IE11: CShdocvwBroker::EditWith EPM Sandbox Escape

[GoogleCodeExporter]

IE11: CShdocvwBroker::EditWith EPM Sandbox Escape
Platform: Windows 8.1 Update 32/64 bit, IE11 
Class: Elevation of Privilege

The method CShdocvwBroker::EditWith calls ShellExecuteEx in the IE broker 
process based on input from the sandboxed process. There's a TOCTOU bug in the 
verification that the editing application is allowed through the elevation 
policy. The method uses the API AssocQueryStringByKey to extract the executable 
details from the passed registry key and checks it against the policy. It then 
calls ShellExecuteEx with the key and other parameters passed from the sandbox. 
It's therefore possible to change the registration between the 
AssocQueryStringByKey call and the ShellExecuteEx call to point to a different 
executable to escape the sandbox. 

This can be reliably exploited by identifying that ShellExecuteEx will call 
SHParseDisplayName on the lpFile parameter passed to it before looking up the 
registration details. This API will parse the path in a hierarchical manner so 
it's possible to place an oplock on a directory in the hierarchy and get 
notified when the broker is in ShellExecuteEx but before it looks up the 
registry information again. Once triggered we can rewrite the registry value 
for the executable, release the oplock and we get the sandbox escape. See the 
PoC for an implementation of this trick. 

Two other things of note. Firstly ShellExecuteEx seems to lookup the 
DelegateExecute class before the executable path, if found will use that 
instead. Therefore even if it wasn't possible to win the race it might be 
possible to find a suitable DelegateExecute class which would also allow 
escape. Also while the function is called EditWith it will take any verb not 
just 'edit' which seems counter intuitive. 

Provided is a PoC with 32 bit binaries and source. To test the PoC perform the 
following:

1) Copy injectdll.exe and testdll.dll to a directory.
2) Add ALL_APPLICATION_PACKAGES ACE to the directory to allow EPM to access the 
DLL
3) Ensure EPM is enabled in IE (and it's running 32 bit tabs).
4) Start desktop IE and navigate to an internet zone webpage. Right click the 
page and choose properties to verify page rendered with EPM
5) Find the PID of the EPM process then run 'injectdll pid testdll.dll'
6) If successful a message box should appear indicating that bootmgr has been 
opened. If you inspect the handle table of the IE EPM process a handle to 
bootmgr for read access should be present. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fors...@google.com on 21 Nov 2014 at 10:44

Attachments:

• poc.zip

[GoogleCodeExporter]

Original comment by fors...@google.com on 22 Nov 2014 at 8:28

• Added labels: MSRC-21084

[GoogleCodeExporter]

Bulletin: https://technet.microsoft.com/library/security/MS15-009

Original comment by cev...@google.com on 10 Feb 2015 at 7:09

• Changed state: Fixed
• Added labels: CVE-2015-0054, Fixed-2015-Feb-10

[GoogleCodeExporter]

Remove view restriction

Original comment by fors...@google.com on 18 Feb 2015 at 8:25

• Removed labels: Restrict-View-Commit