IE11: CShdocvwBroker::EditWith EPM Sandbox Escape
Platform: Windows 8.1 Update 32/64 bit, IE11
Class: Elevation of Privilege
The method CShdocvwBroker::EditWith calls ShellExecuteEx in the IE broker process based on input from the sandboxed process. There's a TOCTOU bug in the verification that the editing application is allowed through the elevation policy. The method uses the API AssocQueryStringByKey to extract the executable details from the passed registry key and checks it against the policy. It then calls ShellExecuteEx with the key and other parameters passed from the sandbox. It's therefore possible to change the registration between the AssocQueryStringByKey call and the ShellExecuteEx call to point to a different executable to escape the sandbox.
This can be reliably exploited by identifying that ShellExecuteEx will call SHParseDisplayName on the lpFile parameter passed to it before looking up the registration details. This API will parse the path in a hierarchical manner so it's possible to place an oplock on a directory in the hierarchy and get notified when the broker is in ShellExecuteEx but before it looks up the registry information again. Once triggered we can rewrite the registry value for the executable, release the oplock and we get the sandbox escape. See the PoC for an implementation of this trick.
Two other things of note. Firstly, ShellExecuteEx seems to look up the DelegateExecute class before the executable path and, if found, will use that instead. Therefore, even if it weren't possible to win the race, it might be possible to find a suitable DelegateExecute class which would also allow escape. Also, while the function is called EditWith, it will take any verb, not just 'edit', which seems counterintuitive.
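To make the check-then-use pattern concrete from the defender's side, here is an added toy model (not code from the report or from IE) of the broker logic: the association key is resolved once for the policy check and then handed to the launcher, which resolves it a second time. The registry, policy list, key name and paths are constructed stand-ins; the `on_read` hook simulates the registration being rewritten between the two lookups, and the fixed variant launches the value that was actually verified.

```python
"""Toy model of a broker EditWith-style check-then-use (TOCTOU) flaw and its fix."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed elevation policy: executables the broker may launch for the sandbox.
ALLOWED_EXECUTABLES = {r"C:\Windows\System32\notepad.exe"}


@dataclass
class FakeRegistry:
    """Stand-in for the association key the sandboxed process passes by name."""
    assoc: Dict[str, str]
    # Hook used by a caller to mutate a registration right after the first read,
    # modelling a concurrent rewrite between the policy check and the launch.
    on_read: Optional[Callable[[str], None]] = None

    def query_executable(self, key: str) -> str:
        # Models AssocQueryStringByKey: association key -> executable path.
        exe = self.assoc[key]
        if self.on_read is not None:
            self.on_read(key)
        return exe


def policy_allows(exe: str) -> bool:
    return exe in ALLOWED_EXECUTABLES


def shell_execute_by_key(reg: FakeRegistry, key: str) -> str:
    """Models ShellExecuteEx given the key: it resolves the key again on its own."""
    return reg.assoc[key]


def edit_with_vulnerable(reg: FakeRegistry, key: str) -> str:
    """Check the resolved executable, then launch by key (re-resolved). Returns what runs."""
    exe = reg.query_executable(key)          # check
    if not policy_allows(exe):
        raise PermissionError(exe)
    return shell_execute_by_key(reg, key)    # use: second lookup, can differ


def edit_with_fixed(reg: FakeRegistry, key: str) -> str:
    """Check the resolved executable and launch exactly that path, never the key."""
    exe = reg.query_executable(key)
    if not policy_allows(exe):
        raise PermissionError(exe)
    return exe                               # use the value that was verified
```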
Provided is a PoC with 32 bit binaries and source. To test the PoC perform the following:
1) Copy injectdll.exe and testdll.dll to a directory.
2) Add an ALL_APPLICATION_PACKAGES ACE to the directory to allow EPM to access the DLL.
3) Ensure EPM is enabled in IE (and it's running 32 bit tabs).
4) Start desktop IE and navigate to an internet zone webpage. Right click the page and choose Properties to verify the page rendered with EPM.
5) Find the PID of the EPM process then run 'injectdll pid testdll.dll'
6) If successful a message box should appear indicating that bootmgr has been opened. If you inspect the handle table of the IE EPM process a handle to bootmgr for read access should be present.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.