1. InfoconDB
  2. Black Hat
  3. Black Hat Asia 2017
  4. Cross the Wall - Bypass All Modern Mitigations of Microsoft Edge

Cross the Wall - Bypass All Modern Mitigations of Microsoft Edge

Presented at Black Hat Asia 2017, March 30, 2017, 2:15 p.m. (60 minutes)

<p>Address Space Layout Randomization(ASLR) and Data Execution Prevention (DEP) and Control Flow Guard (CFG) are default exploit mitigations technique on Windows 10 platform. ASLR and DEP and CFG mitigation significantly increases the difficulty of exploit. In Windows 10, even if you have the ability to arbitrarily address read/write, you still need to find ways to bypass CFG mitigation.</p><p>This talk will be divided into two parts. The first part will introduce a new method to bypass CFG and DEP mitigations; it uses the Edge Shim’s dark side to bypass CFG and DEP, get arbitrary code execution with no ROP. This method got the Microsoft Mitigation Bypass Bounty and have the following advantages:</p><ul><li>No need ROP to exploit</li><li>The stability of the exploit is good</li><li>Bypass the CFG and DEP at the same time</li></ul><br><p>The second part will discuss how to bypass ASLR. Dynamic language use garbage collect to management memory. According to whether the distinction between data and pointer, divided into conservative garbage collection and accurate garbage collection. Microsoft Browser Internet Explorer JavaScript engine jscript9 and Microsoft Edge JavaScript engine chakra, use the conservative mark-sweep garbage collection management memory. Using the conservative garbage collection weakness, we can bypass the ASLR mitigation with no vulnerability. This part consists of three aspects:</p><ul><li>The weakness of conservative garbage collection and How Microsoft do their improvement to defend this weakness</li><li>How to overcome Microsoft's improvement and use the weakness to exploit Internet Explorer and Microsoft Edge. Because the jscript9 engine and chakra engine have some different in the implemention.so the exploit method may be some different. And Microsoft Edge chakra engine is strong than Internet Explorer jscript9 engine, we will discuss how to overcome the difficult to exploit Microsoft Edge</li><li>Give three exploit demo. Microsoft Edge Exploit on windows 10, Internet Explorer Exploit on windows 7 and windows 10</li></ul>

Presenters:

  • Jack Tang - Sr. Staff Engineer-Developer, Trend Micro
    Jack Tang has 10 years of anti-malware solution development. He is familiar with Windows/Mac kernel technology, browser and document exploit. Jack has spoken at Black Hat and Hitcon security conference. He was MSRC Top 16 in 2016 and MSRC Top 34 in 2015. Jack is currently focusing on research about virtualization vulnerability and exploit.
  • Henry Li - Staff Engineer-Developer, Trend Micro
    Henry Li is a security researcher in Trend Micro CDC zero day discovery team. He has five years of experience in vulnerability & exploit research. He spoke at Hitcon security conference and won the Microsoft Mitigation Bypass Bounty in 2016 and was MSRC Top 17 in 2016.

Links:

Similar Presentations: