Pwn2Own Day 1: Hackers Earn $280k For Hacking Chrome, Flash, Safari (securityweek.com)

← Back to Stories (view on slashdot.org)

Pwn2Own Day 1: Hackers Earn $280k For Hacking Chrome, Flash, Safari (securityweek.com)

Posted by timothy on Thursday March 17, 2016 @01:25AM from the an-honest-living dept.

wiredmikey writes: Pwn2Own 2016 contestants hacked Apple's Safari Web Browser, Adobe Flash Player and Google Chrome, and earned more than $280,000 on the first day of the competition taking place this week alongside the CanSecWest conference in Vancouver, Canada. This is the first edition of Pwn2Own where contestants have been invited to escape a VMware virtual machine for a bonus of $75,000, though there has not been a successful exploit yet in this class by any contestant this week. It remains to be seen if contestants manage to surpass last year's total payout, when white hat hackers earned $552,000 at Pwn2Own.

25 of 39 comments (clear)

Min score:

Reason:

Sort:

They're all guilty by Anonymous Coward · 2016-03-17 01:33 · Score: 1

They're hackers.
1. Re:They're all guilty by invictusvoyd · 2016-03-17 01:43 · Score: 2
  
  They are crackers to be precise.
2. Re:They're all guilty by Lumpy · 2016-03-17 01:46 · Score: 2
  
  No,
  not all of them are white. Dont assume race man!
  
  --
  Do not look at laser with remaining good eye.
3. Re:They're all guilty by Austerity+Empowers · 2016-03-17 01:55 · Score: 2
  
  #saltinelivesmatter
VM escapes by swb · 2016-03-17 01:39 · Score: 2

I keep waiting for someone to find a vulnerability in VMware that lets a VM keep running without appearing in inventory. Bonus points if it can vMotion itself and have access to the management side to manipulate networks.
1. Re:VM escapes by NatasRevol · 2016-03-17 01:44 · Score: 1
  
  It's not a vulnerability, but you can hide it completely from displayed inventory (vCenter) by taking away access from vpxuser. Or from root on a standalone ESXi instance.
  
  --
  There are two types of people in the world: Those who crave closure
2. Re:VM escapes by castionsosa · 2016-03-17 02:03 · Score: 1
  
  I can see a VM playing games with hitting the vCPU hard so DRS rules kick off and bounce the VM around to different physical ESXi boxes, and then using timing techniques, check to see which ESXi box it is sitting on, in order to move to a particular node in a vSphere cluster.
  If a VM can get access to the management interface [1], that would be a game over. From there, it would be a matter of brute forcing users (although 6.0 will lock the account for 120 seconds after ten bad guesses) to get access to critical stuff.
  [1]: Other than being explicitly configured to have access, via SR-IOV or a vSwitch.
3. Re:VM escapes by castionsosa · 2016-03-17 02:48 · Score: 1
  
  Two different points. If one has a clue, it isn't hard to ensure that a VM doesn't have access to the management network. However, if there is a weakness in the hypervisor, a rogue/compromised VM getting access to that isn't a good thing.
  However, being able to use DRS so a VM physically runs on a box (perhaps to use a hardware security hole with the physical CPU like RAM row hammering) is one attack vector that can come into play. It is relatively minor, but it is present.
4. Re:VM escapes by Bert64 · 2016-03-17 04:29 · Score: 1
  
  If you can cause the account to be locked for 2 minutes by making 10 attempts, then you could rapidly make intentionally bogus login attempts and render all accounts inaccessible, which would be somewhat painful to fix.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Wrong subsequent links by kav2k · 2016-03-17 01:46 · Score: 4, Informative

All three links lead to the same article, which seems to be a copy&paste oversight.
I believe the second link was meant to be http://www.securityweek.com/ha... and the third http://www.securityweek.com/re...
1. Re:Wrong subsequent links by AmiMoJo · 2016-03-17 02:15 · Score: 1
  
  I seem to recall this year Firefox is not being included in the competition, because it's too easy. Can someone confirm?
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
2. Re:Wrong subsequent links by Khyber · 2016-03-17 03:09 · Score: 1
  
  Too easy. In fact, just getting my game running under Firefox exposed at least half a dozen vulnerabilities in the way they handle WebGL and Canvas2D.
  Chrome isn't MUCH better, but at least it can handle WebGL failures gracefully.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
3. Re:Wrong subsequent links by RebelWebmaster · 2016-03-17 03:56 · Score: 1
  
  Hopefully you filed bugs for the issues you encountered? https://bugzilla.mozilla.org/e...
4. Re:Wrong subsequent links by thegarbz · 2016-03-17 04:30 · Score: 1
  
  I hope he didn't. The only response you'll get is WebGL removed from Firefox because it's "what users wanted".
5. Re:Wrong subsequent links by Khyber · 2016-03-18 16:30 · Score: 1
  
  As if Mozilla even truly has the resources to fix half of the shit they're tossing into their browser in the name of 'competing and being cutting-edge.'
  Bitch too much about it, they'd remove it entirely.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Pwn2Own is too narrow in the scope by sinij · 2016-03-17 01:52 · Score: 1

Pwn2Own is too narrow in the scope. Discovering and disclosing vulnerabilities in browsers is certainly a useful public service, but this isn't anywhere near the most harmful. Where are attacks against web servers, databases, cryptographic protocols, SCADA and so on?
1. Re:Pwn2Own is too narrow in the scope by Khyber · 2016-03-17 03:10 · Score: 1
  
  The browser is one of the most common vectors to compromise a system. Why would you NOT attack it when it's proven to be horrendously weak?
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
2. Re:Pwn2Own is too narrow in the scope by Bert64 · 2016-03-17 04:33 · Score: 3, Insightful
  
  Because browsers have a very large, very public attack surface and come from the desktop mentality where security wasn't even considered until recently...
  Databases etc *should* have limited exposure to untrusted networks, and thus less attack surface - you typically interact with a frontend application rather than directly with the database for instance.
  Webservers are obviously inherently public, but security on web servers has been a serious concern for a long time plus the typical web server is far less complex than a browser. Most web based vulnerabilities these days exist in individual applications rather than the web server software itself.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Flash? by Drathos · 2016-03-17 01:59 · Score: 5, Funny

I hope the prize for hacking Flash was like 5 bucks..
Talk about low hanging fruit...

--
End of line..
1. Re:Flash? by Anonymous Coward · 2016-03-17 07:17 · Score: 1
  
  I'm still in shock that they accepted Flash exploits this year, but not Firefox ones. That's like being upset about the Titanic when there are aliens hovering over every major landmark with their death-canons trained on them.
How exciting! by MachineShedFred · 2016-03-17 02:09 · Score: 1

Since when is cracking Flash considered to be some feat of hacking genius? I'd be more interested if someone could make Flash secure without disabling and deleting it completely.

--
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
1. Re: How exciting! by Khyber · 2016-03-17 03:11 · Score: 1
  
  Edge attacks itself. Try to get my game running on it, it horks and dies.
  Can't hack something that's dead on arrival.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
2. Re: How exciting! by Gadget_Guy · 2016-03-17 03:58 · Score: 2
  
  That's because no one uses it. Notice something about the targets? They all have enormous install bases.
  Sigh. This is one of the excuses that people make when their preferred browser gets hacked first (especially if a Microsoft one wasn't hacked). The order in which targets and teams are scheduled by random draws.
  The targets today included Adobe Flash on Microsoft Edge. That attack failed. Tomorrow, two other teams are scheduled to take on MS Edge, so may be they will have more success.
Re:Very happy... by castionsosa · 2016-03-17 02:42 · Score: 4, Informative

Virtualization is one of the biggest defensive tools we have against compromise. From being able to roll back or discard/spin up a VM if it is compromised to popping snapshots of disk and memory and scanning those for running malware, or just to keep bad stuff from trying to flash firmware to a real device like a bare metal hard disk, virtualization is a must.
My concern is that it isn't just the ESXi hypervisor that keeps the bad guys out. There are four main hypervisors out there that need to be looked at: ESXi, Hyper-V, Linux KVM, and Xen, with Xen giving way to KVM. There are also containers like LXC and Docker that are important as well. I can see KVM being more of an issue over time as OpenStack goes from "cool toy" to production quality.
The good thing is that hypervisors in general have a limited attack surface, run relatively few applications, and tend to have a better focus on security than general operating systems.
Re: Very happy... by WarJolt · 2016-03-17 19:54 · Score: 1

The most likely exploit on a Hypervisor is with a Paravirtualized driver.
I used to crash VirtualBox trying to run an opengl on a Ubuntu guest. If I recall correctly it was crashing because VB didn't support some shared Opengl context thing. If it's running with graphics it shouldn't take long to exploit.