Presented at
Black Hat Europe 2015,
Unknown date/time
(Unknown duration).
When the rules for this year's Pwn2Own contest came out, there was only less than one month left for us to prepare for our Internet Explorer Exploit. It was not an easy task to pop up a calc on this year's IE target, where you need to conquer the 64-bit IE child process, the control flow guard (CFG) on windows 8.1 as well as the enhanced-protected mode (EPM) of IE11. This was the first time that 64-bit IE was used in the contest, which means more stronger ASLR that makes simple heap-spraying techinque does not work as it does on 32-bit process. Also on Windows 8.1, CFG is heavily used in user mode processes which makes it harder to transfer the execution-flow to our shellcode. And at last, we need to bypass the EPM sandbox without user interfaction and without re-starting/re-login the computer. We are glad that we finally made it, with two 0day vulnerabilities, which have already been patched by Microsfot in June 2015. In this presentation, we will describe (for the first time) the details of the two vulnerabilities we used to take down 64-bit IE in this year's Pwn2Own. By going through the poc exploit, we will show how we achieved ASLR & CFG bypass and remote code execution in 64-bit IE with a single uninitialized memory bug. And, we will also discuss the TOCTOU vulnerability we used to bypass IE's EPM sandbox to achieve elevation of privilege. Throughout the talk, we will describe several methods you may use to bypass exploit mitigtions (such as ASLR, CFG) on 64-bit IE, to achieve remote code execution with your memory corruption bug.
Presenters:
-
Yuki Chen
- Qihoo 360
Yuki Chen is the core member of 360Vulcan Team from 360 Safeguard offensive and defensive research group. In March of this year, the 360Vulcan Team successfully exploited 64-bit Internet Explorer with EPM enabled at Pwn2Own 2015 in Vancouver, Canada. Yuki Chen has over six years experience in the security industry and currently manages a team focused on vulnerability research at Qihoo 360. He is mostly interested in vulnerability hunting and analyzing and exploit development. He has discovered vulnerabilities in a wide range of products including browsers, Adobe flash/pdf, Java, and so on. He has spoken at several security conferences such as SysCan, Xcon and SysCan360.
-
Linan Hao
- Qihoo 360
Linan Hao (@holynop) is a security researcher from 360Vulcan Team (@360Vulcan). He used to be a Windows kernel developer and now focuses on vulnerability research. Linan Hao has four years experience in the security industry. His major interests are vulnerability hunting and exploiting and 0-day detection.
Links:
Similar Presentations: