DIGGING FOR IE11 SANDBOX ESCAPES presented at BlackHatUS 2014

by James Forshaw,

Summary : In June 2013, Microsoft started the first of their new bug-bounty programs, focusing on finding vulnerabilities in IE11 on the upcoming Windows 8.1 OS. Rather than spending my time fuzzing for RCEs, I focused on pure logic bugs and the best place to find them was in the sandbox implementation. As IE11 defaults to using Microsoft's new Enhanced Protected Mode (EPM) sandbox that repurposes Windows 8's App Container mechanism to more heavily restrict access to securable resources, it would seem to be a tough challenge, but it turned out not to be the case.
This workshop will contain a deep-dive into the 4 sandbox escapes I discovered during the 30-day bug bounty period, some which have been present since Vista and IE7. I'll run through the process I undertook to find these vulnerabilities, giving time to go in-depth on how to investigate the IE11 sandbox, run your own code and analyze the attack surface. Sample source code for all issues will be provided for use to allow you to test the issues out yourself.
In order to participate in the workshop, an installation of Windows 8.1 RTM will be required along with common tools such as Visual Studio 2013 and IDA Pro to analyze and develop the sandbox escape examples.