This year Andy and I were finally able to take part in the Pwn2Own contest during the CanSecWest conference in Vancouver. We won the Internet Explorer 11 competition by compromising a fully-patched Windows 8.1 (x64) system.
For successful exploitation we abused three distinct vulnerabilities:
- Two Internet Explorer 11 Use-After-Frees which evaded ASLR/DEP and gave us userland code execution
- One Windows Kernel vulnerability to escape the Internet Explorer sandbox and execute code with SYSTEM privileges.
The vulnerabilities have been patched in the Microsoft Security Bulletins MS14-035, MS14-037 and MS14-040.
The vulnerability analysis, a detailed description of the exploitation process and the patch analysis can be downloaded HERE.
Hopefully see you at next year's Pwn2Own! :)