Defeating magic by magic: Using ALPC security features to compromise RPC services

Presented at DEF CON 32 (2024), Aug. 9, 2024, 10:30 a.m. (45 minutes).

Advanced Local Procedure Call (ALPC) is an inter-process communication mechanism in the Windows kernel. In the past few years, Windows ALPC and RPC vulnerabilities have emerged in an endless stream. These vulnerabilities have mainly been TOCTOU file-operation bugs, memory corruption bugs in RPC services, and bugs in the ALPC syscalls in ntoskrnl. The Windows kernel provides a variety of security measures to ensure that the data and context accepted by ALPC and RPC servers are safe. We noticed the attack surface inside the ALPC kernel security mechanism itself, found a security flaw in that mechanism (magic), and successfully obtained SYSTEM privileges from an unprivileged user (defeating magic by magic).

In this talk, we first give an overview of the communication mechanism of ALPC and RPC services. We discuss details of the ALPC and RPC marshal/unmarshal process that have not been disclosed before, and the kernel security mechanisms in the ALPC syscalls. We then analyze some historical bugs in ALPC and RPC and disclose the details of the vulnerability we found, showing how a small flaw in the security mechanism allowed us to bypass it. Next we cover exploitation, and you will learn about the multiple ways it can be done. Finally, we draw conclusions and share our opinions on this attack surface, including some tips on how to find these kinds of bugs.

References:

1. Clement Rouault and Thomas Imbert, "A view into ALPC-RPC", Hack.lu 2017
2. Gal De Leon, "Exploiting Errors in Windows Error Reporting"
3. Windows Internals, Part 2, 7th Edition

Presenters:

  • WangJunJie Zhang - Senior Security Researcher at Hillstone Network Security Research Institute
    WangJunJie Zhang is a senior security researcher at Hillstone Network Security Research Institute. His work involves exploit development and bug hunting. He is currently focusing on Windows components and kernel security, and he has reported many vulnerabilities to Microsoft and Red Hat and received acknowledgements. He was also listed as a Microsoft Most Valuable Researcher from 2020 to 2023. He was also a speaker at the CanSecWest 2023 and HITBSecConf Amsterdam 2023 conferences.
  • YiSheng He
    YiSheng He is a member of OWASP, (ISC)², CSA and other organizations. He is the organizer of the DCG86020 event. He has obtained various international professional certifications such as CISSP, CCSK and CISA, and has participated in many open source security projects. He has obtained a large number of CVE numbers and received acknowledgements from Microsoft, Apple and other companies. He has also participated in many CTF competitions and won good rankings. His research interests include AIoT and web security. He was also a speaker at the CanSecWest 2023 and HITBSecConf Amsterdam 2023 conferences.
