Nytro

IE11 EPM Parent Process DACL Sandbox Escape

Products affected: IE 11.0.9600.17239 in EPM.

When running in EPM the main IE process running at medium has a weak DACL which allows sandboxed IE tabs to open the process with PROCESS_VM_READ access. This could allow an attacker to read out process secret information and potentially break out of the sandbox.

The most immediate PoC I could come up with is abusing the CShDocVwBroker::GetFileHandle function. This is used to get a file read handle to a process but relies on having a SHA256_HMAC hash of the file path where the secret value is generated on a per-process basis. With the read access we can extract the per-process secret value and forge a valid token to access any file on the file system which the EPM process would not normally be able to do.

However I know it's possible to use this access to attack other things to achieve a full sandbox escape.

Provided is a PoC with 64 bit binaries and source. To test the PoC perform the following:

1) Copy injectdll.exe and testdll.dll to a directory.

2) Add an ALL_APPLICATION_PACKAGES ACE to the directory to allow EPM to access the DLL.

3) Ensure EPM is enabled in IE (and it's running 64 bit tabs).

4) Start desktop IE and navigate to an internet zone webpage. Right click the page and choose Properties to verify the page rendered with EPM.

5) Find the PID of the EPM process, then run 'injectdll pid testdll.dll'.

6) If successful, a message box should appear indicating that bootmgr has been opened. If you inspect the handle table of the IE EPM process, a handle to bootmgr for read access should be present.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: poc.7z (69.0 KB)

Source: https://code.google.com/p/google-security-research/issues/detail?id=97&can=1
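A defender-side check for the weak-DACL condition the report describes, added here as an example and not part of the original report or its PoC: given a process security descriptor in SDDL form, it lists the allow ACEs that hand PROCESS_VM_READ to an AppContainer SID (ALL APPLICATION PACKAGES or a package SID), which is what a sandboxed tab would need to open the medium-integrity parent. The sample descriptors, the function names and the assumption that GENERIC_READ/GENERIC_ALL map onto PROCESS_VM_READ for process objects are constructed for this example.

```python
import re

# Process-object access bits from winnt.h that this check cares about.
PROCESS_VM_READ = 0x0010
GENERIC_READ = 0x80000000
GENERIC_ALL = 0x10000000
# Two-letter SDDL rights aliases and the mask bits they expand to. "RP" is the
# object-specific bit 0x10, which on a process object is PROCESS_VM_READ.
SDDL_RIGHTS = {"GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": 0x40000000,
               "GX": 0x20000000, "RC": 0x20000, "SD": 0x10000, "WD": 0x40000,
               "WO": 0x80000, "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8,
               "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_rights(field):
    """Turn an SDDL rights field (hex such as 0x1fffff, or aliases such as GRGX) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return sum(SDDL_RIGHTS[field[i:i + 2]] for i in range(0, len(field), 2))

def grants_vm_read(mask):
    # Assumption: the process generic mapping expands GENERIC_READ/GENERIC_ALL to include VM_READ.
    return bool(mask & (PROCESS_VM_READ | GENERIC_READ | GENERIC_ALL))

def is_appcontainer_sid(sid):
    """ALL APPLICATION PACKAGES ("AC" alias, S-1-15-2-1) or any package SID under S-1-15-2-."""
    return sid == "AC" or sid.startswith("S-1-15-2-")

def appcontainer_vm_read_aces(sddl):
    """Allow ACEs in the DACL that grant PROCESS_VM_READ to an AppContainer SID.

    A deny ACE for the same SID covering the bit, listed earlier (canonical order),
    blocks later allows and so is not reported."""
    dacl_match = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    dacl = dacl_match.group(1) if dacl_match else ""
    denied, hits = set(), []
    for ace in ACE_RE.findall(dacl):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        mask = parse_rights(rights)
        if not (is_appcontainer_sid(sid) and grants_vm_read(mask)):
            continue
        if ace_type == "D":
            denied.add(sid)
        elif ace_type == "A" and sid not in denied:
            hits.append((sid, hex(mask)))
    return hits

# Constructed samples: a parent-process DACL that lets ALL APPLICATION PACKAGES open
# it with PROCESS_VM_READ (0x10), and the same DACL with only query rights (0x1400).
WEAK_DACL = "O:BAG:BAD:(A;;0x1fffff;;;BA)(A;;0x1fffff;;;SY)(A;;0x1410;;;AC)"
HARDENED_DACL = "O:BAG:BAD:(A;;0x1fffff;;;BA)(A;;0x1fffff;;;SY)(A;;0x1400;;;AC)"
```

Run `appcontainer_vm_read_aces` over the SDDL of each medium-integrity broker process that hosts sandboxed children; any hit is an ACE to tighten.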
