Channel: BOT24

AFD.SYS DANGLING POINTER VULNERABILITY [PDF]

This paper provides an in-depth analysis of a vulnerability in the “Ancillary Function Driver”, AFD.sys, as well as a detailed description of the exploitation process.

AFD.sys is responsible for handling Winsock network communication and is included in every default installation of Microsoft Windows from XP to 8.1, including Windows Server systems.

The vulnerable code can be triggered from userland regardless of the integrity level (“IL”) of the calling process, and can therefore be abused to break out of restricted application sandboxes. This vulnerability was used during Pwn2Own 2014 to win the Internet Explorer 11 competition. It was possible to break out of Internet Explorer’s sandbox running under “AppContainer” IL and to execute arbitrary code with kernel privileges on a fully-patched Windows 8.1 (x64) system.


More here: http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
