Researcher chains three exploits to take down IE8 at Pwn2Own
Marks the first ever Pwn2Own escape from a browser sandbox
Computerworld - An Irish security researcher today said it took him six weeks to craft a three-exploit package that brought Microsoft's Internet Explorer 8 (IE8) to its knees at Pwn2Own Wednesday.
Independent researcher Stephen Fewer walked off with $15,000 and a Sony notebook yesterday after hacking IE8 on Windows 7 by exploiting three unpatched vulnerabilities in the operating system and browser.
"It was a challenge, especially engineering the exploit that escaped Protected Mode," said Fewer today, referring to the "sandbox" that isolates IE8 from the rest of the computer.
The sandbox, like the one built into Google's Chrome, is designed to contain malicious code that compromises the browser so that it can't reach the operating system or the rest of the machine.
"I spent about six weeks finding the vulnerabilities and engineering the exploits," Fewer said. "Then I decided to give [Pwn2Own] a go, and bought a plane ticket."
Fewer is a first-time Pwn2Own contestant and winner. He has a one-man consulting firm called Harmony Security, and is a long-time contributor to both the Metasploit open-source penetration testing toolkit project, and to HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program, which pays researchers for finding and reporting vulnerabilities. TippingPoint is the sponsor of Pwn2Own.
Fewer chained three exploits together to bring down IE8, a feat that Aaron Portnoy, manager of TippingPoint's security research team and Pwn2Own's organizer, called "impressive" yesterday.
Two of the three were needed to craft a reliable attack that sidestepped ASLR (address space layout randomization) and DEP (data execution prevention) on Windows 7. Both are exploit mitigations built into Microsoft's operating system: DEP marks data pages as non-executable so an attacker can't simply run code injected into memory, and ASLR randomizes where code and data are loaded so an exploit can't depend on fixed addresses. Together they are meant to make it difficult for an exploit to execute reliably.
The third exploit leveraged yet another bug to jump out of the Protected Mode sandbox.
"That was pretty difficult," said Fewer, talking about the sandbox-escape exploit. "It took quite a while to engineer that, and then there was the time pressure of the contest."
By escaping Protected Mode, Fewer was able to gain complete control over the Sony laptop running Windows 7, a point he proved by adding a file to the machine, mimicking a cybercriminal's insertion of additional malware.
Fewer's hack of IE was the first ever at Pwn2Own to bust out of a browser sandbox. Although Chrome also boasts an anti-exploit sandbox, that browser has never been breached at Pwn2Own.
Yesterday, one expected Chrome contestant was a no-show, while a team slated to go second decided to focus instead on an attack against RIM's BlackBerry OS later today.
Although Fewer acknowledged he hasn't poked around Chrome, he didn't seem surprised that no one took on Google's browser yesterday. "Chrome's sandbox is fundamentally quite solid," he said.
Fewer made use of the work by Peter Vreugdenhil, last year's IE Pwn2Own winner, to build his multi-part package. "Peter's work was great, and I applied a few of his techniques," said Fewer.
Vreugdenhil, who now works for TippingPoint, chained two exploits last year to bypass Windows 7's ASLR and DEP.
The only other browser to fall Wednesday was Apple's Safari 5, which dropped to a team from French security company Vupen minutes before Fewer took his shot at IE8.
Not surprisingly, Fewer felt great about winning the $15,000. "I feel fantastic," he said today. "Everything here went very smoothly."
He plans to spend the cash prize to pay for his trip from the U.K. and on some home improvements.
Today's Pwn2Own schedule will pit researchers against Mozilla's Firefox -- that browser's turn was postponed to today after Wednesday's round started late -- and four smartphones running Apple's iOS, Google's Android, Microsoft's Windows Phone 7 and RIM's BlackBerry OS.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.