The same team from VUPEN that took down Google Chrome on Wednesday has succeeded in compromising Internet Explorer 9 on Windows 7, using two separate bugs. The success at the Pwn2Own contest was the result of a heap overflow bug in IE as well as a separate bug in the browser’s protected mode.
The heap overflow vulnerability exists in many versions of IE, from version 6 through IE 10, which is in consumer preview right now. Chaouki Bekrar of VUPEN said that the compromise of IE was quite challenging and that it took two of his team members about six weeks of work to find the bugs and make the exploits work.
The bug that enabled the team to break out of IE’s protected mode, which is analogous to the sandbox in Google Chrome, is a memory corruption flaw in protected mode itself. As part of the Pwn2Own contest rules, VUPEN will turn over the heap overflow details to TippingPoint, which runs the contest, and they will then pass the information on to Microsoft. The protected mode bypass, however, will stay in VUPEN’s hands.
The VUPEN team has a large lead in the Pwn2Own contest, after compromising Chrome and IE, as well as writing exploits for several of the public vulnerabilities that TippingPoint handed out at the beginning of the competition. However, another team comprising two former winners, Vincenzo Iozzo and Willem Pinckaers, also has entered the contest. Still, Bekrar said his team didn’t necessarily need to use the IE bugs.
“We dropped it because we could,” he said.
The heap overflow bug that VUPEN used to compromise IE gave the team a foothold in the browser’s low-integrity area; they then used the memory-corruption flaw in protected mode to reach the high-integrity area.
“The Chrome sandbox is much harder to escape for us, because we have the bug in protected mode,” Bekrar said.
The IE bugs enabled the team to bypass ASLR and DEP on Windows, and although the bug also works on IE 10 on Windows 8, Bekrar said that, from what he’s seen of the forthcoming version of the browser, it will be more difficult to exploit.
“IE 10 is more complicated to exploit because they’ve added some protections to make it harder to use memory leaks and use-after-free bugs,” he said. “I think that will make the prizes [in Pwn2Own] go higher.”