Abusing Insecure WCF Endpoints

Presented at ekoparty 14 (2018), Sept. 27, 2018, 4:50 p.m. (50 minutes)

Windows Communication Foundation (WCF) is a framework for building service-oriented applications using the .NET Framework. A trend that I've noticed in .NET services is the exposure of very dangerous methods through insecure WCF endpoints. Additionally, most of these services are started automatically as "LocalSystem", which is the highest user privilege level available. This results in a situation where a WCF endpoint may become a gateway for low-privilege users to abuse privileged service methods.

In this talk, I'll provide a high-level overview of WCF endpoints, then dive into practical analysis. I plan to share a handful of helpful tools and techniques for identifying vulnerable WCF services. Next, we'll walk through what to look out for when analyzing decompiled .NET assemblies, including those that have been obfuscated. Finally, I'll explain the exploitation of vulnerable WCF services and conclude with demonstrations of attacks against real software.


  • Fabius Artrel
    Fabius Artrel is a Security Researcher at VerSprite Security. He is ambitious about reverse engineering, vulnerability research, exploit development, and post-exploitation. Both his previous work as a Network Security Analyst and his Red Team knowledge provide him with a distinct perspective when examining technologies for real-world threats.