Abusing WCF Endpoint for RCE and Privilege Escalation

Presented at BSidesSF 2019, March 4, 2019, 11 a.m. (30 minutes)

In 2018 there were quite a few local privilege escalation and remote code execution CVEs related to abusing the functionality exposed by WCF services in .NET programs. These were found in products such as VPN clients, commercial network monitoring tools, and antivirus software. In some cases, these services accidentally exposed stronger capabilities than intended (for example, the ability to run arbitrary code). In other cases, sensitive features have been locked down, but the security mechanisms are faulty and can be bypassed. The aim of this presentation is to spread awareness of WCF as an attack surface and to demonstrate how to get started finding and exploiting these bugs. This will be accomplished by reviewing the vulnerability identification and exploit development process for a recent 0-day privilege escalation in Check Point's flagship antivirus product ZoneAlarm.

Presenters:

  • Christopher Anastasio - Illumant
    Chris Anastasio is a penetration tester at Illumant, bug bounty hunter, amateur exploit dev, and bad coder. He’s been working in Infosec professionally for 5 years and as a hobbyist for many more. He cofounded the Dark Corner (darkcorner.org), a monthly hacker meetup in Palo Alto, CA. You can check out some of his other hacks at www.muffsec.com.
