exploit-db-mirror/exploits/windows/local/46161.txt
Offensive Security 518c704a2f DB: 2019-01-15
2019-01-15 05:01:52 +00:00
Windows: Browser Broker Cross Session EoP
Platform: Windows 10 1803 (not tested anything else).
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): Session Boundary
Summary:
The Browser Broker COM object doesn't verify its caller correctly, allowing one user to execute arbitrary code in another logged-on user's session.
Description:
The Browser Broker Class (CLSID: 0002df02-0000-0000-c000-000000000046) is closely tied to Microsoft Edge and is used to perform certain privileged operations that the main browser process, running in an App Container, cannot do. The majority of the calls are checked with functions such as BrokerAuthenticateAttachedCallerGetPIC, which ensures the caller is an Edge process (based on its package ID) and meets certain requirements based on the sandbox type etc. One thing this code doesn't do is check that the caller is the same user as the running broker process.
As the user is not checked, it is only the COM security which prevents you from instantiating this in another running session on the same machine. The COM users allowed to launch the broker are:
* Everyone
* microsoft.microsoftedge_8wekyb3d8bbwe (package SID)
This means that everyone is allowed to start the broker COM process, even in another session. However, perhaps the access permissions will save us:
* NT AUTHORITY\Authenticated Users
* BUILTIN\Guests
* microsoft.microsoftedge_8wekyb3d8bbwe (package SID)
* NAMED CAPABILITIES\Lpac Web Platform
Even Guests can access the COM object after creating it (I've no idea why, of all things). Basically, though, these sets of permissions ensure that one user can create and call methods on the broker in another session. The only requirement is that you need to impersonate the Microsoft Edge token when calling methods, but that's easy to get just by stealing the token from a running Edge process.
Once you've got access to the broker COM server it's pretty easy to exploit to get arbitrary code execution. You can modify files through the IFileOperationBroker or just call ShellExecute using IDownloadExecutionBroker.
Ultimately I warned you after cases 36544 and 37954 that you should be fixing the root cause of normal users being able to use the Session Moniker, not playing whack-a-mole with COM objects. Of course you didn't listen then and no doubt you'll just try and fix browser broker and be done with it.
This issue also demonstrates that the Browser Broker is an easy sandbox escape if you can get into the MicrosoftEdge process, which doesn't seem a good thing IMO. While LPAC certainly makes it harder to elevate to the main browser process, I'd not be confident of it being a complete security boundary.
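The launch and access permission lists above are what decide whether a COM server registered with an AppID can be reached from another session. The following PowerShell script is an added audit helper, not the advisory's PoC or any Microsoft code: it resolves a CLSID to its AppID, decodes the LaunchPermission and AccessPermission security descriptors from the registry, and flags allow ACEs granted to machine-wide groups (Everyone, Authenticated Users, Guests), which is exactly the pattern described for the Browser Broker. The function names are my own; the COM_RIGHTS_* bit values come from the Windows SDK. Run it from an elevated or ordinary PowerShell on the host being audited.

```powershell
# Added audit helper (not part of the original advisory or its PoC).
# Decodes a COM AppID's LaunchPermission / AccessPermission descriptors and
# lists every ACE, flagging trustees that any user on the machine satisfies.

# Rights in a DCOM access mask (COM_RIGHTS_* constants from the Windows SDK).
$ComRights = [ordered]@{
    Execute        = 0x1
    ExecuteLocal   = 0x2
    ExecuteRemote  = 0x4
    ActivateLocal  = 0x8
    ActivateRemote = 0x10
}

# Well-known SIDs that cover every interactive user regardless of session.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Get-ComAppIdForClsid {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\{$Clsid}"
    $appId = (Get-ItemProperty -Path $key -ErrorAction Stop).AppID
    if (-not $appId) { throw "CLSID {$Clsid} has no AppID; machine-wide default permissions apply." }
    return $appId
}

function Expand-ComAccessMask {
    param([int]$Mask)
    $names = foreach ($r in $ComRights.GetEnumerator()) {
        if ($Mask -band $r.Value) { $r.Key }
    }
    return ($names -join ',')
}

function Resolve-Trustee {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if ($BroadSids.ContainsKey($Sid.Value)) { return $BroadSids[$Sid.Value] }
    if ($Sid.Value -like 'S-1-15-2-*') { return "package SID $($Sid.Value)" }     # App Container package
    if ($Sid.Value -like 'S-1-15-3-*') { return "capability SID $($Sid.Value)" }  # named capability
    try   { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }
}

function Get-ComPermissionAces {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [ValidateSet('LaunchPermission','AccessPermission')][string]$Kind
    )
    $key   = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    $bytes = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Kind
    if (-not $bytes) {
        # No per-AppID descriptor: DCOM falls back to the machine-wide defaults (dcomcnfg).
        return @()
    }
    # The registry value is a self-relative security descriptor; parse it from offset 0.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        [pscustomobject]@{
            Kind    = $Kind
            Type    = $ace.AceType            # AccessAllowed / AccessDenied
            Trustee = Resolve-Trustee $ace.SecurityIdentifier
            Rights  = Expand-ComAccessMask $ace.AccessMask
            # An allow ACE for a machine-wide group lets callers from any session reach the server.
            CrossSession = ($ace.AceType -eq 'AccessAllowed') -and
                           $BroadSids.ContainsKey($ace.SecurityIdentifier.Value)
        }
    }
}

# Audit the Browser Broker CLSID named in the advisory.
$clsid = '0002df02-0000-0000-c000-000000000046'
$appId = Get-ComAppIdForClsid $clsid
$aces  = @('LaunchPermission','AccessPermission') |
         ForEach-Object { Get-ComPermissionAces -AppId $appId -Kind $_ }
$aces | Format-Table Kind, Type, Trustee, Rights, CrossSession -AutoSize
```

Any row with CrossSession set to True is a grant that does not distinguish between sessions; whether that is a problem depends on whether the server itself verifies the caller's user, which is the check the advisory reports as missing. The same functions can be pointed at any other CLSID to compare how brokers on the machine are scoped.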
Proof of Concept:
I've provided a PoC as a C++ project. It will steal the access token from a running copy of Edge, then restart itself in another logged-on session.
1) Compile the C++ project.
2) Ensure there are two users logged on to the same system.
3) Start Edge in the session you'll run the PoC from.
4) Run the PoC.
Expected Result:
Creating a broker and accessing it in another session should fail.
Observed Result:
The PoC is running in another users session.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46161.zip