Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM presented at CODEBLUE2020 2020

by Sai Cheng, Yongqing He, Zhimin Wang,

Summary : There may be some logic bugs in the COM and RPC servers built in Windows OS.In order to find these bugs automatically, the commonly used algorithm is to search for the call chain between functions and Win32 APIs that perform sensitive operations, but if you only rely on the xrefs of the disassembler to generate the call chain, you cannot handle calls across process boundaries. To solve this problem to a certain extent, we propose "Cross-Server Xrefs" in COM and RPC and introduce an automated algorithm to search for this scenario, the key to this algorithm is to use the Backtrace function of Metasm(the Ruby assembly manipulation suite). We will also introduce other attack surfaces in "Cross-Server Xrefs" and use our methods to find examples. Finally, we release an open source tool to help researchers explore the things described in this presentation.