Cyber Security News

Windows COM Object Vulnerability Enables Remote Code Execution for System Takeover

A critical bug class termed “trapped object” has been identified by Google’s Project Zero team.

This vulnerability primarily arises from improper use of object-oriented remoting technologies like DCOM and .NET Remoting, which facilitate cross-process and cross-security boundary services.

These systems, though designed for flexibility, inadvertently expose certain unsafe objects, leading to potential remote code execution (RCE) or privilege escalation.

Unsafe Object Remoting

The vulnerability lies in remoting unsafe objects across boundaries.

For example, developers might marshal XML Document objects by reference during runtime, unaware that this exposes scripting capabilities like XSLT execution in the server’s context.

A historical instance of this issue was CVE-2019-0555, where developers unintentionally shared an XML DOM object with outdated interfaces, allowing attackers to breach sandboxes.

Another scenario involves asynchronous marshaling, where objects like .NET’s FileInfo can be marshaled both by value and reference.

Attackers exploit this duality to trap objects in server processes, gain elevated access, and invoke privileged methods such as file creation on servers.

Furthermore, attackers can abuse APIs, like CoCreateInstance to instantiate arbitrary classes and execute malicious code.

A notable example was CVE-2017-0211, which exploited COM Structured Storage objects to gain elevated privileges.

Role of IDispatch Interface in Escalating the Threat

The IDispatch interface, a key feature of OLE Automation designed for late binding in COM, facilitates this vulnerability.

Exploits occur when objects like ITypeInfo are remoted.

Despite type libraries being designed for remote invocation, certain methods such as CreateInstance inadvertently instantiate COM objects in the server’s process context.

Attackers can enumerate unsafe classes within type libraries to target objects that are otherwise intended for local access.

For example, a type library for the WaaSRemediationAgent class was identified as exposing out-of-process objects like WaaSRemediationLib, which attackers could potentially exploit to craft escalated permissions.

According to Google, this issue also extends to injection into Windows Protected Processes (PPL).

The Project Zero researcher demonstrated exploiting remoted type libraries to inject malicious code into processes like LSASS under PPL-Windows protection levels.

By redirecting registrations of safe classes (e.g., StdFont) to vulnerable classes and using .NET-based reflection, attackers could bypass process protections to execute arbitrary code.

However, newer Windows 11 protections, such as enhanced signing checks via cached signatures (NtSetCachedSigningLevel), mitigate these attacks by blocking type libraries lacking proper signing levels.

While Microsoft has introduced some mitigations, such as stricter validation of type libraries in protected processes, this bug class remains a systemic issue in remoting technologies.

Developers must ensure that:

  1. Only safe objects are remoted across boundaries.
  2. Proper validation mechanisms are in place to block unsafe object marshaling.
  3. Unnecessary APIs like CoCreateInstance are restricted in high-privilege environments.

Although this research didn’t directly escalate privileges in its demonstration, Project Zero emphasizes the importance of these findings in preemptively mitigating potential exploitation vectors.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Hackers Exploit Host Header Injection to Breach Web Applications

Cybersecurity researchers have reported a significant rise in web breaches triggered by a lesser-known technique:…

3 hours ago

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows Remote…

3 hours ago

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed critical…

3 hours ago

Apache ActiveMQ Vulnerability Allows Attackers to Induce DoS Condition

Critical vulnerability in Apache ActiveMQ (CVE-2024-XXXX) exposes brokers to denial-of-service (DoS) attacks by allowing malicious…

3 hours ago

Kaspersky Alerts on AI-Driven Slopsquatting as Emerging Supply Chain Threat

Cybersecurity researchers at Kaspersky have identified a new supply chain vulnerability emerging from the widespread…

3 hours ago

UK Government to Shift Away from Passwords in New Security Move

UK government has unveiled plans to implement passkey technology across its digital services later this…

4 hours ago