Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in an MS-RPC Service

Presented at DEF CON 30 (2022), Aug. 13, 2022, 1 p.m. (45 minutes)

MS-RPC is Microsoft's implementation of the Remote Procedure Calls protocol. Even though the protocol is extremely widespread, and serves as the basis for nearly all Windows services on both managed and unmanaged networks, little has been published about MS-RPC, its attack surface and design flaws.

In this talk, we will walkthrough and demonstrate a 0-day RCE vulnerability which we discovered through our research of MS-RPC. When exploited, this vulnerability allows an attacker to execute code remotely and potentially take over the Domain Controller. We believe this vulnerability may belong to a somewhat novel bug-class which is unique to RPC server implementations, and would like to share this idea as a possible research direction with the audience.

To aid future research into the topic of MS-RPC, we will share a deep, technical overview of the RPC system in Windows, explain why we decided to target it, and point out several design flaws. We will also outline the methodology we developed around RPC as a research target along with some tools we built to facilitate the bug-hunting process.

Presenters:

• Ophir Harpaz - Senior Security Research Team Lead, Akamai
  Ophir Harpaz is a security research team lead in Akamai, where she manages research projects around OS internals, exploitation and malware analysis. Ophir has spoken in various security conferences including Black Hat USA, Botconf, SEC-T, HackFest and more. As an active member in Baot - a community for women engineers - she has taught a reverse-engineering workshop (https://begin.re) to share her enthusiasm for reversing. Ophir has entered Forbes' list of 30-under-30 and won the Rising Star category of SC Magazine's Reboot awards for her achievements and contribution to the Cyber security industry.
• Ben Barnea - Senior Security Researcher, Akamai
  Ben Barnea is a security researcher at Akamai with interest and experience conducting low-level security research and vulnerability research across various architectures - Windows, Linux, IoT and mobile. He likes learning how complex mechanisms work and most importantly, how they fail.

Links:

• https://forum.defcon.org/node/241930
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Ben Barnea, Ophir Harpaz - Exploring Ancient Ruins to Find Modern Bugs - Discovering a 0-Day in an MS-RPC Service.mp4
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Ben Barnea, Ophir Harpaz - Exploring Ancient Ruins to Find Modern Bugs - Discovering a 0-Day in an MS-RPC Service.srt (subtitles)
• https://www.youtube.com/watch?v=lDvNKHGPsJg

Similar Presentations:

• BalCCon2k22 - Loading (2022) / I want my RPC
• Black Hat Europe 2021 / Burning Bridges - Stopping Lateral Movement via the RPC Firewall
• ToorCon: Seattle (Beta) (2007) / RPC Auditing Tools and Techniques