilege escalation. Primarily they revolve around the fact that...