Microsoft paid out two huge bounties for the same bug in its June patch

The same bug that earned one researcher $50,000 from Microsoft also earned another researcher $100,000.

Tencent researcher Yang Yu, the finder of the so-called BadTunnel bug that Microsoft patched last month, wasn’t the only one rewarded for reporting the issue. Moritz Jodeit, a researcher with German security firm Blue Frost Security, picked up $100,000.

BadTunnel was notable since it affected every version of Microsoft's operating system back to Windows 95. But while Yu's find had a wide impact, Jodeit used the same bug to bypass many of the latest technologies Microsoft employs to prevent exploits from working, which could also have implications for its latest and most secure browser, Edge for Windows 10.

Jodeit has previously sketched a rough outline of the bug and confirmed he had received the highest reward available under Microsoft’s Mitigation Bypass Bounty. However, he drew attention to the bug in a tweet today since it was recently confirmed he will present his work at the Hack in the Box conference in Singapore this August.

Jodeit provides a slightly more detailed account of the vulnerability here, and highlights the numerous defences in Internet Explorer 11 he had to bypass to gain remote code execution, giving him complete control over the computer.

The researcher notes that while his exploit wasn’t for Edge, Edge does share common protections with Internet Explorer 11.

Some of these exploit mitigations in both Edge and Internet Explorer 11 include Address Space Layout Randomisation, Data Execution Prevention, and Control Flow Guard.

“If you managed to bypass all of these and you successfully turned your bug(s) into remote code execution, you are trapped inside a sandbox which needs to be escaped,” Jodeit notes.

He will detail how he bypassed these mitigations and discuss the exploit he created to bypass the latest version of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) 5.5.

“We'll present all the techniques which we used to write a stable exploit for IE 11 (64-bit) running on Windows 10 including an Enhanced Protected Mode (EPM) sandbox escape and a generic way to bypass the latest version of EMET 5.5 as well,” he wrote.

The researcher says he found an initial vulnerability in the JavaScript implementation of Internet Explorer 11, which he turned into a “full memory read/write primitive by exploiting IE's custom heap allocator.”

“Subsequently we'll present a technique we used to bypass Control Flow Guard (CFG) to gain initial code execution within the sandbox. We'll talk about our line of thought (and some failures) when trying to find a way to escape the EPM sandbox and finally present a purely logic-based vulnerability which successfully allowed us to escape the sandbox. Lastly we'll show a generic way which enabled us to successfully bypass the latest version of EMET within our exploit.”

The researcher’s talk will be on August 26, at the Hack in the Box conference in Singapore.
