Slashdot Mirror


Pwn2Own Day 1: Hackers Earn $280k For Hacking Chrome, Flash, Safari (securityweek.com)

wiredmikey writes: Pwn2Own 2016 contestants hacked Apple's Safari Web Browser, Adobe Flash Player and Google Chrome, and earned more than $280,000 on the first day of the competition taking place this week alongside the CanSecWest conference in Vancouver, Canada. This is the first edition of Pwn2Own where contestants have been invited to escape a VMware virtual machine for a bonus of $75,000, though there has not been a successful exploit yet in this class by any contestant this week. It remains to be seen if contestants manage to surpass last year's total payout, when white hat hackers earned $552,000 at Pwn2Own.

39 comments

  1. They're all guilty by Anonymous Coward · · Score: 1

    They're hackers.

    1. Re:They're all guilty by invictusvoyd · · Score: 2

      They are crackers to be precise.

    2. Re:They're all guilty by Lumpy · · Score: 2

      No,

      not all of them are white. Don't assume race, man!

      --
      Do not look at laser with remaining good eye.
    3. Re:They're all guilty by Anonymous Coward · · Score: 0

      They are crackers to be precise.

      I don't think they own any slaves.

    4. Re:They're all guilty by Austerity+Empowers · · Score: 2

      #saltinelivesmatter

    5. Re:They're all guilty by Anonymous Coward · · Score: 0

      Horribly unclever.

  2. VM escapes by swb · · Score: 2

    I keep waiting for someone to find a vulnerability in VMware that lets a VM keep running without appearing in inventory. Bonus points if it can vMotion itself and have access to the management side to manipulate networks.

    1. Re:VM escapes by NatasRevol · · Score: 1

      It's not a vulnerability, but you can hide it completely from displayed inventory (vCenter) by taking away access from vpxuser. Or from root on a standalone ESXi instance.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:VM escapes by castionsosa · · Score: 1

      I can see a VM playing games with hitting the vCPU hard so DRS rules kick off and bounce the VM around to different physical ESXi boxes, and then using timing techniques, check to see which ESXi box it is sitting on, in order to move to a particular node in a vSphere cluster.

      If a VM can get access to the management interface [1], that would be game over. From there, it would be a matter of brute forcing users (although 6.0 will lock the account for 120 seconds after ten bad guesses) to get access to critical stuff.

      [1]: Other than being explicitly configured to have access, via SR-IOV or a vSwitch.

    3. Re:VM escapes by Anonymous Coward · · Score: 0

      What benefits would there be to an attack of relocating a VM to a specific host or is it only useful as part of another attack? If your vSwitches are configured properly, surely it shouldn't be possible for it to get onto a network segment with a management interface? Are those two different points or one?

    4. Re:VM escapes by castionsosa · · Score: 1

      Two different points. If one has a clue, it isn't hard to ensure that a VM doesn't have access to the management network. However, if there is a weakness in the hypervisor, a rogue/compromised VM getting access to that isn't a good thing.

      However, being able to use DRS so a VM physically runs on a box (perhaps to use a hardware security hole with the physical CPU like RAM row hammering) is one attack vector that can come into play. It is relatively minor, but it is present.

    5. Re:VM escapes by Bert64 · · Score: 1

      If you can cause the account to be locked for 2 minutes by making 10 attempts, then you could rapidly make intentionally bogus login attempts and render all accounts inaccessible, which would be somewhat painful to fix.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:VM escapes by Anonymous Coward · · Score: 0

      Can't log in to stop it? That would really suck.
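The lockout denial of service Bert64 describes above, as an added illustration (editor's example, not code from the thread or from VMware, and not vSphere's actual login logic): a toy policy engine with the thresholds from the comment, ten bad guesses and a 120 second lock, where the only difference between the two policies is whether a failure is charged to the target account or to the client that made it. Account ids, source ids and the `password_ok` flag are constructed inputs; there are no real credentials.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ACCOUNTS   8
#define MAX_SOURCES    8
#define LOCK_THRESHOLD 10    /* bad guesses before locking, as in the comment */
#define LOCK_SECONDS   120   /* length of the lock, as in the comment */

enum verdict { ALLOW = 0, BAD_PASSWORD = 1, LOCKED = 2 };
enum policy  { PER_ACCOUNT_LOCKOUT, PER_SOURCE_THROTTLE };

struct counter { int fails; long locked_until; };

struct auth_state {
    enum policy policy;
    struct counter accounts[MAX_ACCOUNTS];  /* keyed by account id */
    struct counter sources[MAX_SOURCES];    /* keyed by client source id */
};

void auth_init(struct auth_state *s, enum policy p)
{
    memset(s, 0, sizeof *s);
    s->policy = p;
}

/* One login attempt at time `now` (seconds). `password_ok` is the constructed
 * outcome of the credential check; this toy stores no real passwords. */
enum verdict login_attempt(struct auth_state *s, int account, int source,
                           long now, int password_ok)
{
    /* The only difference between the two policies is which counter a
     * failure is charged to: the target account, or the client making it. */
    struct counter *c = (s->policy == PER_ACCOUNT_LOCKOUT)
                      ? &s->accounts[account]
                      : &s->sources[source];

    if (c->locked_until > now)
        return LOCKED;                   /* refused before any password check */
    if (password_ok) {
        c->fails = 0;
        return ALLOW;
    }
    if (++c->fails >= LOCK_THRESHOLD) {
        c->fails = 0;
        c->locked_until = now + LOCK_SECONDS;
    }
    return BAD_PASSWORD;
}

/* An attacker at `attacker_src` sends LOCK_THRESHOLD wrong passwords to every
 * account, one per second; then the real owner of `victim` logs in from
 * `victim_src` with the correct password. Returns the owner's verdict. */
enum verdict run_scenario(enum policy p, int victim, int victim_src,
                          int attacker_src, int n_accounts)
{
    struct auth_state s;
    long now = 0;

    auth_init(&s, p);
    for (int a = 0; a < n_accounts; a++)
        for (int i = 0; i < LOCK_THRESHOLD; i++)
            login_attempt(&s, a, attacker_src, now++, 0);
    return login_attempt(&s, victim, victim_src, now, 1);
}

int main(void)
{
    printf("per-account lockout: owner's verdict = %d (2 = LOCKED)\n",
           run_scenario(PER_ACCOUNT_LOCKOUT, 3, 1, 7, MAX_ACCOUNTS));
    printf("per-source throttle: owner's verdict = %d (0 = ALLOW)\n",
           run_scenario(PER_SOURCE_THROTTLE, 3, 1, 7, MAX_ACCOUNTS));
    return 0;
}
```

Under the per-account policy the owner's correct password is refused because the attacker has already spent the ten guesses on that account; under the per-source policy the attacker's own client is what gets locked after ten failures and the owner, coming from a different source, is unaffected. Per-source throttling has its own gaps (many sources behind a botnet, legitimate users sharing a NAT address), which is why practical designs combine it with exponential backoff and alerting rather than relying on a hard account lock alone.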

  3. Wrong subsequent links by kav2k · · Score: 4, Informative

    All three links lead to the same article, which seems to be a copy&paste oversight.

    I believe the second link was meant to be http://www.securityweek.com/ha... and the third http://www.securityweek.com/re...

    1. Re:Wrong subsequent links by AmiMoJo · · Score: 1

      I seem to recall this year Firefox is not being included in the competition, because it's too easy. Can someone confirm?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Wrong subsequent links by Khyber · · Score: 1

      Too easy. In fact, just getting my game running under Firefox exposed at least half a dozen vulnerabilities in the way they handle WebGL and Canvas2D.

      Chrome isn't MUCH better, but at least it can handle WebGL failures gracefully.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:Wrong subsequent links by RebelWebmaster · · Score: 1

      Hopefully you filed bugs for the issues you encountered? https://bugzilla.mozilla.org/e...

    4. Re: Wrong subsequent links by Anonymous Coward · · Score: 0

      No, it was because there were no new security features in Firefox.

    5. Re:Wrong subsequent links by thegarbz · · Score: 1

      I hope he didn't. The only response you'll get is WebGL removed from Firefox because it's "what users wanted".

    6. Re:Wrong subsequent links by Anonymous Coward · · Score: 0

      Uh, what are you talking about? Is this one of those weird "someone's patch was rejected so it's pointless to contribute to Mozilla any more" arguments?

    7. Re:Wrong subsequent links by Khyber · · Score: 1

      As if Mozilla even truly has the resources to fix half of the shit they're tossing into their browser in the name of 'competing and being cutting-edge.'

      Bitch too much about it, they'd remove it entirely.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  4. Pwn2Own is too narrow in the scope by sinij · · Score: 1

    Pwn2Own is too narrow in the scope. Discovering and disclosing vulnerabilities in browsers is certainly a useful public service, but this isn't anywhere near the most harmful. Where are attacks against web servers, databases, cryptographic protocols, SCADA and so on?

    1. Re:Pwn2Own is too narrow in the scope by Khyber · · Score: 1

      The browser is one of the most common vectors to compromise a system. Why would you NOT attack it when it's proven to be horrendously weak?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:Pwn2Own is too narrow in the scope by Anonymous Coward · · Score: 0

      Weak AND ubiquitous.

    3. Re:Pwn2Own is too narrow in the scope by Bert64 · · Score: 3, Insightful

      Because browsers have a very large, very public attack surface and come from the desktop mentality where security wasn't even considered until recently...

      Databases etc *should* have limited exposure to untrusted networks, and thus less attack surface - you typically interact with a frontend application rather than directly with the database for instance.

      Webservers are obviously inherently public, but security on web servers has been a serious concern for a long time plus the typical web server is far less complex than a browser. Most web based vulnerabilities these days exist in individual applications rather than the web server software itself.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  5. Very happy... by Anonymous Coward · · Score: 0

    I'm very happy to hear that VMware is still a very strong and secure sandbox...

    CAP === 'transit'

    1. Re:Very happy... by castionsosa · · Score: 4, Informative

      Virtualization is one of the biggest defensive tools we have against compromise. From being able to roll back or discard/spin up a VM if it is compromised to popping snapshots of disk and memory and scanning those for running malware, or just to keep bad stuff from trying to flash firmware to a real device like a bare metal hard disk, virtualization is a must.

      My concern is that it isn't just the ESXi hypervisor that keeps the bad guys out. There are four main hypervisors out there that need to be looked at: ESXi, Hyper-V, Linux KVM, and Xen, with Xen giving way to KVM. There are also containers like LXC and Docker that are important as well. I can see KVM being more of an issue over time as OpenStack goes from "cool toy" to production quality.

      The good thing is that hypervisors in general have a limited attack surface, run relatively few applications, and tend to have a better focus on security than general operating systems.

    2. Re: Very happy... by WarJolt · · Score: 1

      The most likely exploit on a Hypervisor is with a Paravirtualized driver.

      I used to crash VirtualBox trying to run OpenGL on an Ubuntu guest. If I recall correctly it was crashing because VB didn't support some shared OpenGL context thing. If it's running with graphics it shouldn't take long to exploit.

  6. Flash? by Drathos · · Score: 5, Funny

    I hope the prize for hacking Flash was like 5 bucks..

    Talk about low hanging fruit...

    --
    End of line..
    1. Re:Flash? by Anonymous Coward · · Score: 0

      Talk about low hanging fruit...

      My balls...

    2. Re:Flash? by Anonymous Coward · · Score: 1

      I'm still in shock that they accepted Flash exploits this year, but not Firefox ones. That's like being upset about the Titanic when there are aliens hovering over every major landmark with their death cannons trained on them.

  7. How exciting! by MachineShedFred · · Score: 1

    Since when is cracking Flash considered to be some feat of hacking genius? I'd be more interested if someone could make Flash secure without disabling and deleting it completely.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re: How exciting! by Anonymous Coward · · Score: 0

      The interesting part is that no one has cracked Microsoft Edge yet.

      -imprezza86

    2. Re: How exciting! by Anonymous Coward · · Score: 0

      That's because no one uses it. Notice something about the targets? They all have enormous install bases.

    3. Re: How exciting! by Khyber · · Score: 1

      Edge attacks itself. Try to get my game running on it, it horks and dies.

      Can't hack something that's dead on arrival.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re: How exciting! by Gadget_Guy · · Score: 2

      That's because no one uses it. Notice something about the targets? They all have enormous install bases.

      Sigh. This is one of the excuses that people make when their preferred browser gets hacked first (especially if a Microsoft one wasn't hacked). The order in which targets and teams are scheduled is decided by random draws.

      The targets today included Adobe Flash on Microsoft Edge. That attack failed. Tomorrow, two other teams are scheduled to take on MS Edge, so maybe they will have more success.

    5. Re:How exciting! by Anonymous Coward · · Score: 0

      If I had to guess, it is because of recent changes to Flash making it (bite my tongue) a bit more secure. For example, using isolated heaps for (more) dangerous data constructs. Even Zerodium has increased its payouts for Flash exploits recently.
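What the isolated-heap mitigation mentioned above actually buys, as an added illustration (editor's example with a deliberately tiny allocator; not Flash's allocator, nor any real one): a size-class bin with a LIFO free list, a handler object that carries a code pointer, and a use-after-free in which the attacker allocates a same-size byte string hoping to reclaim the freed slot. Passing one pool for both types models a shared heap; passing two pools models an isolated heap. The `struct handler` type, the 0x41 fill and the pool sizes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 32   /* one size class; every object here is 32 bytes */
#define SLOTS 4

/* A bin of equal-sized chunks with a LIFO free list: the most recently freed
 * chunk is the next one handed out, as in the fast paths of real allocators. */
struct pool {
    _Alignas(16) unsigned char mem[SLOTS][CHUNK];
    int free_stack[SLOTS];
    int n_free;
};

void pool_init(struct pool *p)
{
    p->n_free = 0;
    for (int i = SLOTS - 1; i >= 0; i--)
        p->free_stack[p->n_free++] = i;
}

void *pool_alloc(struct pool *p)
{
    return p->n_free ? p->mem[p->free_stack[--p->n_free]] : NULL;
}

void pool_free(struct pool *p, void *ptr)
{
    int idx = (int)(((unsigned char *)ptr - &p->mem[0][0]) / CHUNK);
    p->free_stack[p->n_free++] = idx;   /* no scrubbing, like most allocators */
}

/* Victim type: an object carrying a code pointer, the classic target of a
 * use-after-free. sizeof(struct handler) == CHUNK. */
typedef void (*handler_fn)(void);
struct handler {
    handler_fn fn;
    char name[CHUNK - sizeof(handler_fn)];
};

void legit_handler(void) { }

/* Runs a use-after-free. `obj` is the pool handlers live in; `str` is the
 * pool an attacker-controlled byte string is allocated from. The same pool
 * twice models a shared heap; two different pools model an isolated heap.
 * Returns 1 if the stale handler's fn now holds attacker bytes. */
int uaf_hijacks_fn(struct pool *obj, struct pool *str)
{
    struct handler *h = pool_alloc(obj);
    h->fn = legit_handler;
    strcpy(h->name, "onclick");

    struct handler *dangling = h;       /* a reference the program forgot */
    pool_free(obj, h);                  /* ...and then freed the object */

    /* Attacker step: allocate same-size data filled with a chosen value,
     * hoping it lands where the handler used to be. */
    unsigned char *s = pool_alloc(str);
    memset(s, 0x41, CHUNK);

    handler_fn now_in_slot;
    memcpy(&now_in_slot, &dangling->fn, sizeof now_in_slot);
    uintptr_t fake = 0;
    memset(&fake, 0x41, sizeof fake);
    return (uintptr_t)now_in_slot == fake;
}

int main(void)
{
    struct pool shared, objects, strings;
    pool_init(&shared);
    pool_init(&objects);
    pool_init(&strings);
    printf("shared heap:   fn hijacked = %d\n", uaf_hijacks_fn(&shared, &shared));
    printf("isolated heap: fn hijacked = %d\n", uaf_hijacks_fn(&objects, &strings));
    return 0;
}
```

With a shared bin the freed handler slot is exactly what the next same-size allocation receives, so the attacker's bytes become the code pointer the stale reference will call. With the string type carved from its own pool the stale slot is never handed to attacker data of a different type. The bug itself is unchanged: the freed handler can still be reclaimed by another handler, and the dangling reference still exists, which is why isolated heaps are a mitigation that raises the cost of exploitation rather than a fix.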

  8. Mozilla expelled for making them look bad by Anonymous Coward · · Score: 0

    Now we know why Firefox wasn't allowed to compete. It would have made them look bad.