Pwn2Own Unicorn challenge should use IE 32-bit

05 Feb 2014

Update: As Fermin J. Serna pointed out, 64-bit IE is harder to exploit. My goal in this post was to show that EMET has diminishing returns for targets that are already well protected, so if the goal of the challenge is to exercise EMET, then 32-bit IE is a better target. Also, as Jonathan Ness pointed out, 64-bit IE on Windows 8.1 x64 still uses 32-bit processes for its tabs unless the user takes special configuration steps, so he is seeking clarification from ZDI as to whether the process that gets exploited will actually be 64-bit or not.

This year's Pwn2Own prize at CanSecWest features a Grand Prize of $150K for a "Unicorn Exploit" that works on the following:

SYSTEM-level code execution on Windows 8.1 x64 on Internet Explorer 11 x64 with EMET (Enhanced Mitigation Experience Toolkit) bypass

Another post on the site explains "The third and ultimate test for our contestants is to break through EMET protections and truly control the computer."

EMET is awesome, and I highly recommend everyone on Windows use it, but you get the most value out of EMET when you use it to secure an older OS running older software. When you use a more modern environment, you already get a lot of protections without EMET. Using the Pwn2Own Unicorn challenge as an example, here are the protections EMET offers and which of those you already have without EMET.

| EMET Protection | Added security? | Explanation |
| --- | --- | --- |
| DEP | No | 64-bit processes have DEP enabled by default, and IE is compiled for DEP as well. |
| SEHOP | No | SEHOP is not relevant to 64-bit processes. |
| ASLR | No | IE 11 already has ASLR enabled. |
| Certificate Pinning | No | According to the EMET User Guide (page 17, table 6), Certificate Pinning does not work in Windows 8. I don't have a system to test with to confirm, but this wouldn't be a relevant protection for this competition anyway. |
| Null page | No | Windows 8 already protects the Null page. |
| Heap spray | Yes | EMET pre-allocates 14 specific pages that are commonly used in heap sprays. However, those are the addresses commonly used in 32-bit heap sprays, not 64-bit ones. I'd also like to say heap sprays aren't as useful in 64-bit processes, but Ivan Fratric proved that wrong, and he did it for IE 11 64-bit on Win 8.1 (the same set-up this prize is for)! Someone buy that man a beer. |
| EAF | Yes | Works, but there are a couple of known ways of bypassing it; see my paper EMET 4.1 Uncovered. |
| Anti-ROP (LoadLib, MemProt, Caller, SimExecFlow, StackPivot) | No | EMET does not apply any of the Anti-ROP protections to 64-bit processes. |
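
Since the whole table hinges on whether the process that renders content is 32-bit or 64-bit, it is worth checking that on the box itself rather than assuming from the shortcut you clicked. The following PowerShell snippet is an example added to this post (it is not EMET tooling or anything from the original text): it lists every running iexplore.exe, tells the frame process from the tab processes by the SCODEF: marker in the tab command line, calls kernel32's IsWow64Process to find the bitness, and prints which of the EMET 4.1 mitigations from the table would actually reach that process. The mapping of mitigations to bitness is taken from the table above; the assumption is a 64-bit Windows 8.1 host and that you run it as the user who launched IE (or elevated) so the process handles can be opened.

```powershell
# Added example, not from the original post: report the bitness of each
# Internet Explorer process and which EMET 4.1 mitigations apply to it.
# Assumes 64-bit Windows; run as the IE user or elevated to open handles.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64Process);
'@

# Mitigations that reach a process of each bitness, per the table in this post.
# SEHOP and the Anti-ROP family are 32-bit only; DEP and ASLR add nothing that
# IE 11 on Windows 8.1 does not already have.
$emetApplies = @{
    'x86'   = 'DEP SEHOP ASLR NullPage HeapSpray EAF Anti-ROP'
    'AMD64' = 'HeapSpray EAF (SEHOP and Anti-ROP not applied; DEP/ASLR already on)'
}

function Get-ProcessBitness {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    # On a 32-bit OS every process is 32-bit and IsWow64Process is moot.
    if (-not [Environment]::Is64BitOperatingSystem) { return 'x86' }
    $isWow64 = $false
    if (-not [Win32.Native]::IsWow64Process($Process.Handle, [ref]$isWow64)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "IsWow64Process failed for PID $($Process.Id) (Win32 error $err)"
    }
    # A WoW64 process on a 64-bit OS is a 32-bit process.
    if ($isWow64) { 'x86' } else { 'AMD64' }
}

# WMI gives the command line, which distinguishes the frame process from the
# tab processes (tabs are started with "SCODEF:<frame pid> CREDAT:<n>").
Get-WmiObject Win32_Process -Filter "Name='iexplore.exe'" | ForEach-Object {
    $proc = Get-Process -Id $_.ProcessId -ErrorAction Stop
    $bits = Get-ProcessBitness -Process $proc
    [pscustomobject]@{
        PID         = $_.ProcessId
        Role        = if ($_.CommandLine -match 'SCODEF:') { 'tab (renders content)' } else { 'frame' }
        Bitness     = $bits
        EmetApplies = $emetApplies[$bits]
    }
} | Format-Table -AutoSize
```

The row to look at is the one marked "tab (renders content)": that is the process an exploit lands in. If it shows x86 on a 64-bit IE install, the Anti-ROP mitigations are in play regardless of what the frame process reports; if it shows AMD64, only the Heap Spray and EAF rows from the table are doing any work.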

Conclusion

The only protections EMET is adding for this challenge are the Heap Spray and EAF protections, which are by far the easiest of the protections to bypass. So the additional $50K for this challenge, over the $100K browser bounty for IE 11, is really for getting SYSTEM-level execution. This challenge would actually be more difficult if this was for IE 11 32-bit, because then you'd have to circumvent the Anti-ROP protections from EMET. There are known ways of circumventing these as well, but it's at least a little more challenging.

Greetz to @InsanityBit for pointing this out