The latest version of Internet Explorer 11 running on Windows 10 comes with a plethora of exploit mitigations which try to put a spoke in an attacker’s wheel. Although Microsoft just recently introduced their new flag ship browser Edge, when it comes to exploit mitigations many of the mitigations found in Edge are also present in the latest version of Internet Explorer 11. The goal of these mitigations is to make exploit development as hard and costly as possible. Some mitigations which usually need to be overcome are ASLR, DEP, CFG, Isolated Heap and Memory Protector to just name a few. If you managed to bypass all of these and you successfully turned your bug(s) into remote code execution, you are trapped inside a sandbox which needs to be escaped. This might require even more bugs and in the case of a kernel vulnerability you are confronted with all the kernel exploit mitigations such as Kernel DEP, KASLR, SMEP, NULL Pointer Dereference Protection and so on. If you then aim for an exploit which continues working under the presence of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) things get even more interesting.
Although all of this can make the exploit development process really tough, with the right vulnerability at hand it’s still possible to develop working exploits without caring too much about most of these mitigations. This is particularly true if you don’t go the standard route of ROPing into your shellcode but reuse existing functionality inside the browser itself for remote code execution.
In this presentation we describe all the details about our submission to the Microsoft Mitigation Bypass Bounty program for which we were awarded the highest bounty payout of $100,000 USD. We’ll present all the techniques which we used to write a stable exploit for IE 11 (64-bit) running on Windows 10 including an Enhanced Protected Mode (EPM) sandbox escape and a generic way to bypass the latest version of EMET 5.5 as well.
We will start by talking about a vulnerability we identified in the JavaScript implementation of Internet Explorer 11 and see how we turned the initial vulnerability into a full memory read/write primitive by exploiting IE’s custom heap allocator. Subsequently we’ll present a technique we used to bypass Control Flow Guard (CFG) to gain initial code execution within the sandbox. We’ll talk about our line of thought (and some failures) when trying to find a way to escape the EPM sandbox and finally present a purely logic-based vulnerability which successfully allowed us to escape the sandbox. Lastly we’ll show a generic way which enabled us to successfully bypass the latest version EMET within our exploit.
No shellcode or ROP gadgets were used in the whole exploit. We’ll talk about the benefits of data-only attacks, take a quick look at how Microsoft fixed/mitigated the reported vulnerabilities and techniques and finally conclude with some future possibilities for similar attacks in IE 11 and other browsers.
