Nytro Posted December 1, 2014

IE11 ImmutableApplicationSettings EPM Privilege Escalation

Products affected: IE 11.0.9600.17239 Desktop in EPM.

IE11 exposes a shared memory section to all tab processes which contains configuration settings, named Immutable Application Settings. This contains settings such as whether protected mode is currently enabled. The vulnerability is due to a permissive DACL on the section object. While it's shared read-only to all EPM tabs, the DACL permits the IE EPM SID to reopen the section read/write. With this it's possible to unset the protected mode flag for new tabs, then navigate to another page which exploits an RCE vulnerability. The simplest way to achieve this is to just call ExitProcess in the exploit. The tab recovery mechanism will restart the exploiting page automatically, but now without EPM enabled. An attacker could then reuse their original RCE to break out of the sandbox. It is probably also possible to directly escape from a compromised sandbox process; however, I've not attempted to do that.

This might not work to break out of Metro mode IE, as that shouldn't be able to disable EPM; however, there might be other configuration settings accessible which would weaken the security of the browser, such as COM proxy wrappers.

Provided is a PoC with 32 bit binaries and source. To test the PoC perform the following:

1) Copy injectdll.exe and testdll.dll to a directory.
2) Add an ALL_APPLICATION_PACKAGES ACE to the directory to allow EPM to access the DLL.
3) Ensure EPM is enabled in IE (and it's running in 32 bit mode). It doesn't work in normal PM (the DACL is correct in PM's case).
4) Start desktop IE and navigate to an internet zone webpage. Right click the page and choose Properties to verify the page rendered with EPM.
5) Find the PID of the EPM process, then run 'injectdll pid exploit.dll'.
6) Tab recovery should reload the web page; if you now right click Properties it should indicate that there's no longer any protected mode enabled.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: poc.7z (84.3 KB)

Source: https://code.google.com/p/google-security-research/issues/detail?id=95&can=1
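The root cause above is a DACL on a shared section that grants the sandboxed principal write access to an object it should only be able to read. The following is an added audit helper, not code from the report, from the forum post or from Internet Explorer: it parses a section's DACL given as an SDDL string and runs a simplified model of the Windows access check to answer "can this sandbox token map the section for writing?". The AppContainer SID, the token group set and both SDDL strings are constructed for illustration; the real EPM package SID and the section's name are not given in the report. The generic-to-specific right mapping uses the documented section object rights (SECTION_QUERY 0x1, SECTION_MAP_WRITE 0x2, SECTION_MAP_READ 0x4, SECTION_MAP_EXECUTE 0x8, SECTION_ALL_ACCESS 0xF001F).

```python
"""Audit a section object's SDDL DACL for write access granted to a sandbox token.

Added example (not part of the original report). Models the first-match DACL
walk: a matching deny ACE that overlaps any still-unsatisfied bit denies,
matching allow ACEs accumulate, and access is granted once every desired bit
has been allowed. Group membership, owner rights and integrity labels are
simplified to "the token carries this set of SIDs".
"""
import re

GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
SECTION_QUERY, SECTION_MAP_WRITE, SECTION_MAP_READ, SECTION_MAP_EXECUTE = 0x1, 0x2, 0x4, 0x8
SECTION_ALL_ACCESS = 0x000F001F
READ_CONTROL = 0x00020000  # STANDARD_RIGHTS_READ/WRITE/EXECUTE all equal READ_CONTROL

# Subset of SDDL access-right abbreviations; hex masks are also accepted.
RIGHT_ABBREV = {
    "GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": GENERIC_WRITE, "GX": GENERIC_EXECUTE,
    "RC": READ_CONTROL, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
}
# Subset of SDDL well-known SID abbreviations. AC = ALL APPLICATION PACKAGES.
SID_ABBREV = {"AC": "S-1-15-2-1", "BA": "S-1-5-32-544", "SY": "S-1-5-18", "WD": "S-1-1-0"}


def parse_rights(text):
    """'GRGW' -> GENERIC_READ | GENERIC_WRITE; '0x2' -> 2."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHT_ABBREV[text[i:i + 2]]
    return mask


def map_generic_section(mask):
    """Expand GENERIC_* bits into section-specific rights (object manager mapping)."""
    out = mask & 0x0FFFFFFF
    if mask & GENERIC_READ:
        out |= READ_CONTROL | SECTION_QUERY | SECTION_MAP_READ
    if mask & GENERIC_WRITE:
        out |= READ_CONTROL | SECTION_MAP_WRITE
    if mask & GENERIC_EXECUTE:
        out |= READ_CONTROL | SECTION_MAP_EXECUTE
    if mask & GENERIC_ALL:
        out |= SECTION_ALL_ACCESS
    return out


def parse_dacl(sddl):
    """Return [(ace_type, section_mask, sid)] for the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []  # no DACL component: treat as granting nothing
    aces = []
    for inner in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = inner.split(";")
        aces.append((ace_type, map_generic_section(parse_rights(rights)), SID_ABBREV.get(sid, sid)))
    return aces


def access_check(sddl, token_sids, desired):
    """Simplified DACL evaluation for a token holding `token_sids`."""
    remaining = map_generic_section(desired)
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False  # explicit deny on a still-needed bit wins
        if ace_type == "A":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


def sandbox_can_write(sddl, sandbox_sids):
    """True when the sandbox token can reopen the section with SECTION_MAP_WRITE."""
    return access_check(sddl, sandbox_sids, SECTION_MAP_WRITE)


# Constructed AppContainer SID standing in for the (unpublished) EPM tab package SID.
EPM_SID = "S-1-15-2-1111111111-2222222222-3333333333-4444444444-5555555555-6666666666-7777777777"
# Constructed token: package SID, ALL APPLICATION PACKAGES, Everyone.
EPM_TOKEN = {EPM_SID, SID_ABBREV["AC"], SID_ABBREV["WD"]}

# Constructed DACL of the shape the report describes: the sandbox SID gets full control.
PERMISSIVE = "D:(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;" + EPM_SID + ")"
# Constructed hardened DACL: the broker keeps full control, sandbox principals get read only.
HARDENED = "D:(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;AC)"

if __name__ == "__main__":
    for name, sddl in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, "sandbox write:", sandbox_can_write(sddl, EPM_TOKEN),
              "sandbox read:", access_check(sddl, EPM_TOKEN, SECTION_MAP_READ))
```

The useful check is the second one: a sandboxed principal should still be able to map the section for reading, so a DACL fix has to keep read access for the AppContainer group while dropping every ACE that expands to SECTION_MAP_WRITE for any SID the sandbox token carries. Note that `GA` on an ACE for the sandbox SID is enough to fail the audit even though the section is handed to the tab read-only, which is exactly the condition the report describes.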