With security as one of its design fundamentals, Microsoft Edge browser is one of the most secure browsers around. How difficult is it to find remote code execution exploits in the Edge browser?
To answer this question we spent time researching various attack surfaces in the Edge browser and came away with an answer – go in through the ChakraCore engine.
ChakraCore is the core of Microsoft’s next generation JavaScript engine that powers Microsoft Edge. Since it is open sourced, we can manually audit the code. Our code auditing resulted in 20+ exploitable vulnerabilities and 10+ working exploits on Windows 10 and the 64-bit Edge browser.
In this presentation, we will first introduce some special characteristics (mostly new characteristics compared to the old Internet Explorer JavaScript engine) of the ChakraCore engine where we can find exploitable vulnerabilities. With these exploitable vulnerabilities in hand, the next thing to do is to turn them into working exploits.
We will introduce some new exploit techniques based on the features of ChakraCore itself and show how to pull off reliable heap feng shui in the Chakra engine. We will also introduce our unpublished CFG (Control Flow Guard) bypass methods, which won Microsoft’s mitigation bypass bounty reward, and demonstrate how to bypass the newly added RFG (Return Flow Guard) mitigation introduced in the Windows RS2 preview.
As a bonus, we will disclose the details of several real 64-bit Edge exploits, including the one we used to win PwnFest 2016 (http://pwnfest.org/).