Digging for IE11 Sandbox Escapes

Presented at Black Hat USA 2014, Aug. 6, 2014, 10:15 a.m. (150 minutes).

In June 2013, Microsoft started the first of their new bug-bounty programs, focusing on finding vulnerabilities in IE11 on the upcoming Windows 8.1 OS. Rather than spending my time fuzzing for RCEs, I focused on pure logic bugs, and the best place to find them was in the sandbox implementation. As IE11 defaults to Microsoft's new Enhanced Protected Mode (EPM) sandbox, which repurposes Windows 8's App Container mechanism to more heavily restrict access to securable resources, it would seem to be a tough challenge, but that turned out not to be the case. This workshop will contain a deep dive into the 4 sandbox escapes I discovered during the 30-day bug bounty period, some of which have been present since Vista and IE7. I'll run through the process I undertook to find these vulnerabilities, giving time to go in depth on how to investigate the IE11 sandbox, run your own code inside it, and analyze its attack surface. Sample source code for all issues will be provided so that you can test the issues yourself. In order to participate in the workshop, an installation of Windows 8.1 RTM will be required, along with common tools such as Visual Studio 2013 and IDA Pro, to analyze and develop the sandbox escape examples.

Presenters:

  • James Forshaw - Context Information Security
    James is the Head of Vulnerability Research at Context Information Security in the UK. He has been involved with computer hardware and software security for over 10 years, with a skill set that covers the bread and butter of the security industry, such as application testing, through to more bespoke product assessment, vulnerability analysis, and exploitation. He has numerous public vulnerability disclosures in many different products, including web browser issues and virtual machine breakouts, and is a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences on a range of topics, including Black Hat USA, CanSecWest, BlueHat, HITB, and Infiltrate. He is also the developer of the free CANAPE networking analysis and exploitation tool.
