Details are about to emerge about a zero-day remote code execution vulnerability in the Microsoft Edge web browser, as two researchers plan to reveal a proof-of-concept and publish a general write-up. Microsoft has not been told the details of this vulnerability.
A tweet on November 1 announced that Microsoft Edge had been compromised once more. The proof was an image of the web browser appearing to launch the popular Windows Calculator app.
Exploit developer Yushi Liang informed his followers that the objective was to escape the browser sandbox and that he had teamed up with Alexander Kochkov to work on achieving it.
— Yushi Liang (@Yux1xi) November 2, 2018
The efforts of the two experts were hampered by a “crash bug in the text editor” Liang was using to write the exploit code.
In a conversation with BleepingComputer, Liang said that they were focusing on developing a stable exploit and achieving a full sandbox escape. The duo was also looking for a method to escalate execution privileges to SYSTEM, which would be the equivalent of taking complete control of the machine.
The expert found the zero-day bug with the help of the Wadi Fuzzer utility from SensePost. He told us that he has already created PoC code (demo available below) that validated his findings.
Payouts for an Edge RCE exploit
The market for 0days is robust and there are plenty of exploit brokers ready to offer attractive compensation to developers of fresh penetration code targeting web browsers.
Zerodium pays $50,000 for a remote code execution (RCE) 0day exploit in Edge and doubles the payout when a sandbox escape is achieved.
Coseinc’s Pwnorama payout program offers up to $30,000 for a previously undisclosed RCE exploit in Microsoft’s browser and increases the reward up to $80,000 if it is accompanied by local privilege escalation.
Vulnerability brokers are not the only ones offering juicy payouts for exploits. This year’s edition of the Pwn2Own computer hacking contest from Trend Micro’s Zero Day Initiative program offered $60,000 for a sandbox escape exploit for Microsoft Edge.
Liang’s web browser exploits
Zero-days in web browsers seem to have captured Liang’s focus lately, as the developer recently wrote an exploit chain that took advantage of three bugs to achieve RCE on Firefox.
The developer said that this proved to be a difficult task to wrap up because of a third bug that required more work to obtain the coveted result.
#Firefox RCE 3 bugs used in exploit chain + UAF! Happy to finish 🙂
— Yushi Liang (@Yux1xi) October 25, 2018
In another recent project, Liang set his sights on the Chromium browser, where he was able to achieve code execution without sandbox escape, a task he relayed to a friend of his.
Finally did it 🙂 pic.twitter.com/Ae6f6GLylO
— Yushi Liang (@Yux1xi) October 30, 2018
To show that his PoC works, Liang shared with BleepingComputer the video below. To add a fun twist, the developer made Edge launch Mozilla Firefox and load the download page for Google Chrome: