(Full source code demonstrating the escape from IE's sandbox -- by launching a medium-integrity calc at login -- is attached with this description.)
Fully patched IE11 on fully patched Windows 8.1 and Win 7.
The broker for Internet Explorer (Enhanced) Protected Mode implements the function ieframe!CShdocvwBroker__CreateShortcut and this function is callable from the IE EPM sandbox via the IShdocvwBroker interface. This function is expected to create a shortcut (.url) in the favorities folder. The input arguments include: * A PIDL/itemidlist corresponding to the URL that will be the target of the .url shortcut * A directory where the shortcut will be created The vulnerabilities in the IE (E)PM broker implementation of CShdocvwBroker__CreateShortcut are: * There's no validation that the PIDL points to a website. Specifically, the PIDL can point to a local file. * The directory isn't validated to be the user's Favorites folder (or a subfolder), and can be any directory on the user's disk.
With the above information, it is straightfoward to do this: Create a .url shortcut in the user's Startup folder pointing to an EXE, BAT, CPL etc. of interest. This will lead to arbitrary execution at medium integrity on the user's next login. For demonstration purposes, my exploit PoC will plant a shortcut to calc, which will run when the user re-logs in or restarts the machine.
I've tested this exploit works on: * Fully patched IE11 on Win8.1 and Win7 with PM or EPM.
The project builds with Visual Studio 2013, but I've shared the pre-built binaries.
To run on Win7: 1. Launch a new IE window (so that there's just one sandboxed IE process -- to avoid confusing the injector) 2. On the cmd prompt, run: InjectIntoIESandbox.exe EscapeViaCreateShortcut.dll (If the tool can't find the IE Sandbox, stick the PID to inject into at the end: InjectIntoIESandbox.exe EscapeViaCreateShortcut.dll 1020) 3. This should inject EscapeViaCreateShortcut.dll into the sandboxed IE process, trigger the exploit, and launch a calc.exe at medium integrity on the user's next login.
To run on Win8.1: 0. Make sure the directory containing the DLL grants Read/Execute access to "ALL APPLICATION PACKAGES" SID via an inheritable ACE (so that the AppContainer sandbox can load the DLL). My injector tries to do this, but sometimes fails due to weird directory ACLs. So best do it manually before running. This can be done at the admin command prompt like so: cd IESandboxEscape\Release icacls . /grant "*S-1-15-2-1:(OI)(CI)(RX)" This isn't a limitation of the exploit per se, because in the real scenario, a sandbox escape triggered from the webpage could just drop this DLL into IE's AppContainer temp directory. Rest of the steps are the same as with Win7.
Notes: * If the IE sandbox is running as a 64-bit process, use the 64-bit versions of the DLL and EXE in the x64\Release folder.