PoC Code Available for Microsoft Edge Remote Code Execution Bug

Discussion in 'other security issues & news' started by mood, Oct 12, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,368
    PoC Code Available for Microsoft Edge Remote Code Execution Bug
    October 11, 2018
    https://www.bleepingcomputer.com/ne...for-microsoft-edge-remote-code-execution-bug/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,961
    Location:
    The Netherlands
    Weird bug, but I do wonder if this launched process is then also running restricted by AppContainer? Or is it a sandbox bypass?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,890
    Location:
    U.S.A.
    Neither.

All AppContainer does is prevent Edge from local-based code injection, for the most part.

Note that Edge natively prevents any remote or non-Microsoft-signed code from being injected, using the same WDEG-like mitigation options. The pen tester got around that by using an MS-signed local-based script:
    Bottom line - one more of a legit Win feature being used maliciously.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,961
    Location:
    The Netherlands
    So child processes launched by Edge don't run restricted by AppContainer?
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,929
    Location:
    U.S.A. (South)
Blocking VBS scripting and PowerShell would seem to be a simple prevention.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,890
    Location:
    U.S.A.
    Yes, the child process runs in AppContainer. But this bypass is a remote code execution exploit. The DoublePulsar .dll loader did something similar. Think along the lines that I can jump to another section of memory not allocated to Edge, execute code there, and then return and have Edge continue on its clueless execution way.
     
    Last edited: Oct 19, 2018
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,961
    Location:
    The Netherlands
    Yes but that's the thing. The point of a sandbox is that even when you manage to exploit the browser, malware is still trapped and has limited options. Unless this is a sandbox bypass, but you say it didn't manage to bypass AppContainer.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,890
    Location:
    U.S.A.
First, I updated my prior posting. Done on one of those mornings when I was half asleep.

I don't think you fully understand what AppContainer really does. Its primary purpose, like most sandboxes, is to prevent IE11/Edge downloading garbage from the respective browser. It per se does not prevent browser code injection as you seem to believe.

Edge uses WDEG app mitigations to prevent code injection; namely, as previously posted, the Code Integrity Guard mitigation, which prevents non-Microsoft-signed code from being loaded into Edge. The pen tester was able to bypass this mitigation by using a legit Microsoft-signed .vbs script that is an OS file used for other purposes.

Case in point. Many AV vendors inject their .dll/s into IE11 even if it is running as an AppContainer process. The same is not true for Edge since most of the .dll/s the AV vendors use are not Microsoft code signed. Chrome in its latest versions is also warning about, and will soon block, such AV vendor .dll injection, and is doing this by non-AppContainer methods.

    This bypass is again another example of legit Win OS processes being used maliciously.
     
    Last edited: Oct 19, 2018
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,961
    Location:
    The Netherlands
    No, I think you're misunderstanding my point. It's not about code injection, to me it's about remote code execution. If a browser like Edge or Chrome gets exploited, then in theory the malware that is launched will run with limited rights, because of the AppContainer or Untrusted integrity. But seems like this specific exploit will simply make Edge run wscript.exe or powershell.exe, and apparently they run unrestricted so without AppContainer integrity.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,890
    Location:
    U.S.A.
    Let's take it from the top. Here is the link to the pen tester's POC: https://leucosite.com/Microsoft-Edge-RCE/

What the guy discovered was that by using a specially crafted HTML request:
he could launch an external application from Edge. In this case, calc.exe. In other words, calc.exe was running as a child process of Edge outside of AppContainer.

1. The above was accomplished when Edge, seeing this code "href='wshfile:test", didn't know what to do with it since it was an unknown file type. So Edge passed control to the OS, which in turn generated the standard prompt to select what app to run the file with.

    It appears "wshfile:test" operates as a shell command similar to how rundll32.exe can be run for example.

    2. The selection process was enhanced by:
    3. Edge sees that wscript.exe is attempting to run a Microsoft code signed script, SyncAppvPublishingServer.vbs, and says "Oh, that's OK." However, what actually is run as a child process is calc.exe, or the malware .exe in reality.

    Game over.

-EDIT- What might be confusing some with this POC is that Edge will not allow remote VBS code to run from a web server. However, no such restriction exists if the code is local-based and it is validly signed.

    Here's the Microsoft URI reference: https://docs.microsoft.com/en-us/windows/uwp/launch-resume/reserved-uri-scheme-names
     
    Last edited: Oct 20, 2018
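As an added, defender-side example (not code from this thread, from the PoC author, or from Microsoft), here is a small Python script that scans process-creation telemetry for the chain described in the post above: an Edge process spawning a script host such as wscript.exe or powershell.exe outside AppContainer, a script host running the Microsoft-signed SyncAppvPublishingServer.vbs, and a script host in turn launching powershell.exe. The pipe-separated key=value event layout, the field names (loosely modelled on Sysmon Event ID 1, including IntegrityLevel=AppContainer) and all sample lines are constructed assumptions for this example; the argument lists are deliberately omitted.

```python
"""Flag suspicious Edge child processes in constructed process-creation events.

Assumptions (not from the thread): events are one-per-line, pipe-separated
key=value pairs with Sysmon-like field names (Image, CommandLine,
ParentImage, IntegrityLevel). Sample data below is constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample telemetry; the Edge lineage and the signed-script launch
# mirror the chain discussed in the thread, with arguments omitted.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"
    r"|CommandLine=MicrosoftEdgeCP.exe [arguments omitted]"
    r"|ParentImage=C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"
    r"|IntegrityLevel=AppContainer",
    r"Image=C:\Windows\System32\wscript.exe"
    r"|CommandLine=wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs [arguments omitted]"
    r"|ParentImage=C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"
    r"|IntegrityLevel=Medium",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe [arguments omitted]"
    r"|ParentImage=C:\Windows\System32\wscript.exe"
    r"|IntegrityLevel=Medium",
    r"Image=C:\Windows\System32\notepad.exe"
    r"|CommandLine=notepad.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|IntegrityLevel=Medium",
]

# Edge (EdgeHTML) manager and content-process images.
EDGE_IMAGES = {"microsoftedge.exe", "microsoftedgecp.exe"}
# Script and command hosts that a browser should not normally spawn directly.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Microsoft-signed scripts known (from the thread) to be usable as launch proxies.
PROXY_SCRIPTS = {"syncappvpublishingserver.vbs"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed 'k=v|k=v' line into a field dictionary."""
    fields = {}
    for pair in line.split("|"):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one process-creation event."""
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    integrity = event.get("IntegrityLevel", "")
    findings: List[str] = []

    # Rule 1/2: Edge spawned a non-Edge child; check its container and type.
    if parent in EDGE_IMAGES and image not in EDGE_IMAGES:
        if integrity != "AppContainer":
            findings.append(
                f"{parent} spawned {image} outside AppContainer (IntegrityLevel={integrity})"
            )
        if image in SCRIPT_HOSTS:
            findings.append(f"{parent} spawned script host {image}")

    # Rule 3: a script host is executing a signed proxy script.
    if image in SCRIPT_HOSTS and any(s in cmdline for s in PROXY_SCRIPTS):
        findings.append(f"{image} is running a signed proxy script: {cmdline}")

    # Rule 4: a script host launched PowerShell (second stage of the chain).
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        findings.append(f"{parent} launched powershell.exe")

    return findings


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (image name, findings) for every event that produced findings."""
    results = []
    for line in lines:
        event = parse_event(line)
        hits = analyse(event)
        if hits:
            results.append((image_name(event.get("Image", "")), hits))
    return results


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {image}")
        for hit in hits:
            print(f"    - {hit}")
```

The same rules port directly to a SIEM query over real Sysmon Event ID 1 data: the parent/child pairing and the integrity level are what distinguish the patched, in-container behaviour from the chain the thread describes.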
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,890
    Location:
    U.S.A.
    BTW - this vulnerability was patched in the Win 10 Oct. cumulative update.

    I verified same by running his POC code:
    from Edge which yielded the following:

    Exploit_Test_1.png
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,125
    Location:
    Saudi Arabia/ Pakistan
    Bug is really patched. But I was able to test it on an unpatched system.

I tried a harmless file as a hypothetical malware. Comodo HIPS gave enough warnings.

Then I tried the Comodo auto-sandbox and it kicked in, sandboxing PowerShell and later the unknown malware.exe.
     

    Last edited: Oct 24, 2018
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,961
    Location:
    The Netherlands
    Exactly, and you would think that all child processes from Edge were run with AppContainer integrity, but this isn't the case. BTW, you already know this but this is an interesting article about AppContainer explaining why it's a powerful protection method.

    https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/appcontainer-isolation

    Good to see that Comodo easily blocked this, and also good to see you again Aigle. I remember in the past you were one of the more active members.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,890
    Location:
    U.S.A.
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,125
    Location:
    Saudi Arabia/ Pakistan
    Thanks. These were good old days! No more time for this hobby now. Life got more busy. :)
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,125
    Location:
    Saudi Arabia/ Pakistan
The good thing about the Comodo sandbox is that it automatically isolates command-line processes and PowerShell commands. It is a great defense against fileless malware too.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,961
    Location:
    The Netherlands
    Seems like the sandbox isn't as robust as Chrome's, but in general I do believe that AppContainer is pretty secure.

    Yes we did spend hours and hours discussing HIPS, luckily I still got the time and I'm still fascinated by this stuff.

    Yes, that's cool especially since Sandboxie can't sandbox Edge.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,125
    Location:
    Saudi Arabia/ Pakistan
The Comodo sandbox can't do this as well, and as a matter of fact no sandbox is able to do this. Edge is a contained app already. However, Comodo will sandbox any unknown executable launched through Edge, including cmd.exe and PowerShell (and maybe scripts as well, though I am not sure about scripts).

In Sandboxie we can achieve this to some extent by auto-sandboxing cmd.exe, powershell.exe and wscript.exe.

Another great protection for the Edge browser is Malwarebytes Anti-Exploit.
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,368
    New Microsoft Edge Browser Zero-Day RCE Exploit in the Works
    November 4, 2018
    https://www.bleepingcomputer.com/ne...ge-browser-zero-day-rce-exploit-in-the-works/
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,890
    Location:
    U.S.A.
Hilarious!
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,961
    Location:
    The Netherlands
    This is indeed a bit embarrassing, but I would like to know if this is just one exploit being used to get both remote code execution and a sandbox bypass. Because often you also need to use a second Windows OS exploit to get privilege elevation. Of course such an exploit would be easily blocked by anti-executable.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,890
    Location:
    U.S.A.
According to the article, they haven't been able to do an Edge sandbox (AppContainer) bypass yet. But it appears they feel confident this can be done.
     