Analysis of IE sandbox Privilege Elevation Vulnerability (CVE-2015-0016)
Microsoft's scheduled Patch Tuesday this month includes MS15-004, which fixes an Elevation of Privilege vulnerability (CVE-2015-0016), a very rare vulnerability in the IE sandbox. A researcher at Trend Micro analyzed the vulnerability in detail.
Patch details
The patch modifies tswbprxy.exe, an ActiveX control that serves as the network proxy program for Microsoft Remote Desktop services.
First, I used the IDA plug-in Patchdiff2 to view the modifications made by the patch; it modifies the function CTSWebProxy::StartRemoteDesktop.
I then loaded TSWbPrxy.exe with OleView and viewed CTSWebProxy::StartRemoteDesktop.
Definition of StartRemoteDesktop
I found that StartRemoteDesktop has two parameters related to mstsc.exe, the Remote Desktop program:
bstrMstsc: the file path of mstsc.exe; bstrArguments: the command-line arguments for mstsc.exe
StartRemoteDesktop ultimately creates a process to start mstsc.exe. I used the IDA plug-in to compare the patched and unpatched versions more carefully:
What is the difference between a patched version and an unpatched version?
The picture on the left shows the patched version, the one on the right the unpatched version. In the patched version, the check_path function (gray part) is called before CreateProcessW; this function is not called in the unpatched version.
Let's take a closer look at this function:
Check_path code
The function takes one parameter (lpApplicationName) and executes as follows:
1. Check the length of lpApplicationName; if it is greater than 0x104, return the error 0x80075007.
2. Format lpApplicationName, converting the character '/' to '\', and save the result in var_formatApplicationName.
3. Call CompareStringW to compare SystemDirectory + "\mstsc.exe" with var_formatApplicationName; if the two are the same, check_path returns 0.
4. Call CompareStringW to compare SystemWow64Directory + "\mstsc.exe" with var_formatApplicationName; if the two are the same, check_path returns 0; otherwise, return the error 0x80075007.
Let's look at how Microsoft fixed the vulnerability. The patched program checks whether lpApplicationName points to the Remote Desktop program in the system folder (C:\Windows\System32 for 32-bit systems, C:\Windows\SysWOW64 for 64-bit). If it matches, the process is created; otherwise, an error is returned.
The principle of the vulnerability is simple: StartRemoteDesktop is meant to start the Remote Desktop program mstsc.exe, but the unpatched program does not check the lpApplicationName parameter, so an attacker can change lpApplicationName to start any other process.
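To make the four steps concrete, here is an added C re-implementation of the check_path logic described above (example code written for this analysis, not Microsoft's code): the system folder strings are constructed constants, and the case-insensitive comparison stands in for CompareStringW, whose flags the article does not show.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_APP_PATH 0x104         /* length limit checked by the patch */
#define E_BAD_PATH   0x80075007u   /* error code returned by check_path */

/* Constructed stand-ins for the system folders; the real code obtains them
   from the OS rather than from constants. */
static const char *kSystemDir = "C:\\Windows\\System32";
static const char *kWow64Dir  = "C:\\Windows\\SysWOW64";

/* Case-insensitive compare. The patch uses CompareStringW and the page does
   not show its flags, so ignoring case is an assumption of this example. */
static int path_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Re-implementation of the four steps attributed to check_path:
   returns 0 when app_name is mstsc.exe in one of the two system folders,
   E_BAD_PATH for any other string (including a too-long one). */
unsigned int check_path(const char *app_name) {
    char formatted[MAX_APP_PATH + 1], expected[MAX_APP_PATH + 32];
    size_t len = strlen(app_name), i;

    if (len > MAX_APP_PATH) return E_BAD_PATH;      /* step 1: length check */
    for (i = 0; i < len; i++)                       /* step 2: '/' -> '\' */
        formatted[i] = (app_name[i] == '/') ? '\\' : app_name[i];
    formatted[len] = '\0';

    snprintf(expected, sizeof expected, "%s\\mstsc.exe", kSystemDir);  /* step 3 */
    if (path_equal(expected, formatted)) return 0;
    snprintf(expected, sizeof expected, "%s\\mstsc.exe", kWow64Dir);   /* step 4 */
    if (path_equal(expected, formatted)) return 0;
    return E_BAD_PATH;
}

int main(void) {
    const char *samples[] = {
        "C:\\Windows\\System32\\mstsc.exe",  /* accepted */
        "C:/Windows/SysWOW64/mstsc.exe",     /* accepted after '/' -> '\' */
        "C:\\Windows\\System32\\cmd.exe",    /* rejected: not mstsc.exe */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> 0x%08x\n", samples[i], check_path(samples[i]));
    return 0;
}
```

Note that the check is an exact string allow-list, not a file-system lookup: any path that does not normalize to one of the two expected strings is rejected.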
The following is the unpatched version code.
Unpatched version code
This allows attackers to bypass the IE sandbox.
To bypass the IE sandbox, we first need to know the sandbox's elevation policy. The elevation policy determines how a process is started and with what privileges. Policies are stored under the registry key:
HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{GUID}
The Registry Key has the following values:
AppName: name of the program executable; AppPath: path of the program; Policy: privilege level of the program
Different levels of privilege
For a process with policy level 3, the IE sandbox runs the process at medium integrity level (the permissions of the current user).
The privilege level of tswbprxy.exe is exactly 3.
TSWbPryx.exe registry key
An attacker can exploit another vulnerability to run arbitrary code through IE. As mentioned earlier, because of IE's sandbox mechanism that code may be restricted to running at low integrity level (with limited permissions). With this vulnerability, the attacker can execute arbitrary code at medium integrity level (current user permissions): the TSWbPrxy ActiveX control is used to call StartRemoteDesktop, and the chosen program then runs with the higher privilege level. For example, the resulting process has tswbprxy.exe as its parent.
We can combine this vulnerability with CVE-2014-6332 to bypass the IE sandbox and run the program at medium integrity level.
In addition, CVE-2014-6332 can also be used to bypass the ActiveX security mechanism, that is, IE does not display a prompt window like this but runs the controls directly.
The final result is that attackers can run certain programs at a moderate integrity level, as shown in