Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference, beginning in 2007. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities.

Winners of the contest receive the device that they exploited, a cash prize, and a "Masters" jacket celebrating the year of their win. The name "Pwn2Own" is derived from the fact that contestants must "pwn" or hack the device in order to "own" or win it. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.




Pwn2Own 2015: Day One results


The contest began hard and fast with Team509 and KeenTeam exploiting Adobe Flash. The team of Zeguang Zhao (Team509), Peter, Jihui Lu, and wushi (KeenTeam) used a heap overflow remote code execution vulnerability in Flash, then leveraged a local privilege escalation in the Windows kernel through TrueType fonts, bypassing all defensive measures. They were awarded $60,000 USD for the Flash bug and a bonus of $25,000 for the SYSTEM escalation.




Nicolas Joly followed with his own exploit of Flash. He used a use-after-free (UAF) remote code execution vulnerability and a sandbox escape directory traversal vulnerability in the Flash broker. He was awarded $30,000 for his efforts. While an excellent bug, the payout ended up lower due to the random drawing – only the first successful entrant in each category is awarded the full payout.



Nicolas continued his exploitation domination by taking down Adobe Reader through a stack buffer overflow – once for an info leak and again for remote code execution. He then leveraged an integer overflow to exploit the broker, netting him a cool $60,000 USD. For the day, that brings his total payout to $90,000 USD. Not bad for writing the final part of the exploit chain on the flight to the conference (according to him).



From there, Peter, Jihui Lu, Wen Xu, wushi (KeenTeam), and Jun Mao (Tencent PCMgr) continued rollin’ in the heap by taking down Adobe Reader with an integer overflow and achieved pool corruption through a different TTF bug. This got them SYSTEM access and a total of $55,000 USD - $30,000 for the Reader bug and another $25,000 bonus for the SYSTEM escalation. Their one-day total stands at a nifty $130,000.



Mariusz Mlynski stepped up to Mozilla Firefox and knocked it out of the park through a cross-origin vulnerability followed by privilege escalation within the browser – all within .542 seconds. This allowed him to execute a logical flaw to escalate to SYSTEM in Windows and take home $30,000 USD for the Firefox bug and an additional $25,000 bonus for the privilege escalation.



Wrapping up day one, a new entrant this year, 360Vulcan Team, was able to exploit 64-bit Microsoft Internet Explorer 11 with an uninitialized memory vulnerability, netting them medium-integrity code execution and $32,500 USD.



That’s quite a first day for all involved. It’s hard to “calc.exe” all the winnings (sorry, pwner pun), but after Day One, the affected product vulnerability count stands at:
3 bugs in Adobe Reader
3 bugs in Adobe Flash
3 bugs in the Windows operating system
2 bugs in Internet Explorer 11
2 bugs in Mozilla Firefox
$317,500 USD bounty paid out to researchers

Pwn2Own 2015: Day Two results

ilxu1a started off Day Two by taking down Mozilla Firefox with an out-of-bounds read/write vulnerability leading to medium-integrity code execution. It happened so quickly that those of us who blinked missed it — although in our defense, it was sub-second execution. He reports he found the bug through static analysis, which is truly impressive. ilxu1a received $15,000 USD for the bug.



For the first of his three targets, JungHoon Lee (lokihardt) took out 64-bit Internet Explorer 11 with a time-of-check to time-of-use (TOCTOU) vulnerability allowing for read/write privileges. He evaded all the defensive mechanisms by using a sandbox escape through privileged JavaScript injection, all of which resulted in medium-integrity code execution. This got his day started out right with a payout of $65,000 USD.



Next, JungHoon Lee (lokihardt) demonstrated an exploit that affects both the stable and beta versions of Google Chrome. He leveraged a buffer overflow race condition in Chrome, then used an info leak and race condition in two Windows kernel drivers to get SYSTEM access. With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and another $10,000 from Google for hitting the beta version for a grand total of $110,000. To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration. There are times when “Wow” just isn’t enough.



For his final act of the competition, JungHoon Lee (lokihardt) took out Apple Safari using a use-after-free (UAF) vulnerability in an uninitialized stack pointer in the browser and bypassed the sandbox for code execution. That netted him another $50,000 USD and brought his daily total to $225,000. This is an amazing accomplishment for anyone, but it’s especially impressive considering he is an individual competitor rather than a team. Well done.



The final entrant in Pwn2Own 2015, ilxu1a, attempted to exploit Google Chrome, but ran out of time before he could get his code working. He told us he was having issues with his info leak. While not a winner on this round, he has won twice before and showed some lovely research on the topic. I’m sure we’ll see him again.



As with every Pwn2Own, all vulnerabilities were disclosed to their respective vendors in our “Chamber of Disclosures,” and each vendor is working to fix these bugs through their own processes.



The final numbers for Pwn2Own 2015 are quite impressive:
5 bugs in the Windows operating system
4 bugs in Internet Explorer 11
3 bugs in Mozilla Firefox
3 bugs in Adobe Reader
3 bugs in Adobe Flash
2 bugs in Apple Safari
1 bug in Google Chrome
$557,500 USD bounty paid out to researchers
