Login Papers Register

Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!

<< previous next >>

Unusual Windows Insider Preview Exploitation

James Lee

3 vote(s)

An unusual way to exploit Windows Insider Preview via an interesting binary in windows folder called HTML Help Executable; hh.exe.

First, we'll go through Windows Media Player Information Disclosure vulnerability that I triggered via hh.exe and its idea behind bypassing prompt to avoid user interaction.

Second, The interesting trick that allows you to escape from Microsoft Edge's AppContainer Sandbox. hh.exe has an embedded feature inside - which is EPM disabled Medium IL Internet Explorer 11.

Similarly, there are several interesting extensions which opens an Internet Explorer 11 as Medium IL without EPM while you are on Internet Zone and this file automatically runs without user interaction when you visited a specially crafted page via Microsoft Edge. We'll go through about this bahavior and my own way to exploit this vulnerability.

Third, We'll go through Multiple vulnerability cases that I found in hh.exe. It contains multiple Remote Code Execution vulnerability in hh.exe which is UMCI/Device Guard bypasses that allows you to execute Trusted signed code/binary from unsigned code/binary.

Finally, I'll show a demo of Firefox browser Remote Code Execution + Windows Elevation of Privilege exploit to achieve SYSTEM-level Code Execution on Windows 10 Operating System.


I started to tinkering around with Security Vulnerability since age 16. About a year later I discovered multiple vulnerabilities that lead to Remote Code Execution on Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer. I also discover Local Privilege Escalation on Windows OS and occasionally find other design vulnerabilities like Information disclosure, Universal XSS too. Now I'm 19 years old Security researcher who mostly focus on discovering RCE on Windows based browser and LPE on Windows OS to develop Full-chain SYSTEM code execution exploit.