Abusing Insecure WCF Endpoints presented at ekopartySecurityConference 2018

by Fabius Artrel,

Summary : Windows Communication Foundation (WCF) is a framework for building service-oriented applications using the .NET Framework. A trend that I’ve noticed in .NET services is the exposure of very dangerous methods through insecure WCF endpoints. Additionally, most of these services are started automatically as “LocalSystem”, which is the highest user privilege level available. This results in a situation where a WCF endpoint may become a gateway for low-privilege users to abuse privileged service methods. In this talk, I’ll provide a high-level overview of WCF endpoints, then dive into practical analysis. I plan to share a handful of helpful tools and techniques for identifying vulnerable WCF services. Next, we’ll walk through what to look out for when analyzing decompiled .NET assemblies, including those that have been obfuscated. Finally, I’ll explain the exploitation of vulnerable WCF services and conclude with demonstrations of attacks against real software.