This year Andy and I were finally able to take part in the Pwn2Own contest during the CanSecWest conference in Vancouver. We won the Internet Explorer 11 competition by compromising a fully-patched Windows 8.1 (x64) system.
For successful exploitation we abused three distinct vulnerabilities:
- Two Internet Explorer 11 use-after-free vulnerabilities, which bypassed ASLR/DEP and gave us userland code execution.
- One Windows kernel vulnerability to escape the Internet Explorer sandbox and execute code with SYSTEM privileges.
The vulnerabilities have been patched in the Microsoft Security Bulletins MS14-035, MS14-037 and MS14-040.
The vulnerability analysis, a detailed description of the exploitation process and the patch analysis can be downloaded HERE.
Hopefully see you at next year's Pwn2Own! :)
Sebastian