If you are unfamiliar with COM, it is a system for building binary software components that can work together. Microsoft’s system works independent from the platform, but it provides the underpinning for Microsoft’s OLE technology. OLE gives documents and other objects in Windows embedding and linking capabilities. COM also underpins Microsoft’s ActiveX framework, which allows content to be downloaded from a network. A flaw in Component Object Model would be problematic and give attackers access to Windows. To do so, hackers would inject code through Phantom COM objects. Windows will accept these objects as legitimate because they would be hidden behind trusted IDs, such as a known application. This would allow hackers to move past security protocols and inject malicious content into COM. If this file was to be executed on Windows, the system would be corrupted. To prove the method is real and the flaw genuine, Cyberbit developed a proof-of-concept. Interestingly, the test is actually quite easy to implement: “We mapped the registry keys which failed to find and load a file and attempted to use these keys to load our own dummy DLL,” the researchers explained. “As we expected, we were able to do this with numerous keys and successfully loaded and ran our DLL within the context of legitimate applications such as explorer.exe svchost and powershell.”
In the Wild
Cyberbit is the first to show how this technique works. Although, the company says it has spotted the exploit in the wild. However, the researchers say they expected more instances considering how easy the method is to implement: “We discovered that hundreds of registry keys are vulnerable to COM hijacking and Phantom COM Objects loading. This process is very easy for attackers to implement and does not require sophisticated or code injection which is more visible to detection platforms. It is more dangerous because it run using legitimate user privileges, often does not require reboot and may not have any visible side effects on the user.”