PoC details: 802db7943001f175332d0e1c8f035873227bf1e5

Source
Related vulnerability
Title: Microsoft XmlDocument class permission and access control vulnerability (CVE-2019-0555)
Description: Microsoft Windows 10 and related products are a series of operating systems released by the US company Microsoft. The XmlDocument class is one of its classes, used to load XML into a Document Object Model. A privilege escalation vulnerability exists in the Microsoft XmlDocument class. A local attacker can exploit it to obtain elevated privileges and break out of the Edge AppContainer sandbox. The following system versions are affected: Microsoft Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709, Windows 10 version 1803, W
Description
Tribell Edge Sandbox Escape - PoCs of Edge's legacy vulnerabilities BadgeUpdateManager / TileFlyoutUpdateManager / ToastNotificationManager to exploit cross-boundary XmlDocument sharing and escape Edge’s LPAC sandbox (CVE-2019-0555). 
Introduction
# TriBell_Edge_SandBox_Escape
The PoCs trigger the execution of notepad.exe within the Just-In-Time (JIT) compilation process.

## Tested Environment
- Windows 10 Version 1809 (OS Build 17763.107)
- Microsoft Edge
  - Microsoft Edge 44.17763.1.0
  - Microsoft EdgeHTML 18.17763

## Vulnerabilities
- Edge Type Confusion: [CVE-2019-0567](https://project-zero.issues.chromium.org/issues/42450772)
- XmlDocument Insecure Sharing Elevation of Privilege: [CVE-2019-0555](https://project-zero.issues.chromium.org/issues/42450766)

## Technical Overview
A number of **Partial Trust Windows Runtime classes** expose the `XmlDocument` class across process boundaries to less privileged callers, which in its original form could be abused to **elevate privileges and escape the Edge Content LPAC sandbox**.  

This PoC uses **BadgeUpdateManager**, **TileFlyoutUpdateManager**, and **ToastNotificationManager** to reproduce the `XmlDocument` cross-boundary exposure and achieve sandbox escape. The vulnerability has been patched by Microsoft, so the PoCs no longer work on fully updated systems.

While developing the exploit code, I wrote and compiled the following C++ code to investigate how each class is used, and then examined GUID values and offsets in IDA.

```cpp
...
        // Activate the Partial Trust runtime class; for a less privileged
        // caller this reaches the implementation in a more privileged process.
        ComPtr<ITileFlyoutUpdateManagerStatics> manager;
        HStringReference name(RuntimeClass_Windows_UI_Notifications_TileFlyoutUpdateManager);
        Check(RoGetActivationFactory(name.Get(), IID_PPV_ARGS(&manager)));
        // The template is handed back as a WinRT XmlDocument that is shared
        // across the process boundary.
        ComPtr<IXmlDocument> doc;
        Check(manager->GetTemplateContent(TileFlyoutTemplateType::TileFlyoutTemplateType_TileFlyoutTemplate01, doc.GetAddressOf()));
        // QueryInterface to the MSXML IXMLDOMDocument2 view of the same object.
        ComPtr<IXMLDOMDocument2> dom;
        Check(doc.As(&dom));
...
```

## References
- [Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability](https://connormcgarr.github.io/type-confusion-part-1/)
- [Chakra Type Confusions - PoCs of Edge's legacy JS engine vulnerabilities that inject code into the JIT process](https://github.com/ommadawn46/chakra-type-confusions?tab=readme-ov-file)
- [TileFlyoutUpdateManager Class](https://learn.microsoft.com/ja-jp/uwp/api/windows.ui.notifications.tileflyoutupdatemanager?view=winrt-26100)
- [BadgeUpdateManager Class](https://learn.microsoft.com/ja-jp/uwp/api/windows.ui.notifications.badgeupdatemanager?view=winrt-26100)
- [ToastNotificationManager Class](https://learn.microsoft.com/ja-jp/uwp/api/windows.ui.notifications.toastnotificationmanager?view=winrt-26100)
File snapshot

```
[4.0K] /data/pocs/802db7943001f175332d0e1c8f035873227bf1e5
├── [4.0K] BaseCppFiles
│   ├── [1.9K] BadgeUpdateManager.cpp
│   ├── [2.0K] TileFlyoutUpdateManager.cpp
│   └── [2.0K] ToastNotificationManager.cpp
├── [4.0K] js
│   ├── [ 23K] ExecuteNotepad.js
│   └── [ 957] TypeConfusion.js
├── [2.7K] README.md
└── [ 490] tribell.html

2 directories, 7 files
```