2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor presents research on how the in-the-wild sample of CVE-2021-26411 uses RPC to bypass CFG mitigation. The article is rich in content and analyzes the technique from a professional point of view. I hope you can get something out of it.
The general idea of exploiting a vulnerability in the browser rendering process is as follows: after obtaining arbitrary address read/write in user mode, hijack the execution flow by tampering with the virtual table function pointer of a DOM, JS or similar object, call VirtualProtect or another Win32 API through a ROP chain to change the memory attribute of the buffer holding the shellcode to PAGE_EXECUTE_READWRITE, and finally jump to the shellcode through the ROP chain. After Windows 8.1, Microsoft introduced CFG (Control Flow Guard) mitigation [1] to verify indirectly called function pointers, which mitigates the technique of hijacking execution flow by tampering with virtual table function pointers.
However, the contest did not stop there, and new methods of bypassing CFG followed, such as hijacking execution flow in chakra/jscript9 by tampering with function return addresses on the stack [2], or using WebAssembly objects with executable memory in v8 to execute shellcode [3]. In December 2020, Microsoft added CET mitigation [4] to Windows 10 20H1 on Intel Tiger Lake CPUs, which protects against hijacking execution flow by tampering with return addresses on the stack. Bypassing CFG in a CET-protected environment has therefore once again become a hard problem for vulnerability exploitation.
While analyzing the in-the-wild sample of CVE-2021-26411 [5], we found a new method of bypassing CFG using Windows RPC (Remote Procedure Call) [5]. The method does not rely on a ROP chain: arbitrary code execution is achieved by constructing an RPC_MESSAGE and calling rpcrt4!NdrServerCall2.
1. CVE-2021-26411 Review
The root cause of this vulnerability is described in the article "IE browser 0day: CVE-2021-26411 Analysis" [5]: removeAttributeNode() triggers the valueOf callback of the attribute object's nodeValue, and calling clearAttributes() manually during the callback frees the BSTR held by nodeValue early. After the callback returns, the code keeps using the object without checking whether nodeValue still exists, resulting in a UAF.
The fix for this vulnerability in the March Windows patch adds an index check before the object is deleted in the CAttrArray::Destroy function:
For a controllable UAF like this, the exploitation idea is to make two pointers of different types (BSTR and Dictionary.items) point to the freed memory, and to achieve pointer leakage and pointer dereferencing through type confusion:
2. The principle and exploitation of RPC
Windows RPC solves the problem of distributed client/server function calls: based on RPC, a client can call server functions in the same way as local functions. The basic architecture of RPC is shown below:
The client/server program passes the call parameters/return values to the lower-level Stub function, the Stub function encapsulates the data in NDR (Network Data Representation) format, and communication finally goes through the runtime library provided by rpcrt4.dll.
Here is an example IDL:
When the client calls the add function, the server receives the request through rpcrt4.dll and calls rpcrt4!NdrServerCall2:
rpcrt4!NdrServerCall2 has only one parameter, PRPC_MESSAGE, which carries important data such as the index of the function called by the client and the passed parameters. The server-side RPC_MESSAGE structure and its main sub-structures are shown below (32-bit):
As shown in the figure above, the two key variables of the RPC_MESSAGE structure for the function call are Buffer and RpcInterfaceInformation. Buffer holds the parameters of the function, and RpcInterfaceInformation points to the RPC_SERVER_INTERFACE structure. RPC_SERVER_INTERFACE holds the interface information of the server program: +0x2c DispatchTable stores the interface function pointers of the runtime library and the Stub functions, and +0x3c InterpreterInfo points to the MIDL_SERVER_INFO structure. MIDL_SERVER_INFO holds the server-side IDL interface information, and its DispatchTable stores the array of function pointers of the remote call routines provided by the server.
The following is an example of the RPC_MESSAGE structure:
According to the IDL given above, when the client calls add(0x111, 0x222), the server program breaks in rpcrt4!NdrServerCall2:
As can be seen, the memory dump from dynamic debugging is consistent with the structural analysis of RPC_MESSAGE, with the add function stored in MIDL_SERVER_INFO.DispatchTable.
Next, analyze how rpcrt4 calls the add function according to RPC_MESSAGE:
rpcrt4!NdrServerCall2 calls rpcrt4!NdrStubCall2, which computes the address of the function pointer to call from the base address of MIDL_SERVER_INFO.DispatchTable and RPC_MESSAGE.ProcNum, and passes the function pointer, the function arguments and the argument length to rpcrt4!Invoke:
The server routine is finally called inside rpcrt4!Invoke:
From the above analysis, after obtaining arbitrary address read/write we can construct an RPC_MESSAGE data structure, fill in the function pointer and parameters we want to call, and finally call rpcrt4!NdrServerCall2 manually to achieve arbitrary function execution.
Next, two problems need to be solved:
1) how to call rpcrt4!NdrServerCall2 from a JS script
2) observe the server routine call at the end of rpcrt4!Invoke:
This is an indirect call with a CFG check. Therefore, after replacing the MIDL_SERVER_INFO.DispatchTable function pointer, we need to consider how to bypass the CFG check at this point.
First, problem 1: how to call rpcrt4!NdrServerCall2 from a JS script
Here the method of replacing a DOM object's virtual table function pointer to hijack execution flow can be reused, because rpcrt4!NdrServerCall2 is a valid pointer recorded in the CFG bitmap, so the replaced pointer still passes the CFG check. In the sample, the MSHTML!CAttribute::normalize virtual table function pointer is tampered with, and rpcrt4!NdrServerCall2 is finally reached through "xyz.normalize()".
Then problem 2: how to bypass the CFG check in rpcrt4!NdrServerCall2
The idea in the sample is:
1) use the fake RPC_MESSAGE and rpcrt4!NdrServerCall2 to call VirtualProtect and change the memory attribute of RPCRT4 to PAGE_EXECUTE_READWRITE
2) replace the pointer to ntdll!LdrpValidateUserCallTarget stored in rpcrt4!__guard_check_icall_fptr with ntdll!KiFastSystemCallRet, thereby turning off the CFG check in rpcrt4
3) restore the memory attribute of the RPCRT4 region holding rpcrt4!__guard_check_icall_fptr
After solving problems 1 and 2, the forged RPC_MESSAGE can be used to call any function. The sample writes the shellcode at msi.dll + 0x5000 and finally calls it through rpcrt4!NdrServerCall2:
Finally, a complete demonstration of the exploit:
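To make the dispatch path of section 2 and the guarded call site concrete, here is an added C model (not code from the article or from the sample) of how NdrServerCall2 resolves MIDL_SERVER_INFO.DispatchTable[ProcNum] and gates the indirect call through __guard_check_icall_fptr; the struct layouts, the DispatchTableCount bound and the allowlist-style target check are simplifications assumed for this model.

```c
/* Simplified models of the rpcrt4 structures the article walks (constructed for
   this example; only the fields on the dispatch path, not the SDK definitions). */
typedef int (*SERVER_ROUTINE)(int a, int b);
typedef struct {
    const SERVER_ROUTINE *DispatchTable;   /* MIDL_SERVER_INFO.DispatchTable */
    unsigned int DispatchTableCount;       /* bound assumed for this model */
} MIDL_SERVER_INFO_MODEL;
typedef struct {
    const MIDL_SERVER_INFO_MODEL *InterpreterInfo;  /* +0x3c on 32-bit per the article */
} RPC_SERVER_INTERFACE_MODEL;
typedef struct {
    unsigned int ProcNum;      /* index into DispatchTable */
    const int *Buffer;         /* marshalled arguments */
    const RPC_SERVER_INTERFACE_MODEL *RpcInterfaceInformation;
} RPC_MESSAGE_MODEL;

/* The genuine routine from the article's IDL example and the server's tables. */
static int add(int a, int b) { return a + b; }
static const SERVER_ROUTINE g_dispatch[] = { add };
static const MIDL_SERVER_INFO_MODEL g_server_info = { g_dispatch, 1 };
const RPC_SERVER_INTERFACE_MODEL g_iface = { &g_server_info };

/* Model of ntdll!LdrpValidateUserCallTarget: CFG consults a bitmap of valid
   indirect-call targets; here the "bitmap" is the set of registered routines. */
static int validate_call_target(SERVER_ROUTINE fn) { return fn == add; }
/* Model of rpcrt4!__guard_check_icall_fptr: the check is reached through a
   pointer in writable data, which is what the sample's step 2 overwrites. */
static int (*guard_check_icall_fptr)(SERVER_ROUTINE) = validate_call_target;

/* Model of NdrServerCall2 -> NdrStubCall2 -> Invoke. Returns 0 on success,
   -1 if ProcNum is out of range, -2 if the CFG-style check rejects the target. */
int ndr_server_call_model(const RPC_MESSAGE_MODEL *msg, int *result) {
    const MIDL_SERVER_INFO_MODEL *info = msg->RpcInterfaceInformation->InterpreterInfo;
    if (msg->ProcNum >= info->DispatchTableCount) return -1;
    SERVER_ROUTINE target = info->DispatchTable[msg->ProcNum];  /* base + ProcNum */
    if (!guard_check_icall_fptr(target)) return -2;              /* guarded call site */
    *result = target(msg->Buffer[0], msg->Buffer[1]);
    return 0;
}

/* A forged message whose interface data points at an attacker-built table;
   its only entry is not a registered routine, so an intact check refuses it. */
static int not_registered(int a, int b) { return a * b; }
int forged_message_result(void) {
    const SERVER_ROUTINE fake_table[] = { not_registered };
    const MIDL_SERVER_INFO_MODEL fake_info = { fake_table, 1 };
    const RPC_SERVER_INTERFACE_MODEL fake_iface = { &fake_info };
    const int args[] = { 0x111, 0x222 };
    const RPC_MESSAGE_MODEL msg = { 0, args, &fake_iface };
    int out = 0;
    return ndr_server_call_model(&msg, &out);  /* -2: rejected by the check */
}
```

The forged message is refused only as long as the check pointer itself is intact, which is why the sample's step 2 targets that writable pointer rather than the bitmap; the page protection of that pointer is the property a defender should monitor.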
Some thoughts
The in-the-wild sample of CVE-2021-26411 introduced an innovative method of bypassing CFG mitigation using RPC. The method needs no ROP chain and achieves arbitrary code execution directly by forging an RPC_MESSAGE. It is simple and stable to use, and there is reason to believe it will become a new and effective technique for bypassing CFG mitigation.
The above is the research on how the in-the-wild sample of CVE-2021-26411 uses RPC to bypass CFG mitigation, as shared by the editor. If you have similar questions, please refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.