RPC Bug Hunting Case Studies – Part 2

[+] Target: appidsvc.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary DACL modification: appidsvc.dll

[+] Target: AppVEntSubsystemController.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: AppVEntSubsystemController.dll

[+] Target: AppXDeploymentServer.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: AppXDeploymentServer.dll
       [*] Potential DLL with arbitrary deletion: AppXDeploymentServer.dll
       [*] Potential executable with arbitrary file modification with move: AppXDeploymentServer.dll
       [*] Potential DLL with arbitrary DACL modification: AppXDeploymentServer.dll

[+] Target: bdesvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: bdesvc.dll

[+] Target: bisrv.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary DACL modification: bisrv.dll

[+] Target: combase.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: combase.dll
       [*] Potential executable arbitrary deletion: combase.dll

[+] Target: cryptcatsvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: cryptcatsvc.dll
       [*] Potential executable with arbitrary file modification with move: cryptcatsvc.dll

[+] Target: cryptsvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: cryptsvc.dll

[+] Target: dhcpcore.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: dhcpcore.dll

[+] Target: dhcpcore6.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: dhcpcore6.dll

[+] Target: DiagSvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: DiagSvc.dll

[+] Target: diagtrack.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: diagtrack.dll
       [*] Potential executable arbitrary deletion: diagtrack.dll
       [*] Potential executable with arbitrary file modification with move: diagtrack.dll
       [*] Potential DLL with arbitrary DACL modification: diagtrack.dll

[+] Target: DmApiSetExtImplDesktop.dll
       [*] Is RPC server file

[+] Target: dot3svc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: dot3svc.dll

[+] Target: dpapisrv.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: dpapisrv.dll

[+] Target: dssvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: dssvc.dll
       [*] Potential DLL with arbitrary deletion: dssvc.dll
       [*] Potential executable with arbitrary file modification with move: dssvc.dll
       [*] Potential DLL with arbitrary DACL modification: dssvc.dll

[+] Target: dusmsvc.dll
       [*] Is RPC server file

[+] Target: edgehtml.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: edgehtml.dll
       [*] Potential DLL with arbitrary deletion: edgehtml.dll
       [*] Potential executable with arbitrary file modification with move: edgehtml.dll
       [*] Potential DLL with arbitrary DACL modification: edgehtml.dll

[+] Target: eeprov.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: eeprov.dll

[+] Target: efslsaext.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: efslsaext.dll
       [*] Potential executable arbitrary deletion: efslsaext.dll

[+] Target: FXSAPI.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: FXSAPI.dll

[+] Target: FXSSVC.exe
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: FXSSVC.exe
       [*] Potential DLL with arbitrary deletion: FXSSVC.exe
       [*] Potential executable with arbitrary file modification with move: FXSSVC.exe

[+] Target: iphlpsvc.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary DACL modification: iphlpsvc.dll

[+] Target: LogonController.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: LogonController.dll

[+] Target: lsasrv.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: lsasrv.dll
       [*] Potential executable with arbitrary file modification with move: lsasrv.dll

[+] Target: mispace.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: mispace.dll
       [*] Potential executable arbitrary deletion: mispace.dll

[+] Target: modernexecserver.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary DACL modification: modernexecserver.dll

[+] Target: msdtcprx.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: msdtcprx.dll
       [*] Potential executable with arbitrary file modification with move: msdtcprx.dll
       [*] Potential DLL with arbitrary DACL modification: msdtcprx.dll
       [*] Potential executable with arbitrary file modification with move: msdtcprx.dll

[+] Target: netlogon.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: netlogon.dll
       [*] Potential executable with arbitrary file modification with move: netlogon.dll

[+] Target: p2psvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: p2psvc.dll

[+] Target: PackageStateRoaming.dll
       [*] Is RPC server file

[+] Target: pcasvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: pcasvc.dll
       [*] Potential executable with arbitrary file modification with move: pcasvc.dll

[+] Target: PeerDistSvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: PeerDistSvc.dll
       [*] Potential DLL with arbitrary deletion: PeerDistSvc.dll
       [*] Potential executable with arbitrary file modification with move: PeerDistSvc.dll

[+] Target: PhoneProviders.dll
       [*] Is RPC server file

[+] Target: pla.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary DACL modification: pla.dll
       [*] Potential executable arbitrary deletion: pla.dll
       [*] Potential DLL with arbitrary deletion: pla.dll

[+] Target: pnrpsvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: pnrpsvc.dll

[+] Target: profsvc.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: profsvc.dll
       [*] Potential executable arbitrary deletion: profsvc.dll
       [*] Potential DLL with arbitrary DACL modification: profsvc.dll

[+] Target: rasmans.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: rasmans.dll
       [*] Potential executable with arbitrary file modification with move: rasmans.dll
       [*] Potential DLL with arbitrary DACL modification: rasmans.dll

[+] Target: rdpclip.exe
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: rdpclip.exe

[+] Target: scesrv.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: scesrv.dll
       [*] Potential DLL with arbitrary DACL modification: scesrv.dll

[+] Target: schedsvc.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: schedsvc.dll
       [*] Potential executable arbitrary deletion: schedsvc.dll
       [*] Potential DLL with arbitrary DACL modification: schedsvc.dll

[+] Target: SessEnv.dll
       [*] Is RPC server file
       [*] Potential executable with arbitrary file modification with move: SessEnv.dll
       [*] Potential executable arbitrary deletion: SessEnv.dll
       [*] Potential DLL with arbitrary deletion: SessEnv.dll

[+] Target: Spectrum.exe
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: Spectrum.exe

[+] Target: spoolsv.exe
       [*] Is RPC server file
       [*] Potential executable with arbitrary file modification with move: spoolsv.exe
       [*] Potential executable arbitrary deletion: spoolsv.exe

[+] Target: sstpsvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: sstpsvc.dll

[+] Target: StorSvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: StorSvc.dll
       [*] Potential DLL with arbitrary deletion: StorSvc.dll
       [*] Potential DLL with arbitrary DACL modification: StorSvc.dll

[+] Target: sysmain.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: sysmain.dll
       [*] Potential executable with arbitrary file modification with move: sysmain.dll
       [*] Potential DLL with arbitrary DACL modification: sysmain.dll

[+] Target: SystemEventsBrokerServer.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: SystemEventsBrokerServer.dll
       [*] Potential executable with arbitrary file modification with move:

[+] Target: tapisrv.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: tapisrv.dll

[+] Target: taskcomp.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: taskcomp.dll
       [*] Potential DLL with arbitrary DACL modification: taskcomp.dll

[+] Target: tellib.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: tellib.dll
       [*] Potential executable arbitrary deletion: tellib.dll
       [*] Potential executable with arbitrary file modification with move: tellib.dll
       [*] Potential DLL with arbitrary DACL modification: tellib.dll

[+] Target: termsrv.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary DACL modification: termsrv.dll

[+] Target: trkwks.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: trkwks.dll
       [*] Potential executable with arbitrary file modification with move: trkwks.dll

[+] Target: tttracer.exe
       [*] Is RPC server file
       [*] Potential executable with arbitrary file modification with move: tttracer.exe
       [*] Potential DLL with arbitrary DACL modification: tttracer.exe

[+] Target: uireng.dll
       [*] Is RPC server file
       [*] Potential executable with arbitrary file modification with move: uireng.dll
       [*] Potential DLL with arbitrary deletion: uireng.dll
       [*] Potential executable arbitrary deletion: uireng.dll

[+] Target: usermgr.dll
       [*] Is RPC server file
       [*] Potential executable with arbitrary file modification with move: usermgr.dll
       [*] Potential DLL with arbitrary DACL modification: usermgr.dll

[+] Target: vaultsvc.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: vaultsvc.dll
       [*] Potential executable arbitrary deletion: vaultsvc.dll
       [*] Potential executable with arbitrary file modification with move: vaultsvc.dll

[+] Target: vmrdvcore.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: vmrdvcore.dll
       [*] Potential executable arbitrary deletion: vmrdvcore.dll
       [*] Potential executable with arbitrary file modification with move: vmrdvcore.dll

[+] Target: w32time.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary DACL modification: w32time.dll

[+] Target: wevtsvc.dll
       [*] Is RPC server file
       [*] Potential executable with arbitrary file modification with move: wevtsvc.dll
       [*] Potential executable arbitrary deletion: wevtsvc.dll
       [*] Potential DLL with arbitrary DACL modification: wevtsvc.dll

[+] Target: wiaservc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: wiaservc.dll

[+] Target: wifinetworkmanager.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: wifinetworkmanager.dll
       [*] Potential DLL with arbitrary deletion: wifinetworkmanager.dll

[+] Target: wimserv.exe
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: wimserv.exe
       [*] Potential DLL with arbitrary deletion: wimserv.exe

[+] Target: Windows.Internal.Bluetooth.dll
       [*] Is RPC server file

[+] Target: wininit.exe
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: wininit.exe
       [*] Potential executable with arbitrary file modification with move: wininit.exe

[+] Target: winlogon.exe
       [*] Is RPC server file
       [*] Potential executable with arbitrary file modification with move: winlogon.exe

[+] Target: wlansvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: wlansvc.dll
       [*] Potential executable with arbitrary file modification with move: wlansvc.dll

[+] Target: wwansvc.dll
       [*] Is RPC server file
       [*] Potential executable arbitrary deletion: wwansvc.dll
       [*] Potential executable with arbitrary file modification with move: wwansvc.dll

[+] Target: XblGameSave.dll
       [*] Is RPC server file
       [*] Potential DLL with arbitrary deletion: XblGameSave.dll
       [*] Potential executable arbitrary deletion: XblGameSave.dll
       [*] Potential executable with arbitrary file modification with move: XblGameSave.dll

C:\>icacls E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001\AppData\Local\Packages\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe
E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001\AppData\Local\Packages\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe
    NT AUTHORITY\SYSTEM:(CR)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(CR)(F)
    DESKTOP-A7ABC1O\researcher:(CR)(F)
    DESKTOP-A7ABC1O\researcher:(OI)(CI)(IO)(CR)(F)
    BUILTIN\Administrators:(CR)(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(CR)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    DESKTOP-A7ABC1O\researcher:(I)(OI)(CI)(F)

C:\>icacls E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001\AppData\Local\Packages
E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001\AppData\Local\Packages
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    DESKTOP-A7ABC1O\researcher:(I)(OI)(CI)(F)

C:\>icacls E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001\AppData\Local
E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001\AppData\Local
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    DESKTOP-A7ABC1O\researcher:(I)(OI)(CI)(F)

C:\>icacls E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001\AppData
E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001\AppData
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    DESKTOP-A7ABC1O\researcher:(I)(OI)(CI)(F)

C:\>icacls E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001
E:\WpSystem\S-1-5-21-2264505789-2271452246-4192020221-1001
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    DESKTOP-A7ABC1O\researcher:(OI)(CI)(F)
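What the icacls output above establishes is the precondition for the bug: the interactive user (researcher) holds Full control, explicit and inherited, on every level of the E:\WpSystem\<SID> tree that a privileged service later operates on by name. The following PowerShell is an added audit helper, not part of the original post, that walks a root and reports every Allow ACE granting a non-trusted identity the rights needed to rewrite the DACL or swap the object out (WRITE_DAC, WRITE_OWNER, DELETE, FILE_DELETE_CHILD, or Full control). The root path and the trusted-identity list are assumptions to adjust per machine.

```powershell
# Added example (not from the original post). Reports ACEs that let an identity
# other than SYSTEM/Administrators change permissions on, or delete/replace,
# directories under $Root. Assumed defaults: root E:\WpSystem, trusted = SYSTEM, Administrators.
function Find-UserWritableDacl {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$TrustedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $rights = [System.Security.AccessControl.FileSystemRights]
    # Any one of these lets the holder alter the ACL, or remove the directory so a
    # differently-typed object can be placed at the same name before a privileged
    # by-name operation runs. FullControl includes all of them, so (F) ACEs match.
    $dangerous = $rights::ChangePermissions -bor $rights::TakeOwnership -bor
                 $rights::Delete -bor $rights::DeleteSubdirectoriesAndFiles

    $dirs = @(Get-Item -LiteralPath $Root -Force) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $dangerous) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited        # icacls marks these (I)
                Owner     = $acl.Owner              # owner always has implicit WRITE_DAC
            }
        }
    }
}

Find-UserWritableDacl -Root 'E:\WpSystem' | Format-Table -AutoSize
```

Run as the low-privileged user or as an administrator; either way, every row is a directory whose name a privileged caller cannot trust to still denote the same object a moment later. The Owner column is included because the owner can rewrite the DACL regardless of what the ACEs say, so a tree owned by the user is user-controlled even where no explicit ACE grants ChangePermissions.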

// After creating its parent directories, try to create E:\WpSystem\AppData\Local\Packages
        if ( CreateDirectoryW(*(LPCWSTR *)(this - 28), 0) )           // (1)
          v16 = 0;
        else
          v16 = getlasterror();
        v15 = *(void **)(this + 4);
        if ( v16 < 0 )
        {
          v17 = 0x4C8;
          goto exit;
        }
      }
      v15 = *(void **)(this + 4);
      if ( v16 >= 0 )
      {
        if ( v13 == 1
          || sub_102335C9(v15)
            // Set the security descriptor on E:\WpSystem and its sub-directories to allow access to Administrators and SYSTEM only
          || (v19 = wpsystem_setnamedsecurityinfo((int)v12, *(WCHAR **)(this - 16)),
              v15 = *(void **)(this + 4),
              v16 = v19,
              v19 >= 0) )
        {
          // Encrypt and compress the files in the Appx package
          v20 = EncryptFile((int)v12, *(WCHAR **)(this - 16));     // (2)
          v15 = *(void **)(this + 4);
          v16 = v20;
          if ( v20 >= 0 )
          {
            // Reset the security descriptor on \\?\E:\WpSystem\AppData\Local\Packages to allow full access.
            // However, nothing verifies that the object at this name is still the directory created in (1),
            // and the call is not made under impersonation, so between (2) and (3) the name can be redirected
            // to a file object instead of the intended directory and the service applies this DACL to it
            // with its own privileges.
            v21 = SetNamedSecurityInfoW(*(LPWSTR *)(this - 28), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, *(PACL *)(this - 20), 0);            // (3)
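The fix pattern for step (3) is to stop resolving the name twice: open the object once, with reparse points not followed, verify on the handle that it is a plain directory, and set the DACL on that same handle. The PowerShell below is an added example, not code from the original post or from Windows; it P/Invokes CreateFileW, GetFileInformationByHandle and SetSecurityInfo to show the handle-based counterpart of the SetNamedSecurityInfoW call. The target path and the placeholder DACL (SYSTEM and Administrators full control) are assumptions.

```powershell
# Added example (not from the original post). Handle-based replacement for
# SetNamedSecurityInfoW on a user-controllable path. Assumed: target path below
# is a placeholder; DACL is a placeholder SDDL string.
$native = @'
using System;
using System.Runtime.InteropServices;

public static class SafeDirAcl
{
    const uint READ_CONTROL = 0x00020000, WRITE_DAC = 0x00040000;
    const uint FILE_SHARE_READ = 0x1, FILE_SHARE_WRITE = 0x2, OPEN_EXISTING = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS   = 0x02000000; // needed to open a directory handle
    const uint FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000; // open the link itself, never follow it
    const uint FILE_ATTRIBUTE_DIRECTORY = 0x10, FILE_ATTRIBUTE_REPARSE_POINT = 0x400;
    const int  SE_FILE_OBJECT = 1;
    const uint DACL_SECURITY_INFORMATION = 0x4;
    const uint ERROR_DIRECTORY = 267;

    [StructLayout(LayoutKind.Sequential)]
    struct BY_HANDLE_FILE_INFORMATION
    {
        public uint dwFileAttributes;
        public System.Runtime.InteropServices.ComTypes.FILETIME ftCreationTime, ftLastAccessTime, ftLastWriteTime;
        public uint dwVolumeSerialNumber, nFileSizeHigh, nFileSizeLow, nNumberOfLinks, nFileIndexHigh, nFileIndexLow;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateFileW(string name, uint access, uint share, IntPtr sa, uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetFileInformationByHandle(IntPtr h, out BY_HANDLE_FILE_INFORMATION info);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll")]
    static extern uint SetSecurityInfo(IntPtr h, int objectType, uint securityInfo, IntPtr owner, IntPtr group, byte[] dacl, IntPtr sacl);

    // Returns 0 on success or a Win32 error code. Refuses files, junctions and
    // symlinks, and never looks the name up a second time.
    public static uint SetDacl(string path, byte[] binaryDacl)
    {
        IntPtr h = CreateFileW(path, READ_CONTROL | WRITE_DAC, FILE_SHARE_READ | FILE_SHARE_WRITE,
                               IntPtr.Zero, OPEN_EXISTING,
                               FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, IntPtr.Zero);
        if (h == new IntPtr(-1)) return (uint)Marshal.GetLastWin32Error();
        try
        {
            BY_HANDLE_FILE_INFORMATION info;
            if (!GetFileInformationByHandle(h, out info)) return (uint)Marshal.GetLastWin32Error();
            bool isDir     = (info.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0;
            bool isReparse = (info.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) != 0;
            if (!isDir || isReparse) return ERROR_DIRECTORY;
            // The checked handle is the one written to: no window to swap the object.
            return SetSecurityInfo(h, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, IntPtr.Zero, IntPtr.Zero, binaryDacl, IntPtr.Zero);
        }
        finally { CloseHandle(h); }
    }
}
'@
Add-Type -TypeDefinition $native

# Binary ACL from SDDL; the bytes are exactly the ACL structure a PACL points at.
$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor 'D:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)'
$dacl = New-Object byte[] $sd.DiscretionaryAcl.BinaryLength
$sd.DiscretionaryAcl.GetBinaryForm($dacl, 0)

$target = 'E:\WpSystem\AppData\Local\Packages'   # placeholder path, as in the decompiled snippet
$rc = [SafeDirAcl]::SetDacl($target, $dacl)
if     ($rc -eq 0)   { "DACL applied to the directory handle for $target" }
elseif ($rc -eq 267) { "Refused: $target is not a plain directory (file, junction or symlink)" }
else                 { "Failed with Win32 error $rc" }
```

Two caveats a service author still has to cover. First, this only validates the final component: if intermediate components of the path are user-owned, a junction placed on one of them still steers the open into another real directory, so the open should be done relative to a handle on a trusted parent, or the result of GetFinalPathNameByHandle compared with the expected location before writing. Second, in an RPC server the CreateFileW should run while impersonating the client (RpcImpersonateClient), so the access check is made with the caller's token rather than the service's.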
