COMThanasia: analyzing common vulnerabilities in COM
COMThanasia
With this tool, you will be able to detect:
- Incorrect access control to a COM object (LaunchPermission, AccessPermission) – LPE through abusable COM methods, DCOM authentication relaying. That's PermissionHunter.
- Incorrect registry rights to a COM object – LPE through COM Hijacking. That's ComDiver.
- New Elevation Monikers – UAC Bypass. That's MonikerHound.
- Detailed information about a specific CLSID – inspect a COM object to find abusable COM methods. That's ClsidExplorer.
- Cross-Session Activation on behalf of a low-privileged user – attempting to instantiate an object in someone else's session for LPE. That's ComTraveller.
If we had published this tool a couple of months ago (e.g. in spring 2024), you would have discovered CVE-2024-38100 (FakePotato) and CVE-2024-38061 (SilverPotato).
Start using this tool and you can find more ways to elevate privileges on Windows systems. It's like an automated OleViewDotnet 🙂
PermissionHunter
PermissionHunter is a tool that allows you to examine the LaunchPermission and AccessPermission settings of all COM objects on the system.
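As an added illustration (not part of COMThanasia), here is a PowerShell audit that reads the LaunchPermission and AccessPermission security descriptors stored under HKLM\SOFTWARE\Classes\AppID and reports the entries that grant access to broad principals such as Everyone or Authenticated Users, which is the condition PermissionHunter looks for. It assumes Windows PowerShell 5.1 or later with read access to HKLM; the function name Get-BroadComAces and the list of principals are my own choices.

```powershell
# Added audit example, not part of COMThanasia. Lists AppIDs whose explicit
# LaunchPermission / AccessPermission descriptor grants rights to broad principals.
# Assumes Windows PowerShell 5.1+ and read access to HKLM (no admin rights needed).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadComAces {
    param([string]$AppIdRoot = 'HKLM:\SOFTWARE\Classes\AppID')
    foreach ($key in Get-ChildItem -Path $AppIdRoot -ErrorAction SilentlyContinue) {
        foreach ($valueName in 'LaunchPermission', 'AccessPermission') {
            $bytes = $key.GetValue($valueName)
            if ($null -eq $bytes) { continue }   # no explicit descriptor: the machine-wide DCOM default applies
            try {
                $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
            } catch { continue }                  # malformed REG_BINARY: skip it rather than abort the scan
            # A NULL DACL means no protection at all (everyone gets every right), so report it explicitly.
            if ($null -eq $sd.DiscretionaryAcl) {
                [pscustomobject]@{
                    AppID = $key.PSChildName; Name = $key.GetValue(''); Value = $valueName
                    Principal = '(NULL DACL)'; Mask = 'ALL'
                }
                continue
            }
            foreach ($ace in $sd.DiscretionaryAcl) {
                # Only allow-ACEs carrying a SID are relevant; custom ACEs have no SecurityIdentifier.
                if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
                if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
                $sid = $ace.SecurityIdentifier.Value
                if ($BroadSids.ContainsKey($sid)) {
                    [pscustomobject]@{
                        AppID     = $key.PSChildName
                        Name      = $key.GetValue('')
                        Value     = $valueName
                        Principal = $BroadSids[$sid]
                        # COM rights bits: 1 EXECUTE, 2 EXECUTE_LOCAL, 4 EXECUTE_REMOTE,
                        # 8 ACTIVATE_LOCAL, 16 ACTIVATE_REMOTE
                        Mask      = ('0x{0:X}' -f $ace.AccessMask)
                    }
                }
            }
        }
    }
}

Get-BroadComAces | Sort-Object AppID | Format-Table -AutoSize
```

AppIDs with no explicit descriptor fall back to the machine-wide DCOM defaults (DefaultLaunchPermission / DefaultAccessPermission under HKLM\SOFTWARE\Microsoft\Ole), which this script does not inspect.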
How to abuse
If you find a COM object that you can access on behalf of a low-privileged user, you can abuse it as follows:
- Create an instance and call the methods of that COM object to, for example, write an arbitrary file on behalf of the system. Say you have found a COM object with a DeployCmdShell() method that runs on behalf of the NT AUTHORITY\SYSTEM account, and you have LaunchPermissions and AccessPermissions on it. You can start this COM object, call the DeployCmdShell() method, and get code execution on behalf of the system. You can view the available methods using ClsidExplorer.
- Abuse DCOM authentication. For this, see RemoteKrbRelay.
ComDiver
All information about COM objects is stored in the registry. But what if the registration is incorrect? In that case it is possible to override the COM settings, for example to hijack the executable file. This tool allows you to detect such vulnerabilities: it scans the registry in the order in which the keys are consulted when a COM object is looked up. This way you can even find Shadow COM Hijacking.
How to abuse
If you see red lines in the tool output, this is a potential way to abuse a COM object! You can perform COM Hijacking (spoofing an existing executable) or Shadow COM Hijacking (spoofing a missing executable). Read more about COM Hijacking here.
MonikerHound
There is a built-in way to bypass UAC on Windows: the Elevation Moniker. You can read more about it here. This kind of UAC Bypass requires a non-standard way of registering the COM object in the registry, which is fairly easy to trace. So you can use my tool to find new ways of UAC Bypass.
How to abuse
Once you have discovered potential candidates for UAC Bypass, you can start checking them. As a template for running an Elevation Moniker, you can take this function or this program.
ClsidExplorer
ClsidExplorer allows you to retrieve information about a specific CLSID. The program outputs the following data:
- AppID – ApplicationID of the COM object;
- ProgID – ProgID of the COM object;
- PID – PID of the process in which this COM object is running;
- Process Name – the name of that process;
- Username – the user on whose behalf the process is running;
- Methods – available methods of the COM object, obtained by parsing the TypeLib.
How to abuse
This program is great for checking a COM class discovered with ComTraveller, PermissionHunter or MonikerHound for interesting methods that can be abused.
ComTraveller
ComTraveller – this tool allows you to explore all available COM objects. It lets you quickly identify COM objects with interesting values (RunAs Interactive User), the availability of a TypeLib, and Cross-Session Activation capabilities. This way you can quickly detect objects that may be instantiated in another user's session, leading to privilege escalation.