staticanalysis / google-security-research

Automatically exported from code.google.com/p/google-security-research

IE11 EPM Parent Process DACL Sandbox Escape #97

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Products affected: IE 11.0.9600.17239 in EPM. 

When running in EPM, the main IE process (running at medium) has a weak DACL which
allows sandboxed IE tabs to open the process with PROCESS_VM_READ access. This
could allow an attacker to read out process secret information and potentially
break out of the sandbox.

The most immediate PoC I could come up with is abusing the
CShDocVwBroker::GetFileHandle function. This is used to get a file read handle
to a process but relies on having a SHA256_HMAC hash of the file path, where the
secret value is generated on a per-process basis. With the read access we can
extract the per-process secret value and forge a valid token to access any file
on the file system, which the EPM process would not normally be able to do.

However, I know it's possible to use this access to attack other things to
achieve a full sandbox escape.

Provided is a PoC with 64-bit binaries and source. To test the PoC, perform the
following:

1) Copy injectdll.exe and testdll.dll to a directory.
2) Add an ALL_APPLICATION_PACKAGES ACE to the directory to allow EPM to access the
DLL.
3) Ensure EPM is enabled in IE (and it's running 64-bit tabs).
4) Start desktop IE and navigate to an internet zone webpage. Right-click the
page and choose Properties to verify the page rendered with EPM.
5) Find the PID of the EPM process, then run 'injectdll pid testdll.dll'.
6) If successful, a message box should appear indicating that bootmgr has been
opened. If you inspect the handle table of the IE EPM process, a handle to
bootmgr for read access should be present.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fors...@google.com on 21 Aug 2014 at 10:35
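The root cause described in the report is a process DACL that grants an AppContainer SID (ALL APPLICATION PACKAGES, S-1-15-2-1, or a per-package S-1-15-2-* / capability S-1-15-3-* SID) the PROCESS_VM_READ right on the medium-integrity broker. The following is an added auditing example, not part of the original report or its PoC: it parses a process security descriptor in SDDL form and flags allow ACEs that would let an AppContainer read the process's memory. It assumes the SDDL string has already been obtained from a process handle (for example with GetSecurityInfo and ConvertSecurityDescriptorToStringSecurityDescriptor); the two sample descriptors are constructed for illustration, and the generic-to-specific expansion uses the documented process generic mapping (GENERIC_READ on a process includes PROCESS_VM_READ and PROCESS_QUERY_INFORMATION).

```python
"""Flag process DACL entries that give AppContainer SIDs PROCESS_VM_READ.

Added example (not from the original report). Input is an SDDL string obtained
out of band from a process handle; the samples below are constructed.
"""
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
STANDARD_RIGHTS_READ = 0x00020000
GENERIC_ALL = 0x10000000
GENERIC_READ = 0x80000000

# Two-letter SDDL rights codes that may appear in place of a hex access mask.
SDDL_RIGHTS = {
    "GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
}

# Well-known SID aliases that are enough for process descriptors.
SDDL_SIDS = {"AC": "S-1-15-2-1", "BA": "S-1-5-32-544", "SY": "S-1-5-18",
             "WD": "S-1-1-0", "BU": "S-1-5-32-545"}


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, etc.
    flags: str      # inheritance flags, usually empty on a process
    mask: int       # raw access mask as written in the ACE
    sid: str        # trustee SID in S-1-... form


def parse_rights(field: str) -> int:
    """Turn the SDDL rights field (hex or concatenated two-letter codes) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL rights code {code!r}")
        mask |= SDDL_RIGHTS[code]
    return mask


def parse_dacl(sddl: str) -> list[Ace]:
    """Extract the ACEs of the D: section; other sections (O:, G:, S:) are ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, flags, rights, _obj, _inh_obj, sid = fields
        aces.append(Ace(ace_type, flags, parse_rights(rights), SDDL_SIDS.get(sid, sid)))
    return aces


def is_appcontainer_sid(sid: str) -> bool:
    """S-1-15-2-* are package/ALL APPLICATION PACKAGES SIDs, S-1-15-3-* capability SIDs."""
    return sid.startswith("S-1-15-2-") or sid.startswith("S-1-15-3-")


def grants_vm_read(mask: int) -> bool:
    """True if the mask reaches PROCESS_VM_READ directly or via the process generic mapping."""
    if mask & GENERIC_ALL:
        return True
    if mask & GENERIC_READ:
        mask |= STANDARD_RIGHTS_READ | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
    return bool(mask & PROCESS_VM_READ)


def find_weak_aces(sddl: str) -> list[Ace]:
    """Allow ACEs that hand an AppContainer SID read access to process memory.

    Deny ACEs and group membership are not evaluated; this is a triage filter,
    not a full access check.
    """
    return [a for a in parse_dacl(sddl)
            if a.ace_type == "A" and is_appcontainer_sid(a.sid) and grants_vm_read(a.mask)]


# Constructed samples: a broker whose DACL grants AC query + VM read (0x1410),
# and the same descriptor with AC limited to PROCESS_QUERY_LIMITED_INFORMATION.
WEAK_SDDL = ("O:BAG:BAD:(A;;0x1fffff;;;SY)(A;;0x1fffff;;;BA)"
             "(A;;0x1fffff;;;S-1-5-21-1-2-3-1001)(A;;0x1410;;;AC)")
HARDENED_SDDL = ("O:BAG:BAD:(A;;0x1fffff;;;SY)(A;;0x1fffff;;;BA)"
                 "(A;;0x1fffff;;;S-1-5-21-1-2-3-1001)(A;;0x1000;;;AC)")

if __name__ == "__main__":
    for label, sddl in (("weak", WEAK_SDDL), ("hardened", HARDENED_SDDL)):
        hits = find_weak_aces(sddl)
        print(f"{label}: {len(hits)} AppContainer ACE(s) with VM read")
        for ace in hits:
            print(f"  {ace.sid} mask=0x{ace.mask:x}")
```

In the weak descriptor the `AC` entry is reported; in the hardened one the AppContainer SID keeps only PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and nothing is flagged, which is the shape a fixed broker DACL should have.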


GoogleCodeExporter commented 9 years ago

Original comment by fors...@google.com on 29 Aug 2014 at 2:22

GoogleCodeExporter commented 9 years ago

Original comment by fors...@google.com on 12 Nov 2014 at 11:03

GoogleCodeExporter commented 9 years ago

Original comment by fors...@google.com on 12 Nov 2014 at 11:04

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 20 Nov 2014 at 12:52

GoogleCodeExporter commented 9 years ago
MS bulletin: https://technet.microsoft.com/library/security/MS14-065

Original comment by cev...@google.com on 20 Nov 2014 at 1:05

GoogleCodeExporter commented 9 years ago
Added new PoC

Original comment by fors...@google.com on 1 Dec 2014 at 7:49
