Temptationx / google-security-research

Automatically exported from code.google.com/p/google-security-research

IE11 ImmutableApplicationSettings EPM Privilege Escalation #95

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Products affected: IE 11.0.9600.17239 Desktop in EPM. 

IE11 exposes a shared memory section to all tab processes which contains
configuration settings, named Immutable Application Settings. This contains
settings such as whether protected mode is currently enabled.

The vulnerability is due to a permissive DACL on the section object. While it's
shared read-only to all EPM tabs, the DACL permits the IE EPM SID to reopen the
section read/write. With this it's possible to unset the protected mode flag
for new tabs, then navigate to another page which exploits an RCE vulnerability.
The simplest way to achieve this is to just call ExitProcess in the exploit.
The tab recovery mechanism will restart the exploiting page automatically, but
now without EPM enabled. An attacker could then reuse their original RCE to
break out of the sandbox. It is probably also possible to directly escape from
a compromised sandbox process; however, I've not attempted to do that.

This might not work to break out of Metro mode IE as that shouldn't be able to
disable EPM; however, there might be other configuration settings accessible
which would weaken the security of the browser, such as COM proxy wrappers.

Provided is a PoC with 32-bit binaries and source. To test the PoC perform the
following:

1) Copy injectdll.exe and testdll.dll to a directory.
2) Add an ALL_APPLICATION_PACKAGES ACE to the directory to allow EPM to access the
DLL.
3) Ensure EPM is enabled in IE (and it's running in 32-bit mode). It doesn't work
in normal PM (the DACL is correct in PM's case).
4) Start desktop IE and navigate to an internet zone webpage. Right-click the
page and choose Properties to verify the page rendered with EPM.
5) Find the PID of the EPM process, then run 'injectdll pid exploit.dll'.
6) Tab recovery should reload the web page; if you now right-click Properties,
it should indicate that there's no longer any protected mode enabled.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fors...@google.com on 21 Aug 2014 at 12:06
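
An audit check for the weakness class described in this report, added here as an example and not part of the original report or its PoC: it opens an existing named section read-only and lists any ACE that grants write-class rights to an AppContainer or package SID (the S-1-15-2-* family, which includes ALL_APPLICATION_PACKAGES and per-app EPM SIDs). The section name is an assumed placeholder, since the report does not give the object name of the Immutable Application Settings section; the function name and the S-1-15-2-* prefix test are my choices. It requires Windows and the .NET Framework MemoryMappedFile APIs.

```powershell
# Added audit helper (not from the original report). Reports ACEs on a named
# section that let an AppContainer / package SID reopen it for write, which is
# the condition the report describes for the Immutable Application Settings
# section. The section name must be supplied; it is not given in the report.
Add-Type -AssemblyName System.Core

function Test-SectionAppContainerWrite {
    param([Parameter(Mandatory)][string]$SectionName)

    $rightsType = [System.IO.MemoryMappedFiles.MemoryMappedFileRights]
    # Open with READ_CONTROL only; we never need a mapping, just the DACL.
    $mmf = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting(
        $SectionName, $rightsType::ReadPermissions)
    try {
        $sec   = $mmf.GetAccessControl()
        $rules = $sec.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        # Rights that allow changing the section contents or its DACL/owner.
        $writeMask = [int]$rightsType::Write -bor
                     [int]$rightsType::ChangePermissions -bor
                     [int]$rightsType::TakeOwnership
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne 'Allow') { continue }
            $sid = $r.IdentityReference.Value
            $grantsWrite = (([int]$r.Rights) -band $writeMask) -ne 0
            # Assumption: any S-1-15-2-* principal is a package/AppContainer SID.
            if ($grantsWrite -and ($sid -like 'S-1-15-2-*')) {
                [pscustomobject]@{
                    Section = $SectionName
                    Sid     = $sid
                    Rights  = $r.Rights
                    Finding = 'AppContainer SID can reopen section for write'
                }
            }
        }
    }
    finally { $mmf.Dispose() }
}

# Placeholder name: replace with the actual section object name under test.
Test-SectionAppContainerWrite -SectionName 'Local\PLACEHOLDER_SECTION_NAME'
```

Run it as the same desktop user while IE is running so the section exists in your session's Local namespace; an empty result means no package SID can reopen that section for write.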

GoogleCodeExporter commented 9 years ago

Original comment by fors...@google.com on 29 Aug 2014 at 2:21

GoogleCodeExporter commented 9 years ago

Original comment by fors...@google.com on 12 Nov 2014 at 11:02

GoogleCodeExporter commented 9 years ago

Original comment by fors...@google.com on 12 Nov 2014 at 11:04

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 20 Nov 2014 at 12:51

GoogleCodeExporter commented 9 years ago
MS bulletin: https://technet.microsoft.com/library/security/MS14-065

Original comment by cev...@google.com on 20 Nov 2014 at 1:04