James Forshaw Presents at Hack In The Box - Amsterdam
In June 2013 Microsoft started the first of their new bug-bounty programs, focusing on finding vulnerabilities in IE11 on the upcoming Windows 8.1 OS. Rather than spending time fuzzing for RCEs, James instead focused on pure logic bugs, and the best place to find them was in the sandbox implementation. As IE11 defaults to using Microsoft’s new Enhanced Protected Mode (EPM) sandbox, which repurposes Windows 8’s App Container mechanism to more heavily restrict access to securable resources, it would seem to be a tough challenge, but it turned out not to be the case.
James' presentation fully details 4 sandbox escapes he discovered during the 30-day bug bounty period, some of which have been present since Vista and IE7. Each one is a different issue; none of them required any memory corruption or kernel vulnerabilities. He also provides a bit of background about how he found these issues, how to start probing the IE sandbox attack surface, and some interesting behaviour in the way EPM is implemented which might lead to further vulnerabilities being discovered.
To preview the presentation please click here.