A SandboxEscape Challenge: BleedingEdge
Introduction
This is a challenge I made for XNUCA'2019 CTF Qualifier.
The challenge itself is not as hard as many pwnables,
you don't even need trigger any memory corruption
(I'm not sure if there has one) to solve it, but it'll require some basic knowledge about MicrosoftEdge and Windows Privilege Mechanisms.
I've never seen anyone takes MicrosoftEdge's Sandbox into a CTF challenge before, so I think it's interesting to post it here.
Why Sandbox In CTF?
JSEngine bug in browser can do few things unless cooperating with a SandboxEscape bug.From a realworld view, A SandboxEscape bug is very valuable.
Which also indicates the difficulty of finding one.
Sandbox Shown in CTF
In GoogleCTF 2019,
Challenge amount distribution:
4 PWN
3 REVERSING
4 WEB
5 SANDBOX
What's the difficulty about Sandbox?
Highly relying on Operating System Privilege Mechanisms.
Linux: Seccomp, namespace ...
Windows: AppContainer, Integrity level, SACL/DACL...
What's in this challenge?
Server.exe:
- Get MicrosoftEdge's ManageAppContainer's privilege token.
- Create an AppContainer with default privilege
- Drop a File with arbitrary content under Sandbox{random file name}
- Impersonate MicrosoftEdge's token and launch any program specified.
What can appcontainer do?
MicrosoftEdge's AppContainer Structure:
The Structure given by Microsoft:
Actually, the structure is described as below:
What about Edge's Container?
(Taken from "Cutting Edge Slides at BlackHat from Tencent XuanwuLab")
EdgeContainer CreateProcedure:
Are there any guards in Edge?
- ACG(Arbitrary Code Guard)
- CIG(Code Integrity Guard)
- Child Process Policy(CreateProcess Banned)
- JIT Engine Seperation(JIT Process Seperated)
rce as normal user with medium integrity, you need:
(1). Find a way to do RCE.
(2). From ChildAP to ManagerAP
(3). From ManagerAP to normaluser( this challenge in)
AppManager.exe:
Implements a RPCServer with RPCVersion 1.0
1. CopyAppFile(void *h1, wchar_t *destpath, wchar_t *srcpath)
2. SetUpApp(void *h1, configer *configops, wchar_t *configfile)
3. RunApp(void *h1, wchar_t *target, configer *configops, runmode *rmode)
Copy a file from user-specified srcpath to file under:
C:\Users\11236\AppData\Local\Packages\nese.bleedingedge_8wekyb3d8bbwe\AC\Temp
to trigger this RPC:
(1). you must be MicrosoftEdge
(2). srcpath is accessed with ImpersonationClient
2 SetUpApp:
Copy a config file from user-specified srcpath to file under:
C:\Users\11236\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp
to trigger this RPC:
(1). you must not be MicrosoftEdge
(2). srcpath must under:
C:\Users\11236\AppData\Local\Packages\nese.bleedingedge_8wekyb3d8bbwe\AC\Temp
3 RunApp
(1) Specify a dll to load
(2) Check If you are MicrosoftEdge, you can invoke LoadLibrary.
So what you can do with all things above:
(1). Create an AppContainer with default Privilege(which is very low)
(2). Upload an exe or dll or whatever with limited size.
(3). CreateProcess within the Created Appcontainer
(4). CreateProcess with MicrosoftEdge's token
(5). Rpc Reverse and then interact with AppManagerSvc
Exploit
(1). CreateAppcontainer A
(2). Upload Signed "calc.exe"
(3). Upload Real Payload
(4). Trigger RPC, move the calc.exe into NeSE's AppContainer Folder
(5). Trigger RPC, move the calc.exe into Edge's AppContainer Folder
(6). Trigger RPC, move Real Payload into Edge's AppContainer Folder and rename it as System DLL's name
(7). Make a Process with MicrosoftEdge's token, let it run
"calc.exe" under Edge's AppContainer Folder.
(8). calc.exe load payload DLL hijack done.
(9). Payload Then Trigger RPC, Request RPCServer to load an malicious DLL to reverse binding a shell and then read flag under C:\flag.txt.
Alittle think: How to Bypass Microsoft Code Integrity Check with ACG and CIG>
(1). ROP(2). Load a TRUSTED Image, which will load other images without Code Integrity Check, then perform DLL hijack.
(3) Abuse JS Engine to get RCE in JIT Process.(ProjectZeroBlog)
Shaby!!!!!!Give EXP, Please.
回复删除