VANCOUVER, BC — Jumping through a series of anti-exploit roadblocks, Dutch hacker Peter Vreugdenhil pulled off an impressive CanSecWest Pwn2Own victory here, hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.
Vreugdenhil, an independent researcher who specializes in finding and exploiting client-side vulnerabilities, used several tricks to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two significant security protections built into the Windows platform.
[ ALSO SEE: Pwn2Own MacBook attack: Charlie Miller hacks Safari again ]
“I started with a bypass for ALSR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass,” he added.
Vreugdenhil, who won a $10,000 cash prize and a new Windows machine, said he uses fuzzing techniques to find software vulnerabilities. “I specifically looking through my fuzzing logs for a bug like this because I could use it to do the ASLR bypass, he said.
After finding the IE 8 vulnerability, Vreugdenhil said it took about two weeks to write an exploit to get around the ASLR+DEP mitigations.
[ ALSO SEE: Pwn2Own 2010: iPhone hacked, SMS database hijacked ]
Members of Microsoft’s IE team were on hand to witness Vreugdenhil’s exploit. A company spokesman said they were not yet aware of the details of the vulnerability but will activate its security response process once the information is collected from the contest organizers.
TippingPoint Zero Day Initiative (ZDI), the company sponsoring the hacker challenge, is expected to send the flaw details to all the affected vendors on Friday March 26, 2010.
* More to come…
