Thanks for the material you provided~~
But from the description below, I actually think this isn't a direct privilege escalation vulnerability; it's more like a bug in IE8 Protected Mode.
Key point: when IE loads an Untrusted file, it marks the process integrity level as Medium, which bypasses Protected Mode and allows reading and writing files.
So the key here should be how this Untrusted file comes about. Generated by yourself?? How do you generate it?
http://www.zerodayinitiative.com/advisories/ZDI-11-249/
This vulnerability allows remote attackers to escape Protected Mode on vulnerable installations of Internet Explorer.
Internet Explorer Protected Mode consists of a Medium Integrity and a Low Integrity process.
The Low Integrity process is only allowed to write to special Low Integrity locations.
Files written there are marked as Low Integrity files. When a new Internet Explorer process is
launched it checks the Integrity of the file it is launched against. If the file is a Low Integrity
file it will run the process in Low Integrity Mode. It is however possible to give the file an even
lower permission: Untrusted. Since this does not match the check for 'Low Integrity',
Internet Explorer will run in Medium Integrity instead of Low Integrity.
This can be abused in an exploit to bypass the Protected Mode design
and thus allow an attacker to escalate their privileges.
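As an added example (not part of the original post or of the ZDI advisory), here is a small Python model of the check the advisory describes. It parses the mandatory-label ACE from an SDDL security descriptor (the `(ML;;NW;;;S-1-16-<rid>)` form Windows uses, where RID 0 is Untrusted and 4096 is Low), then shows the decision as described (only an exact Low label yields a Low process, so Untrusted falls through to Medium) beside a corrected check that treats any label at or below Low as Low. The names `label_rid_from_sddl`, `build_label_sddl`, `launch_level_as_described` and `launch_level_corrected` are mine, the "corrected" rule is an assumed fix for illustration and not Microsoft's actual patch, and the SDDL helper only builds the string; applying a label to a real file needs the Win32 API on Windows, which this offline example does not touch.

```python
import re

# Mandatory-label RIDs, i.e. the last sub-authority of S-1-16-<rid>,
# as defined by Windows integrity levels.
INTEGRITY_LEVELS = {
    0: "Untrusted",
    4096: "Low",
    8192: "Medium",
    12288: "High",
    16384: "System",
}
LOW_RID = 4096

# SDDL aliases Windows accepts for mandatory-label SIDs.
# Untrusted has no alias; it must be written as S-1-16-0.
SDDL_ALIASES = {"LW": 4096, "ME": 8192, "HI": 12288, "SI": 16384}

# A mandatory-label ACE in SDDL looks like (ML;<flags>;<policy>;;;<sid>),
# e.g. (ML;;NW;;;LW) for "Low, no write-up".
_ML_ACE = re.compile(r"\(ML;[^;]*;[^;]*;;;([^)]+)\)")


def label_rid_from_sddl(sddl):
    """Return the integrity RID of the first mandatory-label ACE in an SDDL
    string, or None when the object carries no label. Windows treats an
    unlabelled file as Medium, so None is not the same as 0 (Untrusted)."""
    m = _ML_ACE.search(sddl)
    if not m:
        return None
    sid = m.group(1).strip()
    if sid in SDDL_ALIASES:
        return SDDL_ALIASES[sid]
    if not sid.startswith("S-1-16-"):
        raise ValueError("not a mandatory-label SID: " + sid)
    return int(sid[len("S-1-16-"):])


def build_label_sddl(rid, policy="NW"):
    """SDDL for a mandatory label with the given RID (hypothetical helper).
    Applying it to a file requires the Win32 API on Windows, e.g.
    SetNamedSecurityInfo with LABEL_SECURITY_INFORMATION; this only builds
    the string so the example runs anywhere."""
    if rid not in INTEGRITY_LEVELS:
        raise ValueError("unknown integrity RID %d" % rid)
    return "S:(ML;;%s;;;S-1-16-%d)" % (policy, rid)


def launch_level_as_described(file_sddl):
    """The decision the advisory describes: an exact Low label makes the new
    process run Low; any other label, including Untrusted (RID 0), and an
    unlabelled file get Medium."""
    rid = label_rid_from_sddl(file_sddl)
    return "Low" if rid == LOW_RID else "Medium"


def launch_level_corrected(file_sddl):
    """Assumed fix for illustration: any label at or below Low (Untrusted is
    below Low) keeps the process at Low; an unlabelled file stays Medium."""
    rid = label_rid_from_sddl(file_sddl)
    if rid is None:
        return "Medium"
    return "Low" if rid <= LOW_RID else "Medium"


if __name__ == "__main__":
    # Constructed sample descriptors: a Low-labelled file written from the
    # Low Integrity process, the same file relabelled Untrusted, and an
    # unlabelled file.
    samples = {
        "low file": build_label_sddl(LOW_RID),
        "untrusted file": build_label_sddl(0),
        "unlabelled file": "D:(A;;FA;;;WD)",
    }
    for name, sddl in samples.items():
        rid = label_rid_from_sddl(sddl)
        print("%-16s label=%-9s described=%-6s corrected=%s" % (
            name, INTEGRITY_LEVELS.get(rid, "none"),
            launch_level_as_described(sddl), launch_level_corrected(sddl)))
```

Running it shows the asymmetry the advisory points out: the Low-labelled file produces a Low process under both rules, while the Untrusted-labelled file produces a Medium process under the described check and a Low process under the corrected one.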