James Forshaw :donor: on Nostr: The second blog is about an interesting bug class in COM servers that implement ...
The second blog is about an interesting bug class in COM servers that implement IDispatch, which allows you to potentially create other objects in the process. For example every OOP COM server with IDispatch allows you to create a STDFONT object which isn’t really designed to be safely used cross process. To demo its usefulness I then use the trick to get code injection in a Windows-PPL process from where you could open protected LSASS etc.
https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html
Published at 2025-01-30 18:35:20
Event JSON
{
"id": "c32cffe9abdefea67f57335be9e25d40cbd822e90ffa3fc7343e403f9efd4132",
"pubkey": "706a8260a6dda46fbd813076c7df7072a9c25d8e9927974e9b1c8f0d6987b735",
"created_at": 1738262120,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/@tiraniddo/113918746339656953",
"web"
],
[
"proxy",
"https://infosec.exchange/users/tiraniddo/statuses/113918746339656953",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/tiraniddo/statuses/113918746339656953",
"pink.momostr"
],
[
"-"
]
],
"content": "The second blog is about an interesting bug class in COM servers that implement IDispatch, which allows you to potentially create other objects in the process. For example every OOP COM server with IDispatch allows you to create a STDFONT object which isn’t really designed to be safely used cross process. To demo its usefulness I then use the trick to get code injection in a Windows-PPL process from where you could open protected LSASS etc. https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html",
"sig": "5a51d9362dab895502212d1931cbd69bc78aee14069a8c73e11f3046de689e447b2d5f0212e877c1fee586c92604695c15c857f9c67ecc0602772f6f7e153297"
}