Microsoft Bounty Winner Finds Payoff Outside Comfort Zone

James Forshaw generally prefers finding bugs in code logic than memory corruption issues, but he admits he was incentivized by Microsoft’s $100,000 mitigation-bypass bounty.

Give James Forshaw a good logic bug over a memory-corruption vulnerability any day of the week.

The British researcher says he would rather manipulate weaknesses in code to climb out of an application sandbox than turn a fuzzer against a piece of software and spot a memory leak. But incentivized by Microsoft’s recent announcement that it was offering serious money for novel mitigation-bypass techniques, the temptation was too great for Forshaw to pass up.

The payoff came on Tuesday when after six weeks of research and tweaking exploit code, Forshaw was awarded $100,000 for as-of-yet unnamed bypass of Windows memory protections. The majority of the money, along with a similar $9,400 Internet Explorer bounty paid out on Monday, will go to Forshaw’s employee Context Information Security of London to fund the security research team there.

“[Microsoft] has pretty much banned me from specifying any detail,” Forshaw said. “What I can share is that it’s a bypass for a number of platform mitigations that allows you to get code execution without troubling DEP or ASLR.”

Data Execution Prevention and Address Space Layout Randomization are exploit mitigations native to Windows, and other operating systems, that are supposed to prevent code from executing in areas of memory where it should not. Numerous exploits, including a recent Internet Explorer zero day, have been able to defeat or sidestep both mitigations, but that doesn’t mean it’s not a challenge to researchers and hackers alike.

“So I have written exploits that go after these sorts of technologies in the past; there are different ways of defeating ASLR and DEP to get information leaks or get DLLs to work that are not ASLR-enabled (such as the IE zero day managed),” Forshaw said. “But I’m more of a logic bug finder than memory corruption.”

Earlier this year at Pwn2Own, Forshaw cashed in with a Java exploit for a vulnerability in a trusted class in the Java framework that allowed him to bypass the sandbox and execute code remotely. That Java bug was patched in April with the release of Java 7u21 and the researcher explained in a blogpost shortly thereafter that his code allowed him to disable the security manager in Java and run malicious code as trusted.

Microsoft engineer Thomas Garnier also found a similar attack as the one submitted by Forshaw, but Microsoft senior security strategist Katie Moussouris said Forshaw’s entry was worthy of a full payout, the first since the bounty was announced.

“Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty,” Moussouris said.

Forshaw said he spent three weeks doing research related to his bypass.

“Once I came up with something I felt was viable, I submitted it and learned two weeks ago Microsoft had accepted the entry,” Forshaw said. “I think I was sort of about 50 percent it was going to be accepted. There were a few things which it wasn’t clear from the rules whether it would meet their bar. There are seven criteria to meet, and I felt met them all, but it was a bit of a tense time.”

According to Microsoft, bypass submissions must demonstrate a novel way of exploiting a remote code execution vulnerability in Windows and must be capable of exploiting an application that makes use of stack- and heap-corruption mitigations as well as code-execution mitigations. The bypass must also meet seven criteria: it must be generic in that it’s applicable to more than one memory corruption vulnerability; the exploit must be reliable and have reasonable requirements; it must be applicable to a high-risk application such as a browser or document reader; it must be applicable to user mode applications; it must also target the latest version of a Microsoft product; and it must be novel, Microsoft said.

“It was the aspect of novelty I was worried about,” Forshaw said. “I couldn’t say for certain no one had ever used it before. I did my due diligence on my technique to see whether it had been published or used in anger before. I couldn’t find anything.”

While winning more than $100,000 this week may keep the accountants at Context smiling, Forshaw also took satisfaction in knowing he was on a similar track as a Microsoft engineer intimate with Windows code.

“There are quite clever people at Microsoft actively looking at these things. Beating them is quite a challenge,” Forshaw said, adding he much prefers these types of defensive-oriented competitions. “I think it’s certainly an interesting approach to take, focusing more on the defensive than offensive side. Only Microsoft is in position to do that; Google might be able to as well with the Chrome OS. Microsoft is wise to choose this approach versus an all-out free-for-all to find bugs.”

Image courtesy Nick Ares

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.