A new paper from researchers at Verizon Business describes a method by which an attacker who has already exploited a memory-corruption bug in the browser can escape Internet Explorer Protected Mode and run code at a higher integrity level on the machine. Protected Mode is one of a handful of key security mechanisms that Microsoft has added to Windows and Internet Explorer in the last few years. It is often described as a sandbox, in that it is designed to prevent the exploitation of a browser vulnerability from leading to a persistent compromise of the underlying system. Protected Mode was introduced with Windows Vista and Internet Explorer 7, and other software vendors have followed Microsoft’s lead, introducing sandboxes in applications such as Adobe Reader X and Google Chrome.
Protected Mode mitigates exploitation of browser bugs by running the process that renders web content at the Low integrity level, with a separate medium-integrity broker process handling the few operations that need more privilege. The idea is that even if an attacker exploits a vulnerability and executes code in the rendering process, that code cannot write to most of the file system or registry, and so cannot do anything of consequence on the PC. However, Protected Mode is a per-zone setting, and not all Internet Explorer security zones enable it.
“Through the hooking of the low integrity Internet Explorer process, the Protected Mode API exposed by the Internet Explorer broker process and other application compatibility techniques, a large number of in-process Internet Explorer extensions work in low integrity without modification. However, other more complicated add-ins and applications require modification. As a result of this incompatibility and Microsoft’s dedication to backwards compatibility, not all Internet Explorer zones render their member sites in Protected Mode. Each Internet Explorer zone defines a set of security policies for pages rendered in that zone, and enabling Protected Mode is one of the available settings,” researchers at Verizon Business wrote in their paper, “Escaping From Microsoft’s Protected Mode Internet Explorer.”
In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, lets an attacker escape Protected Mode. The technique moves the attacker’s code from the Low integrity level of the sandboxed rendering process to the Medium integrity level at which the logged-in user’s ordinary processes run. That is not an administrative privilege, but it is complete access to the user’s account, which is exactly what Protected Mode exists to withhold from a compromised browser.
“The attack assumes the existence of an exploitable memory corruption vulnerability within Internet Explorer or an extension, which is the precise scenario that Protected Mode is supposed to mitigate. Once the initial remote exploit has been used to execute arbitrary code at low integrity on the client, the payload can create a web server listening on any port on the loopback interface, even as a limited user at low integrity. The web server should be able to serve up the original exploit that allowed remote exploitation in the first instance. Since the exploit will now be launched from the same machine, exploitation can be made significantly more reliable as Address Space Layout Randomisation (ASLR) is no longer effective and other exploitation techniques can be used with higher probabilities of success,” the paper says. “The browser can be instructed to navigate to this new malicious web server using the IELaunchUrl() function, which is callable from low integrity as part of the Protected Mode API. This will cause a new tab to be launched which will navigate to ‘http://localhost/exploit.html’ or similar. The new malicious web page will be rendered in the Local Intranet Zone and the rendering process will now be executing at medium integrity. By exploiting the same vulnerability a second time, arbitrary code execution can now be achieved as the same user at medium integrity. This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode.”
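The escape above works only because a page in the Local Intranet zone renders at medium integrity, so the two things worth checking on a real machine are which zones have Protected Mode enabled and at what integrity level the iexplore.exe processes are actually running. The following PowerShell audit is an added example, not code from the Verizon Business paper or from Microsoft. It reads the documented per-zone Protected Mode value (registry value name 2500 under each zone key: 0 = enabled, 3 = disabled; zone IDs 0 to 4 are Local Machine, Local Intranet, Trusted Sites, Internet, Restricted Sites) and uses a small P/Invoke helper to read the mandatory-label SID of each IE process token. It assumes IE 7 or later on Vista or later, that the audit runs as the same user (at medium integrity or higher) so that the IE processes can be opened, and that no Group Policy override is in effect; policy-set values live under the Policies\...\Internet Settings\Zones keys and take precedence over the per-user keys audited here.

```powershell
# Added audit script (not from the paper): per-zone Protected Mode state and the
# integrity level of every running iexplore.exe. Assumes IE 7+ on Vista+ and that
# the current user can open the IE processes; Group Policy zone settings are not read.

$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Value "2500" is the documented "Turn on Protected Mode" setting for a zone.
function Get-IEProtectedModeStatus {
    foreach ($id in 0..4) {
        $val = (Get-ItemProperty -Path (Join-Path $zonesKey $id) -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $state = if ($null -eq $val) { 'Not set (zone default)' }
                 elseif ($val -eq 0) { 'Enabled' }
                 elseif ($val -eq 3) { 'Disabled' }
                 else                { "Unknown ($val)" }
        [pscustomobject]@{ ZoneId = $id; Zone = $zoneNames[$id]; ProtectedMode = $state }
    }
}

# Hardening for the escape described above: Enable-IEProtectedMode -ZoneId 1 turns
# Protected Mode on for Local Intranet, so a page served from http://localhost no
# longer gets a medium-integrity rendering process. Takes effect for new IE sessions.
function Enable-IEProtectedMode {
    param([Parameter(Mandatory)][ValidateRange(0, 4)][int]$ZoneId)
    Set-ItemProperty -Path (Join-Path $zonesKey $ZoneId) -Name '2500' -Value 0 -Type DWord
}

# Minimal P/Invoke helper: returns the RID of a process token's mandatory label
# (S-1-16-<RID>), which is the integrity level (0x1000 Low, 0x2000 Medium, 0x3000 High).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenIntegrity {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int length, out int returned);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS::TokenIntegrityLevel
    public static int GetLevelRid(IntPtr process) {
        IntPtr token;
        if (!OpenProcessToken(process, TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        IntPtr buf = IntPtr.Zero;
        try {
            int len;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out len); // size query
            buf = Marshal.AllocHGlobal(len);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buf, len, out len))
                throw new System.ComponentModel.Win32Exception();
            IntPtr sid = Marshal.ReadIntPtr(buf);                   // TOKEN_MANDATORY_LABEL.Label.Sid
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
        } finally {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            CloseHandle(token);
        }
    }
}
'@

function Get-IEProcessIntegrity {
    Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $rid   = [TokenIntegrity]::GetLevelRid($_.Handle)
            $level = if ($rid -ge 0x4000)     { 'System' }
                     elseif ($rid -ge 0x3000) { 'High' }
                     elseif ($rid -ge 0x2000) { 'Medium' }
                     elseif ($rid -ge 0x1000) { 'Low' }
                     else                     { 'Untrusted' }
            [pscustomobject]@{ Pid = $_.Id; IntegrityRid = ('0x{0:X}' -f $rid); Integrity = $level }
        } catch {
            [pscustomobject]@{ Pid = $_.Id; IntegrityRid = 'n/a'; Integrity = "Error: $($_.Exception.Message)" }
        }
    }
}

Get-IEProtectedModeStatus | Format-Table -AutoSize
Get-IEProcessIntegrity    | Format-Table -AutoSize
```

Run it with a tab open on an intranet site (or on http://localhost) and the second table will show a medium-integrity iexplore.exe alongside the low-integrity tabs, which is the condition the paper’s second-stage exploit needs. The broker or frame process legitimately runs at medium, so the thing to look for is a content process at that level, not merely any medium-integrity IE process. Enabling Protected Mode for zone 1 closes the loopback route but does not fix the underlying memory-corruption bug; it only keeps the attacker’s code at low integrity where Protected Mode can contain it.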
Other vendors have adopted the sandboxing technique recently, specifically Adobe, which added a sandbox to Reader X. Google has run Chrome’s rendering processes in a sandbox since the browser’s first release, and this week announced that it is adding a sandboxed version of Adobe Flash to future versions of Chrome.