PoC Code Available for Microsoft Edge Remote Code Execution Bug

PoC Code Available for Microsoft Edge Remote Code Execution Bug
October 11, 2018
https://www.bleepingcomputer.com/ne...for-microsoft-edge-remote-code-execution-bug/

 

Weird bug, but I do wonder if this launched process is then also running restricted by AppContainer? Or is it a sandbox bypass?

 

Neither.

All AppContainer does is prevent Edge from local based code injection for the most part.

Note that Edge natively prevents any remote or non-Microsoft signed code from being injected using the same like WDEG mitigation options. The pen tester got around that by using a MS signed local based script:

Bottom line - one more of a legit Win feature being used maliciously.

 

So child processes launched by Edge don't run restricted by AppContainer?

 

Block vbs scripting and power shell would seem to be a simple prevention.

 

Yes, the child process runs in AppContainer. But this bypass is a remote code execution exploit. The DoublePulsar .dll loader did something similar. Think along the lines that I can jump to another section of memory not allocated to Edge, execute code there, and then return and have Edge continue on its clueless execution way.

 

Yes but that's the thing. The point of a sandbox is that even when you manage to exploit the browser, malware is still trapped and has limited options. Unless this is a sandbox bypass, but you say it didn't manage to bypass AppContainer.

 

First, I updated my prior posting. Done one of those mornings when I was half asleep.

I don't think you fully understand what AppContainer really does. Its primarily purpose like most sandboxes is to prevent IE11/Edge downloading garbage from the respective browser. It per se does not prevent browser code injection as you seem to believe.

Edge uses WDEG app mitigations to prevent code injection; namely as previously posted, the Code Integrity Guard mitigation which prevents non-Microsoft signed code from being loaded into Edge. The pen tester was able to bypass this mitigation by using a legit Microsoft signed .vbs script that is an OS file used for other purposes.

Case in point. Many AV vendors inject their .dll/s into IE11 even if it is running as AppContainer process. The same is not true for Edge since most of the .dll/s the AV vendors use are not Microsoft code signed. Chrome in its latest versions is also warning and will soon block like AV vendor .dll injection and is doing this by non-AppContainer methods.

This bypass is again another example of legit Win OS processes being used maliciously.

 

No, I think you're misunderstanding my point. It's not about code injection, to me it's about remote code execution. If a browser like Edge or Chrome gets exploited, then in theory the malware that is launched will run with limited rights, because of the AppContainer or Untrusted integrity. But seems like this specific exploit will simply make Edge run wscript.exe or powershell.exe, and apparently they run unrestricted so without AppContainer integrity.

 

Let's take it from the top. Here is the link to the pen tester's POC: https://leucosite.com/Microsoft-Edge-RCE/

What the guy discovered was that by using a specially crafted html request:

he could launch an external application from Edge. In this case, calc.exe.exe. In other words, calc.exe was running as a child process of Edge outside of AppContainer.

1. The above was accomplished when Edge seeing this code "href='wshfile:test" didn't know what to do with it since it was an unknown file type. So Edge passed control to the OS which in turn generated the standard prompt to select what app to run the file with.

It appears "wshfile:test" operates as a shell command similar to how rundll32.exe can be run for example.

2. The selection process was enhanced by:

3. Edge sees that wscript.exe is attempting to run a Microsoft code signed script, SyncAppvPublishingServer.vbs, and says "Oh, that's OK." However, what actually is run as a child process is calc.exe, or the malware .exe in reality.

Game over.

-EDIT- What might be confusing some with this POC is that Edge will not allow remote VBS code to run from a web server. However, no such restriction exists if the code is local based and it is validly signed.

Here's the Microsoft URI reference: https://docs.microsoft.com/en-us/windows/uwp/launch-resume/reserved-uri-scheme-names

 

BTW - this vulnerability was patched in the Win 10 Oct. cumulative update.

I verified same by running his POC code:

from Edge which yielded the following:

 

Bug is really patched. But I was able to test it on an unpatched system.

I tried a harmless file as a hypothetical malware. Comodo HIPS gave enough warnings.

Then tried Comoro auto-sandbox and it kicked in sandboxing powershell and later unknown malware.exe.

 

Exactly, and you would think that all child processes from Edge were run with AppContainer integrity, but this isn't the case. BTW, you already know this but this is an interesting article about AppContainer explaining why it's a powerful protection method.

https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/appcontainer-isolation

Good to see that Comodo easily blocked this, and also good to see you again Aigle. I remember in the past you were one of the more active members.

 

I wouldn't say so as long as researches keep finding injection vulnerabilities in Edge:

https://www.techrepublic.com/articl...were-just-bypassed-opening-door-for-exploits/

https://www.zdnet.com/article/windo...w-malicious-sites-can-exploit-microsoft-edge/

 

Thanks. These were good old days! No more time for this hobby now. Life got more busy.

 

Good thing in Comodo sandbox is that it automatically isolates command line processes and power shell commands. It is a great defense against fileless malware too.

 

Seems like the sandbox isn't as robust as Chrome's, but in general I do believe that AppContainer is pretty secure.

Yes we did spend hours and hours discussing HIPS, luckily I still got the time and I'm still fascinated by this stuff.

Yes, that's cool especially since Sandboxie can't sandbox Edge.

 

Comodo sandbox can't do this as well and as a matter of fact no sandbox is able to do this. Edge is a contained app already. However comodo will sandbox any unknown executable launched through edge including cmd.exe, power shell ( and may be scrips as well though I am not sure about scripts).

I sandboxie we can achieve this to some extent by auto-sandboxing cmd.exe and powershell.exe and wscript.exe.

Another great protection for edge browser is malwarebytes antiexploit.

 

New Microsoft Edge Browser Zero-Day RCE Exploit in the Works
November 4, 2018
https://www.bleepingcomputer.com/ne...ge-browser-zero-day-rce-exploit-in-the-works/

 

Hillarious!

 

This is indeed a bit embarrassing, but I would like to know if this is just one exploit being used to get both remote code execution and a sandbox bypass. Because often you also need to use a second Windows OS exploit to get privilege elevation. Of course such an exploit would be easily blocked by anti-executable.

 

According to the article, they haven't been able to do an Edge sandbox(AppContainer) bypass yet. But it appears they feel confident this can be done.

 

Then I must read the article again, I thought they mentioned a sandbox bypass.

 

BTW I tried it with MBAE and no peep from it so it seems that anti-exploits are also useless against zero day exploits just as AVs are useless against zero day malware.

 

Anyone knowsif any new POC is available?