Wednesday, March 24, 2010

Windows 7 And IE8 Fall At Pwn2Own

So far the hackers are three for three at Pwn2Own, with the ZDI now confirming that Windows 7 and Internet Explorer 8 have fallen.

@thezdi Peter Vreugdenhil (@WTFuzz) succeeded against Internet Explorer 8 on Windows 7 with a technically impressive exploit bypassing DEP.

It'll be interesting to see if the rest of the smartphones the, RIM Blackberry Bold 9700, Nokia E72 device running Symbian and HTC Nexus One running Android as well as the two browsers Google Chrome 4 and Mozilla Firefox 3 can withstand the onslaught.

Update: Via Threat Post
Dutch hacker Peter Vreugdenhil pulled off an impressive CanSecWest Pwn2Own victory here, hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.

Vreugdenhil, an independent researcher who specializes in finding and exploiting client-side vulnerabilities, used several tricks to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two significant security protections built into the Windows platform.

“I started with a bypass for ALSR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass,” he added.

Update: Via PCWorld

"[The exploit] reuses Microsoft's own code to disable DEP," said Vreugdenhil. "You can reuse Microsoft's own code to disable memory protection."

In a paper he published today ( download PDF ), Vreugdenhil spelled out how he evaded both ASLR and DEP in more detail.

"It was a two-step exploitation," Vreugdenhil said of the unusual attack. "I could have done it with one, but it would have taken too long." Using the double-exploit technique gave him control of the machine in a little over two minutes; if he had used only one exploit, the task would have required 50-60 minutes.

"I didn't know how much time I would have at Pwn2Own," he said, referring to the constraints of the contest, where hackers had limited time slots. And he didn't want to bore his audience. "I put some eye candy in the exploit," he said, referring to a progress bar he inserted that read "Please be patient while you are being exploited..."

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you