Presented at
DEF CON 30 (2022),
Aug. 13, 2022, 1 p.m.
(45 minutes).
MS-RPC is Microsoft's implementation of the Remote Procedure Calls protocol. Even though the protocol is extremely widespread, and serves as the basis for nearly all Windows services on both managed and unmanaged networks, little has been published about MS-RPC, its attack surface and design flaws.
In this talk, we will walkthrough and demonstrate a 0-day RCE vulnerability which we discovered through our research of MS-RPC. When exploited, this vulnerability allows an attacker to execute code remotely and potentially take over the Domain Controller. We believe this vulnerability may belong to a somewhat novel bug-class which is unique to RPC server implementations, and would like to share this idea as a possible research direction with the audience.
To aid future research into the topic of MS-RPC, we will share a deep, technical overview of the RPC system in Windows, explain why we decided to target it, and point out several design flaws. We will also outline the methodology we developed around RPC as a research target along with some tools we built to facilitate the bug-hunting process.
Presenters:
-
Ben Barnea
- Senior Security Researcher, Akamai
Ben Barnea is a security researcher at Akamai with interest and experience conducting low-level security research and vulnerability research across various architectures - Windows, Linux, IoT and mobile. He likes learning how complex mechanisms work and most importantly, how they fail.
-
Ophir Harpaz
- Senior Security Research Team Lead, Akamai
Ophir Harpaz is a security research team lead in Akamai, where she manages research projects around OS internals, exploitation and malware analysis. Ophir has spoken in various security conferences including Black Hat USA, Botconf, SEC-T, HackFest and more. As an active member in Baot - a community for women engineers - she has taught a reverse-engineering workshop (https://begin.re) to share her enthusiasm for reversing. Ophir has entered Forbes' list of 30-under-30 and won the Rising Star category of SC Magazine's Reboot awards for her achievements and contribution to the Cyber security industry.
Links:
Similar Presentations: