Pwn2Own 2012: IE 9 hacked with two 0day vulnerabilities


Summary: The code execution attack, which required no user action beyond browsing to a rigged web site, also works on Internet Explorer v10 (consumer preview) running on Windows 8.


VANCOUVER -- Microsoft's Internet Explorer 9 browser has fallen.

A team of French researchers exploited two different IE zero-day flaws to break into a fully patched Windows 7 SP1 machine and take an almost unassailable lead in this year's CanSecWest Pwn2Own competition.

The hacking team, from French security research outfit VUPEN, used an unpatched heap overflow bug to bypass DEP and ASLR and a separate memory corruption flaw to break out of the browser's Protected Mode sandbox.

follow Ryan Naraine on twitter

The code execution attack, which required no user action beyond browsing to a rigged web site, also works on Internet Explorer v10 (consumer preview) running on Windows 8.

VUPEN co-founder Chaouki Bekrar, who led his team's work hacking into two major browsers -- Chrome and IE9 -- said the Internet Explorer flaws went undetected for a very long time.

"This goes all the way back to IE 6.  It will work on IE 6 all the way to IE 10 on Windows 8," Bekrar said.

If they win the Pwn2Own challenge, which is likely based on their work popping Chrome and writing on-the-spot exploits for previously patched vulnerabilities, VUPEN will give up the rights to only one of the IE bugs.

"We're only giving up the heap overflow.  We will keep the Protected Mode bypass private for our customers," Bekrar said.

He said VUPEN used two researchers working for six weeks on a full-time basis to craft the IE 9 exploit for Pwn2Own.

"This one was difficult.  When you have to combine many vulnerabilities and bypass all these protections, it takes a longer time," he said, noting that his team came to Vancouver with zero-day flaws for every browser on every operating system.

Explaining the two-stage IE 9 attack, Bekrar said the first vulnerability was used to execute first-stage shellcode.  "In this first-stage shellcode, we included a second exploit. [Then] we move the code execution from low integrity level to medium integrity level and bypass the Protected Mode sandbox."

Bekrar said his team has found "many vulnerabilities in Protected Mode" that are all unpatched.  "We used a memory corruption vulnerability in the way Protected Mode is implemented but we have found many more vulnerabilities there."

He said VUPEN's motive for participating in Pwn2Own was to prove that a dedicated hacker can bypass all security protections, even on the newest operating systems.  "We want to show that we can."

Bekrar said his team has started work analyzing the IE 10 consumer preview and has found it much more difficult to exploit, due to new mitigations.  Microsoft has added protections to use-after-free and memory leaks but these mitigations come with a price.

"Exploitation is much harder and more time consuming," Bekrar said. "But, they make the prices for vulnerabilities and exploits go higher."

Representatives from Microsoft's security team were on hand to witness the IE 9 hack and they plan to activate their response process once they receive the vulnerability information from the Pwn2Own organizers.



    Talkback

    14 comments
    • Possible why some have stayed away from Pwn2Own, the rules changed?

      Winner only gives up one of the exploits of 2 maybe more?

      "We're only giving up the heap overflow. We will keep the Protected Mode bypass private for our customers," Bekrar said.
      daikon
      • customers?

        Who is the customer? Selling the exploits to anyone other than Microsoft could potentially be criminal act.
        wmac1
        • VUPENs Customers

          I believe that many of these security companies get around that by providing the fixes or work around until the patches come out.
          daikon
    • I read somewhere that they weren't allowed to bring exploits with them.

      Had to write them on the spot. Good to know that's not true.
      Johnny Vegas
    • Awesome

      Also one of the first times modern IE has been beaten in Pwn2Own, kudos! Too bad Charlie Miller can't compete for fear of lawsuits.
      Tea.Rollins
      • Modern IE? LOL

        How 'modern' can IE really be if flawed code from IE6, a browser introduced [i]way back in 2001[/i], can still be used to take down IE9 and IE10?

        This is precisely why I stopped using IE to browse the web. There's no such thing as 'new' when it comes to code coming from Microsoft. It's all just additional mitigations and minor GUI changes piled on top of decade-old code that was written at a time when security was merely an afterthought.
        eMJayy
        • "This is precisely why I stopped using IE to browse the web."

          Using Chrome now I suppose?

          Name a browser that HASN'T been hacked.
          IT_Fella
        • RE: "This is precisely why I stopped using IE to browse the web."

          [i]Name a browser that HASN'T been hacked.[/i]

          Opera has never been hacked at Pwn2Own. Just like Ubuntu/Firefox hasn't been hacked at Pwn2Own. And unlike Opera, Ubuntu/Firefox was actually included at Pwn2Own (2007-2008, if I remember correctly).

          Was it the LSM magic? Nope. Just disinterest from the Pwn2Own hackers (as with the malware miscreants). Running software with very low market share provides users with a measure of added safety. [Note: safety != security]
          Rabid Howler Monkey
        • not only IE

          "How 'modern' can IE really be if flawed code from IE6, a browser introduced way back in 2001"

          What about Firefox and its old code from Netscape?
          Rikkrdo
        • RE: not only IE

          Rikkrdo,

          The old Netscape code was tossed out by Mozilla when they first obtained the Netscape code. They wrote Firefox from scratch. Version 1.0 was released in November of 2004.
          benched42
    • Exploit is already in the wild

      Put the following search into google, and click on the top 3 links that show up, and your PC will be immediately infected.
      You'll need some kind of firewall to warn you when unknown processes access the internet, otherwise you won't see the infection.

      Google for: exchange webmail url

      I think it's either redalto or xiquest that's hosting this new virus. It's not detected by any scanners yet.

      Do a "dir /s" on your %appdata%/roaming folder and your IE temp files folder before visiting. The payload .EXE files appear there right after you load the web page.

      They're probably 100% random names - mine were wycuin.exe (the payload) and mor.exe (the loader)

      I *hate* the idiots who allowed this exploit info to go public before a patch is out - look how many millions of victims are now going to have to clean up their PCs!!!!
      anon-coward
      • Not there anymore

        I made the test. Neither redalto or xiquest got any .exe in the mentioned folders. Using Win7/IE9
        ckeledjian
      • Tested here also..

        Tested XP Sp2 /w IE7..
        No infection found on either site.
        Anthony E
    • p.s.

      p.s. judging from datestamps, it looks like it's going after certificates and password cache from your local PC, so don't visit those URLs from any PC with anything important in there.
      anon-coward
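The before-and-after folder listing that anon-coward and the two replies above describe (a "dir /s" of %APPDATA%\Roaming and the IE temporary files folder, then looking for .EXE files that appeared after the page loaded) is easy to get wrong by eye; the script below is an added example, not part of the article or the comments, that takes a file snapshot, waits, and reports new or modified binaries. The Windows 7 "Temporary Internet Files" path and the extra .dll/.scr extensions are my assumptions, not something the thread states.

```python
import os
from pathlib import Path

# Extensions the comment thread is concerned with (.EXE payloads);
# .dll and .scr are an added assumption covering other droppable binaries.
WATCHED = {".exe", ".dll", ".scr"}


def snapshot(root):
    """Record (size, mtime) for every file under root, a saved 'dir /s'."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # file vanished or is locked; skip it
            seen[str(p)] = (st.st_size, st.st_mtime)
    return seen


def diff_snapshots(before, after):
    """Return (new, changed) path lists between two snapshots."""
    new = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return new, changed


def suspicious_binaries(paths):
    """Keep only paths whose extension is a watched executable type."""
    return [p for p in paths if Path(p).suffix.lower() in WATCHED]


def default_roots():
    """Folders named in the comment: %APPDATA% (Roaming) and IE's temp files.
    The Windows 7 temp-files path below is an assumption for this example."""
    appdata = os.environ.get("APPDATA", "")
    local = os.environ.get("LOCALAPPDATA", "")
    ie_temp = os.path.join(local, "Microsoft", "Windows", "Temporary Internet Files")
    return [r for r in (appdata, ie_temp) if r and os.path.isdir(r)]


if __name__ == "__main__":
    roots = default_roots()
    before = {r: snapshot(r) for r in roots}
    input("Baseline taken. Load the page in the browser, then press Enter...")
    for r in roots:
        new, changed = diff_snapshots(before[r], snapshot(r))
        for p in suspicious_binaries(new):
            print("NEW binary:", p)
        for p in suspicious_binaries(changed):
            print("MODIFIED binary:", p)
```

Run it once on a clean machine first: legitimate browser cache churn shows up as new files too, which is why the output is filtered to executable extensions rather than every change.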