VANCOUVER, BC — Jumping through a series of anti-exploit roadblocks, Dutch hacker Peter Vreugdenhil pulled off an impressive CanSecWest Pwn2Own victory here, hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.
Vreugdenhil, an independent researcher who specializes in finding and exploiting client-side vulnerabilities, used several tricks to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two significant security protections built into the Windows platform.
“I started with a bypass for ASLR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass,” he added.
Vreugdenhil, who won a $10,000 cash prize and a new Windows machine, said he uses fuzzing techniques to find software vulnerabilities. “I specifically looking through my fuzzing logs for a bug like this because I could use it to do the ASLR bypass, he said.
After finding the IE 8 vulnerability, Vreugdenhil said it took about two weeks to write an exploit to get around the ASLR+DEP mitigations.
Members of Microsoft’s IE team were on hand to witness Vreugdenhil’s exploit. A company spokesman said they were not yet aware of the details of the vulnerability but will activate its security response process once the information is collected from the contest organizers.
TippingPoint Zero Day Initiative (ZDI), the company sponsoring the hacker challenge, is expected to send the flaw details to all the affected vendors on Friday March 26, 2010.
