Recent Posts
Archives

AI BEA CTO Cybersecurity DefCon32 Devoxx DevoxxBE2023 DevoxxBE2024 DevoxxFR DevoxxGR2025 DevoxxGreece2025 DevoxxPL2022 DevoxxPoland DevoxxUK2024 DevoxxUS2017 Docker Eclipse EJB GWT Hibernate IntelliJ IDEA Java Jetty JMS Jonathan Lalou JSF Kotlin Kubernetes Maven Maven 2 Microservices Mule Mule ESB Oracle OxidizeConf2024 Python recommendation RustLang Security Spring SQL Tomcat tutorial Weblogic Weblogic 10

Posts Tagged ‘RonBenYizhak’

PostHeaderIcon [DefCon32] Manipulating Shim and Office for Code Injection

Author: Jonathan Lalou

The Windows ecosystem harbors hidden attack surfaces, and security researchers Ron Ben-Yizhak and David Shandalov from Deep Instinct unveil a sophisticated technique to exploit them. By manipulating the Application Compatibility Framework (shim) and OfficeClickToRun service, they achieve stealthy code injection and privilege escalation without traditional traces like registry modifications. Their reverse engineering of undocumented APIs and kernel drivers reveals novel methods to subvert system defenses, challenging assumptions about patched vulnerabilities.

Reviving the Shim Attack Surface

Ron introduces the Application Compatibility Framework, designed to ensure legacy software runs on modern Windows systems. The shim infrastructure, managed by a kernel driver, applies runtime fixes to processes. By exploiting undocumented APIs, Ron and David craft a malicious shim that injects code without disk-based evidence, evading detection by endpoint detection and response (EDR) systems. This approach, applied to 64-bit processes, bypasses traditional monitoring, as injection occurs before EDR hooks are established.

Exploiting OfficeClickToRun for Escalation

David details their attack surface research on OfficeClickToRun.exe, a service running as NT AUTHORITY\SYSTEM. By leveraging its undocumented RPC interfaces and Opportunistic Lock (OpLock) mechanisms, they inject a DLL into a high-privilege process, achieving escalation. This method requires specific conditions, which they meticulously engineered, demonstrating the power of combining disparate system components into a cohesive attack vector.

Methodology and Community Collaboration

The duo’s methodology hinges on deep reverse engineering, analyzing shim data structures and AVL tables to manipulate process behavior. They modernize a previously known technique, making it registry-free and elusive. Ron and David share their tools’ source code, inviting the community to refine these attacks and explore additional shim fixes. Their findings highlight the potential for OpLock and shim mechanisms to serve as building blocks for complex, multi-component attacks.

Defensive Measures and Future Research

To counter these threats, Ron and David urge developers to monitor early-stage process injections and scrutinize undocumented APIs. They encourage further exploration of shim data structures and AVL table manipulations, which could yield new attack vectors. By open-sourcing their tools, they foster collaborative advancements in offensive security, aiming to strengthen Windows defenses against such stealthy techniques.

Links:

Posted in en-US | Tags: , , , , , , , | No Comments »
(c) 2008 Jonathan Lalou's Blog
All Rights Reserved.

Powered by WordPress and WordPress Theme | Host-euro.