Digging for IE11 Sandbox Escapes Part 2

Offered By: Black Hat via YouTube

Course Description

Overview

Explore advanced techniques for discovering and exploiting Internet Explorer 11 sandbox escapes in this 40-minute Black Hat conference talk. Delve into the methodology used to uncover four sandbox vulnerabilities during Microsoft's bug bounty program for IE11 on Windows 8.1. Learn how to investigate the IE11 sandbox, execute custom code, and analyze potential attack surfaces. Gain insights into the Enhanced Protected Mode (EPM) sandbox and its implementation of Windows 8's App Container mechanism. Examine security flaws present since Vista and IE7, and receive sample source code to test these issues firsthand. Understand the intricacies of elevation policies, COM interfaces, the .NET Deployment Service, and various broker mechanisms within the IE11 ecosystem. Discover techniques for bypassing prompts, executing arbitrary code, and exploiting out-of-process storage vulnerabilities. Requires Windows 8.1 RTM, Visual Studio 2013, and IDA Pro for hands-on participation.

Syllabus

Intro
Security in Elevation Policy
Default Applications
COM Elevation Policy
.NET Deployment Service (DFSVC)
MSCORLIB Type Library
Exploiting The Vulnerability
IEUserBroker Interface
Shell Document View Broker
IE Recovery Store
Built-in Implementations
Attacking Out Of Process Storage
Supported Interfaces
Complex Interface
Installing an ActiveX Control
Prompt Bypass
Calling Sequence
Executing Our Own Code


Taught by

Black Hat
