Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

VANCOUVER -- Using three different vulnerabilities and clever exploitation techniques, Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) machine running Internet Explorer 8 to win this year's CanSecWest hacker challenge.

Fewer, a Metasploit developer who specializes in writing Windows exploits, used two different zero-day bugs in IE to get reliable code execution and then chained a third vulnerability to jump out of the IE Protected Mode sandbox.

The attack successfully bypassed DEP (data execution prevention) and ASLR (address space layout randomization), two key protection mechanisms built into the newest versions of Windows.

"I had to chain multiple vulnerabilities to get it to work reliably," Fewer said in an interview.

Technical details of the flaws will be kept under wraps until Microsoft releases a patch. TippingPoint ZDI, the contest sponsor, owns the exclusive rights to the vulnerability information.

For his efforts, Fewer won a $15,000 cash prize and a new Windows laptop.

Fewer said it took about five to six weeks to find the vulnerabilities and write a reliable exploit. "Writing the exploit was the tricky part. It was very time consuming, especially bypassing protected mode," he added.

During the contest, he set up a special web page with a link. From the target machine, he clicked the link, which immediately launched the calculator app (calc.exe). He was also required to write to a file to prove that he had escaped low-integrity mode, demonstrating that he had full user access to the hijacked machine.

Fewer said the new mitigation technologies being built into modern browsers make it "incrementally difficult" to exploit but insisted that a motivated attacker with enough resources will eventually find a way to write a reliable exploit.

"If you spend long enough looking for bugs, you'll always find something," he added.

Peter Vreugdenhil, a security researcher at HP TippingPoint, described Fewer's exploit as "pretty impressive" because of the Protected Mode bypass.

Vreugdenhil, who won last year's contest with a successful hack of Internet Explorer, said Protected Mode was not trivial to bypass, noting that there is only one publicly documented way to do it. Fewer's exploit used a brand-new technique to bypass Protected Mode.

Researchers from French pen-testing company VUPEN were also on hand with a fully tested exploit for IE8.

Talkback

104 comments
  • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

    That is pretty darn good security from Microsoft if it took him 3 different exploits just to get escalated privileges. I love how even the security researchers are saying just how hard it is to pull off such a feat.
    Loverock Davidson
    • And it took him a whole 6 weeks to do it

      I, for one, am impressed;-)
      Richard Flude
      • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

        @Richard Flude
        It didn't take him 6 weeks to do it. It took 6 weeks to find the vulnerabilities. Just like when you do a pen test, you take time to see the picture as a whole, then you crack the nut.
        tiderulz
      • I was not impressed that it took only 2 weeks to hack a Mac

        @Richard Flude
        I assumed it would take less, but even Apple is starting to understand security.
        Now if they would only take it seriously.
        Will Farrell
      • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

        @Will Farrell
        6 weeks for 1 lone person to crack Windows 'security' but
        2 weeks for 3 people to crack a Mac
        This seems to be about the same to me. Team-work can be faster with people to bounce ideas off and for brain-storming. Usually people have slightly different expertise which fluid team-work can make use of, and competition can be highly motivating. But then I guess there are advantages to being a lone wolf too. So 2 x 3 = 6 imo, usually anyway.
        Regards from Tom :)
        Tom6
      • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

        @Tom6

        Not really when IE required 3 exploits, which would equal out to 6 weeks per exploit per person.

        The Mac only required 1 exploit and all you have to do is visit the site, no clicking on a link involved as with the IE exploit.
        SmokinBiz
    • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

      @Loverock Davidson

      Good spin!
      kenosha77a
    • IE and Windows 7 Shot down in Minutes! haha....

      @Loverock Davidson ,,,, thieves will always go after the little old ladies and easy marks first, then brag about how hard it was to yank the handbag away from her and how difficult it was to turn the door knob of an unlocked door to get in to rob you blind. That's why nobody even bothers trying to break into a SELINUX Impenetrable Fortress! lol..... :D

      These Hackathons are just to show how amateur and lax Microsoft is at Security! .....always leaving a backdoor for themselves into your computers!!! haha..... thieves always fear thieves the most!!! lol...
      Monarky
    • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

      @Loverock Davidson

      The bottom line is that he succeeded, which means other people who'd like a wee bit more than a $15,000 payoff could also succeed.
      AndyPagin
    • That's pretty bad security...

      @Loverock Davidson
      if there were 3 exploits available for him to use to get escalated privileges. It's hard to be the first to pull off a feat like this. Once it's done, copy/paste makes duplicating it pretty easy.
      jasonp@...
    • Nothing new here

      Even Loverock Davidson's Flagged FUD is still the same.
      LTV10
      • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

        @LTV10

        As is yours.
        Hallowed are the Ori
      • Message has been deleted.

        LTV10
      • lol...

        It took you over a week to get that one deleted, didn't 'o dewy-eyed one...

        more lol...
        LTV10
    • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

      Plus if you close your eyes, click your heels and repeat "I'm not in Kansas anymore" the hack goes away. So it took one person two weeks, or 5 weeks ... a team of 10 hackers in China could do it in a day. Getting hacked is like getting pregnant. It doesn't matter how long it took, it just matters that it happened and how you have to live with it.
      john_gillespie@...
  • The MCSEs were saying;-)

    Owned at the same stage as Mac OS X & Safari. No surprise really.

    How's Google's Chrome holding up?
    Richard Flude
    • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

      @Richard Flude
      No surprise. Mac OS X has almost no security and relies mostly on smaller market share to stay safe.
      illegaloperation
      • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

        @day2die
        And yet Windows fell immediately. So what does that honestly say about Windows security?
        Rick_K
      • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

        @day2die
        Based on the results from the Mac OS X / Safari hack, I don't see Apple doing well either:
        "Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser."
        http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358
        dvm
      • RE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

        @Rick_K
        And this is why:
        "Bekrar said the Safari exploit was somewhat difficult because of the lack of documentation regarding 64-bit Mac OS X exploitation."
        illegaloperation