Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities

VANCOUVER -- Using three different vulnerabilities and clever exploitation techniques, Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win this year's CanSecWest hacker challenge.

Fewer (right), a Metasploit developer who specializes in writing Windows exploits, used two different zero-day bugs in IE to get reliable code execution and then chained a third vulnerability to jump out of the IE Protected Mode sandbox.

The attack successfully bypassed DEP (data execution prevention) and ASLR (address space layout randomization), two key protection mechanisms built into the newest versions of Windows.

"I had to chain multiple vulnerabilities to get it to work reliably," Fewer said in an interview.

[ SEE: Safari/MacBook first to fall at Pwn2Own 2011 ]

Technical details of the flaws will be kept under wraps until Microsoft releases a patch.  TippingPoint ZDI, the contest sponsors, own the exclusive rights to the vulnerability information.

For his efforts, Fewer won a $15,000 cash prize and a new Windows laptop.

Fewer said it took about five to six weeks to find the vulnerabilities and write a reliable exploit.  "Writing the exploit was the tricky part.  It was very time consuming, especially bypassing protected mode," he added.

During the contest, he set up a special web page with a link.  Using the target machine, he clicked on a link and immediately launched the calculator app (calc.exe).  He was also required to write to a file to prove that he got out of the low integrity mode.   This proved that he got full user access to the hijacked machine.

[ SEE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches ]

Fewer said the new mitigation technologies being built into modern browsers make it "incrementally difficult" to exploit but insisted that a motivated attacker with enough resources will eventually find a way to write a reliable exploit.

"If you spend long enough looking for bugs, you'll always find something," he added.

Peter Vreugdenhil, a security researcher at HP TippingPoint, described Fewer's exploit as "pretty impressive" because of the Protected Mode bypass.

Vreugdenhil, who won last year's contest with a successful hack of Internet Explorer, said Protected Mode was not trivial to bypass, noting that there is only one publicly documented way to do it.  Fewer's exploit used a brand-new technique to bypass Protected Mode.

Researchers from French pen-testing company VUPEN were also on hand with a fully tested exploit for IE8.