Exploit Flash Broker-Based - Sandbox Escape via Timing Attack Against File Moving

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
37842
Проверка EDB
  1. Пройдено
Автор
KEENTEAM
Тип уязвимости
REMOTE
Платформа
WINDOWS
CVE
cve-2015-3081
Дата публикации
2015-08-19
Flash Broker-Based - Sandbox Escape via Timing Attack Against File Moving
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=280&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

FlashBroker - BrokerMoveFileEx TOCTOU IE PM Sandbox Escape

1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker

FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.

There is a race condition in FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where the BrokerMoveFileEx method opens the original file and then making destination to be a junction.

The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.

2. Credit
Jihui Lu of KeenTeam (@K33nTeam) is credited for the vulnerability.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37842.zip
 
Источник
www.exploit-db.com

Похожие темы