FlashBroker - Junction Check Bypass With Forward Slash IE PM Sandbox Escape
1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker
FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.
There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "\" as delimiter. If the destination includes "/", FlashBroker will use a wrong destination folder for check.
The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 188.8.131.525 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.
Jietao Yang of KeenTeam (@K33nTeam) is credited for the vulnerability.
Proof of Concept: