Edge, VMWare, Safari, And Ubuntu Linux Hacked at Pwn2Own 2017

The 10th annual Pwn2Own hacking competition ended Friday in Vancouver. Some of the highlights:

• Ars Technica reports one team "compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in... by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware."
• Digital Trends reports "Samuel Grob and Niklas Baumstark used a number of logic bugs to exploit the Safari browser and eventually take root control of the MacOS on a MacBook Pro, [and] impressed onlookers even more by adding a custom message to the Touch Bar which read: "pwned by niklasb and saelo."
• Ubuntu 16.10 Linux was also successfully attacked by exploiting a flaw in the Linux 4.8 kernel, "triggered by a researcher who only had basic user access but was able to elevate privileges with the vulnerability to become the root administrative account user..." reports eWeek. "Chaitin Security Research Lab didn't stop after successfully exploiting Ubuntu. It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS."
• Another attacker "leveraged two separate use-after-free bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel."

None of the attendees registered to attempt an attack on the Apache Web Server on Ubuntu 16.10 Linux, according to eWeek, but the contest's blog reports that "We saw a record 51 bugs come through the program. We paid contestants $833,000 USD in addition to the dozen laptops we handed out to winners. And, we awarded a total of 196 Master of Pwn points."

Have fun with those Pwn points!

Why not display the hacks to the world (without how you did them) and let the open economy bid on the solution? Gotta be worth more than these dumb prizes.

Re:Have fun with those Pwn points!

[ColaMan]

That's the whole point of the competition.

The cash prize + internet fame is designed to be enough of an incentive for you to give out the details instead of selling it on the black market.

Re:Have fun with those Pwn points!

[tgv]

Not everybody is a greedy bastard.

Re:Have fun with those Pwn points!

[rtb61]

Nope, just all the arseholes at the top, ohh yeah. The richer you are the greedier you are and that's a fact.

Re:Have fun with those Pwn points!

Why does it have to be the black market?

Shit if somebody finds a zero day, is no one willing to pay him to reveal it? It's better for everyone.

Re: Have fun with those Pwn points!

It's not fact. Unless you have studied, psychologically profiled; including various other tests, every single person that kept getting richer and richer, to see if they became more greedy, then, it's not fact.

I bet you're just greedily thinking about yourself. Your jealousy towards those who are capable and at that hackathon, earning with their skill, has turned you Trol...l

Re:Have fun with those Pwn points!

[Gavagai80]

Being rich doesn't make anyone greedy. Being greedy makes them rich.

Re:Have fun with those Pwn points!

[lucm]

Being greedy makes them rich.

You clearly never met my mother-in-law.

Re: Have fun with those Pwn points!

[drinkypoo]

It's not fact. Unless you have studied, psychologically profiled; including various other tests, every single person that kept getting richer and richer, to see if they became more greedy, then, it's not fact.

If you're rich and getting richer while others are poor and keep getting poorer then you're greedy, and that's a fact, jack. Because all you have to do to not be greedy is share, and if you do that, you'll stop getting richer.

Greed is clearly a powerful motivator, but it can equally clearly be taken too far.

Re: Have fun with those Pwn points!

[valdezjuan]

That's not 100% true. Look at Gates and Buffet, they are getting richer but they are donating billions to charities and research, they are also not alone in doing that.

Re:Have fun with those Pwn points!

[mysidia]

instead of selling it on the black market.

Assuming that if you come up with this exploit the CIA won't be knocking on your door with a better offer to tell them instead, and to keep it secret forever.

Re: Have fun with those Pwn points!

[mysidia]

If you're rich and getting richer while others are poor and keep getting poorer then you're greedy, and that's a fact

NOPE. That's an opinion or unproven theory. You can also share without failing to continue getting richer, by making sure you continue to gain more than amount of what you share plus your regular expenses. What do you define greed as, And is it your opinion that greed is not a good thing ?

Re:Have fun with those Pwn points!

[mysidia]

Being rich doesn't make anyone greedy. Being greedy makes them rich.

If greed makes people rich, then how can you explain why there are not many more rich people?

I see people visiting casinos all the time, or buying a handful of Powerball tickets, talking about how they want to have $1 Million or $1 Billion, Or they think somebody else should pay for everything they want out of life.

Re: Have fun with those Pwn points!

[James_Duncan8181]

They aren't getting richer, they have committed most of their assets to ongoing projects. As such, they have become poorer in the purely personal sense.

Re:Have fun with those Pwn points!

Hacker hackers, .001%!!!!!!
Jeez, whine much?

Re: Have fun with those Pwn points!

This is the most ill conceived post that I have ever read from you.

By your logic, I should not start a business, employ dozens, then hundreds, then thousands of people because, gasp, I might become wealthy, then wealthier. The people that work for me might also become wealthier, oh my god, what have I done!

It's not a zero sum game.

Re: Have fun with those Pwn points!

If you're rich and getting richer while others are poor and keep getting poorer then you're greedy, and that's a fact, jack. Because all you have to do to not be greedy is share, and if you do that, you'll stop getting richer.

Firstly what do you define "rich" as being? At what point (specifically) am I not allowed to make any more money and have to instead give it away to not be classified as "greedy". Also perhaps you need to explain your definition of "greedy". In my case the more money I have made the more I have donated to charities because I have had more money to donate.

Also are you just talking about money or does this apply equally to things like knowledge?

Re:Have fun with those Pwn points!

[ColaMan]

Well, it's a case of:

- Do this in public, and you have to disclose your exploit to get the cash

- Demonstrate in private, somehow, get in touch with some secretive agency somehow, hope that they don't already have this exploit, hope that they simply won't steal your exploit, hope that they won't jail you for something along the lines of "attempted hacking", hope that someone else doesn't release exploit while you're doing this, eventually get cash.

- Demonstrate in private, somehow, sell in black market and hope that highest bidder isn't some secretive agency who probably has enough resources to track you down and jail you for something along the lines of "enabling hacking", and get their money back to boot.

Re:Have fun with those Pwn points!

[mysidia]

somehow, get in touch with some secretive agency somehow, hope that they don't already have this exploit, hope that they simply won't steal your exploit, hope that they won't jail you for something along the

No.... The joke was the three-letter agency will be watching you, knowing you're a security researcher, so they already know you developed the exploit; They will be paying you for exclusivity, Also they'll be needing more work out of you to weaponize it, As for the other concerns, It's not illegal to do security research or develop or possess exploit code, YET...

Re:Have fun with those Pwn points!

[syntotic]

You are supposed to sell it in a malware, antivirus, computer health, application and fill people with lots of popups and aggressive advertisement in downloads and fringe sites so people with such problems... (?) Anyway, the real solution is patching or versioning the underlying software and that is something OEM vendors are supposed to do, not just any company.

Do security researchers trust those laptops?

[Foresto]

"...the dozen laptops we handed out to winners."

I wonder whether the security researchers who were given those laptops would ever consider trusting those laptops.

I suppose they would be useful as test hardware regardless.

Re:Do security researchers trust those laptops?

[drinkypoo]

I wonder whether the security researchers who were given those laptops would ever consider trusting those laptops.

If they're not compatible with coreboot, then I would sell it immediately.

Re:Do security researchers trust those laptops?

[drinkypoo]

shut up you fucking troll.

Not that I expect a response, but is this really your only hobby? I mean, take up origami or something. It's cheap.

Re:Do security researchers trust those laptops?

A couple things... this is the first time I've posted this comment. So, it seems that there are others with the same thought.

" is this really your only hobby? I mean, take up origami or something. It's cheap."

You should take your own advice.. every fucking story I ready, there you are with a handful of other kiwifruits that have to post, adding hardly anything to the conversation. Pathetic really.

Re:Do security researchers trust those laptops?

[drinkypoo]

You should take your own advice.. every fucking story I ready, there you are with a handful of other kiwifruits that have to post,

And it makes you angry that people are posting comments to a discussion forum?

Re: Do security researchers trust those laptops?

(Different AC) Original AC probably a) has mental health issues and b) took offense to some previous comment/s of yours, so is probably now stalking you on /.

Re: Do security researchers trust those laptops?

talking to yourself now?

Re: Do security researchers trust those laptops?

[UnknowingFool]

Well no system is perfect and I think you as assuming those systems are never patched ever. From what I know about the contest, the software version is frozen for the contestants so it is not a moving target. In some cases the exploit might already be fixed in the most current version.

Re: Do security researchers trust those laptops?

see (a) above

Re:Do security researchers trust those laptops?

different AC. looks like you have an admirer.

Re:Do security researchers trust those laptops?

[drinkypoo]

different AC. looks like you have an admirer.

Having an opinion leads to being trolled. Having lots of opinions leads to lots of being trolled. I just don't understand the people who think that doing a lot of posting to Slashdot is some kind of hardship. I've been chatting since before I had internet access, on BBSes. In the eighties. Typing is as easy as breathing.

Re:Do security researchers trust those laptops?

[syntotic]

But, new or stolen laptops? It is not the same... I am waiting for policemen to recover the ELEVEN laptops that have been stolen from me in the prime of their system life, (oh, one mummy, one baby and two in their second infancy). I wonder if any of these guys had anything to do with it...? Fluorescence? I do have some trouble from time to time with screen brightness as of lately.

Chain of 6 Exploits

[mentil]

It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS.

I have a feeling as security gets more sophisticated, these chains will get longer. Eventually, the chain will get too long for a human cracker to think up themselves, and software will be needed which classifies and chains together vulnerabilities to achieve a desired effect. Then it's a short auto-bug-finder away from allowing a self-sustaining botnet that adapts to security upgrades, and could become permanently out of control if the C&C is taken down/abandoned.

Re:Chain of 6 Exploits

[platinummyr]

What if the automatic bug finder finds a crack in the C&C and compromises it to add it to the bot-net?

Re:Chain of 6 Exploits

What you've described already exists. -PCP

Re:Chain of 6 Exploits

[BeerCat]

it's a short auto-bug-finder away from allowing a self-sustaining botnet that adapts to security upgrades, and could become permanently out of control if the C&C is taken down/abandoned.

I think you've just described a real world version of Skynet

The Terminator: Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, they try to pull the plug.
Sarah Connor: Skynet fights back.

Re:Chain of 6 Exploits

[Place+a+name+here]

If someone invents an auto-bug-finder, won't every software company run it on their software before releasing it, knowing that if they don't, the malware creators will?

Re: Chain of 6 Exploits

There's no universal requirement to have a test department for a company, let alone an open source project, so only a subset would be tested in this way. Today bug finding tools exist, and some are even free, but are not used universally.

And then there is legacy code...

Re: Chain of 6 Exploits

[valdezjuan]

People have been claiming this since before I got into the industry. In some far, far distant future when a protocol or OS has been written by aliens or AIs, maybe it will be too complicated but that's a long ways off. Some of these people are getting paid to find these types of issues and others just have the mind set and can think abstractly enough to be able to apply it. The human brain is incredibly good at connecting seemingly random things and then working towards applying them together. Not to mention, these systems/protocols are designed by humans which means they are going to be flawed.

Re:Chain of 6 Exploits

I'm betting that a general purpose automatic bug finder is an NP hard problem, not to mention the difficulty of fully specifying what the program it's testing is supposed to do or not do. There is still much to be gained in improved practices and standards for programming and testing, which is tackling the problem on the human end.

Re:Chain of 6 Exploits

I work as a Ph.D. student at a major university, researching computer security. There is a guy in my lab that is doing exactly this. There is already a fully developed proof of concept, and he is writing the paper as I type this.

Re: Chain of 6 Exploits

[p91paul]

I'd bet more on this problem to be undecidable...However, a program able to find and use more bugs than most humans (weakening the "discover *all* bugs" requirement) might be feasible instead. I believe it's still very far away anyway.

Re:Chain of 6 Exploits

[michael_wojcik]

If someone invents an auto-bug-finder, won't every software company run it on their software before releasing it, knowing that if they don't, the malware creators will?

History suggests not. We have hundreds or thousands of static-analysis and dynamic-analysis tools, ranging from simple linters to hybrid-symbolic-and-instrumented-execution ones. Many are free, and commercial ones typically include convenient UIs, training, and ample support. Yet many companies still release software that doesn't even compile warning-free, much less run analysis tools against their source or binaries.

In fact, there are a number of published tools which do most of the work of chaining vulnerabilities into exploits. Leaks suggest that malware creators, whatever their resources and motivation (i.e. everything from the lone enthusiast to state actors), still do a lot of the work by hand. But I'm sure many of them are playing with automation, if they aren't using it "in production" already.

Indeed, we have excellent evidence of automated "hacking" as far back as 1999, from the experiences of The Internet Auditing Project. See http://www.viacorp.com/auditing.html; if you're impatient, search for "custom built software penetration agent". Now, that was apparently a tool which automated the process of searching for known exploits from a UNIX shell prompt, and not a code-analysis exploit builder, but it shows that, yes, when something can be automated, someone's going to automate it. It's pretty safe to assume that in the 18 years since more than one organization has looked at automatically finding vulnerabilities and assembling them into exploits, particularly since there's research in the area (because, again, if it's there, someone will research it).

Re: Chain of 6 Exploits

[syntotic]

(It is not that they are written by Humans but that we cannot test combinatorial explosions and only hope for some proven bounds to go by; this would be true of automatically written systems also unless you do have the time and not the profit incentive to go through an infinite series of chains...)

Breaking out of VMware

[rene2]

is the most impressive. Heads up for that achievements!

Re:Breaking out of VMware

[swb]

But only workstation.

It'd be impressive if someone could break out of an ESXi hypervisor and then compromise vCenter. Maybe have some kind of command/control daemon on vCenter allowing implanting VMs.

Re:Breaking out of VMware

It was VMWare Workstation though. Last year, VMWare outsourced Workstation development to China, so expect to see many more exploits in the future.

Re: Breaking out of VMware

VMWare is a name that covers a family of products. It's like saying "breaking out of Microsoft" or "exploiting an IBM." The question is which product, and the answer seems to be "VMWare workstation for Windows" which is far less impressive (or important) than if they broke out of an ESXi host.

Re:Breaking out of VMware

[Burz]

Like ESX, Xen is also a bare-metal hypervisor that is very secure (not counting QEMU, which is isolated in secure installations). Qubes OS is a desktop system based on Xen... https://www.qubes-os.org/

Re:Breaking out of VMware

[michael_wojcik]

Xen is "very secure"?

There were 15 Xen security vulnerabilities fixed this month.

Shi et al. just presented a paper on architectural security problems with Xen.

Don't get me wrong - I appreciate the Xen team's efforts at security. And other hypervisors have their own problems (though it's been a while since I've seen a report of a VM escape from PR/SM). And "secure" isn't meaningful as an absolute; it only means something in relation to a threat model. But it's still rather premature to label Xen "very secure" in general, assuming a reasonable threat model.

Re:Breaking out of VMware

[Burz]

Tha's an interesting paper... I'm sure their 'nexen' approach will lead to some good things.

Xen's vuln reporting is an umbrella for the core Xen hypervisor, plus a large codebase including QEMU functionality. Most of what gets reported as Xen vulnerabilities is QEMU or fall under minor or DOS...Some Xen project members realize this creates an inaccurate perception. However, secure Xen configurations do not utilize QEMU without isolating it in a stub domain.

So far, there have been only 3 vulns that could cause a privilege escalation in Qubes OS. And its worth remembering that for years Xen was considered unblemished by serious vulns until ITL (Qubes' "parent" company) reviewed their code. The next major release of Qubes will undertake a shift toward HVMs as the standard domain type, since PVMs are now understood to have uncertainties that may eventually lead to security issues---so, yes, Rutkowska et al are vigilant about Xen's potential weaknesses and do dry to avoid them.

use-after-free bugs in Microsoft Edge

[ilguido]

I thought that C# had automatic memory management.

Re:use-after-free bugs in Microsoft Edge

Microsoft Edge is serious software. You don't seriously believe it is written in C# do you?

Re:use-after-free bugs in Microsoft Edge

[behrooz0az]

In a single AppDomain with one single thread and no lazy references, sure. If you write anything complex it can go straight to hell if you don't know exactly what you're doing.
This includes every little messy detail on the multi-threaded multi-domain marking garbage collector with 3 lists and 5 heaps that traverses stacks of all threads on each collect, type inheritance with type casting direction, native calls with auto marshaling between managed and native types, AppDomains that should read eachothers' memory but not write it, etc.
Source: C# developer since 2k3

Re:use-after-free bugs in Microsoft Edge

2k3 hurts my brain.

Re: use-after-free bugs in Microsoft Edge

But he saved one character so you know he is 1337

Re: use-after-free bugs in Microsoft Edge

Pedar sag

Re:use-after-free bugs in Microsoft Edge

[michael_wojcik]

"Not feasible in practice" is just what people said about stack smashing, until Levy published "Smashing the Stack for Fun and Profit".

"Gee, I think this looks pretty hard, and I've written some code, bro!" is a pretty weak security analysis, and a worse mitigation.

(And, of course, there are a great many C# developers who know very little about how the CLR works, or what goes on in an AppDomain, etc. As a demonstration of authority, "C# developer since 2k3" is pretty weak too.)

Re:use-after-free bugs in Microsoft Edge

[behrooz0az]

My point was, If you're working on something like Edge you should know a lot more than a developer that smashes a couple wizard forms together and some of the Edge guys probably did not, Just listed some of the usual things that go wrong to show how deep you have to think sometimes.
Has nothing to do with me being good or bad or bragging about it. I don't even own a single device with any microsoft products on it, so I don't really care.

Re:use-after-free bugs in Microsoft Edge

[michael_wojcik]

You know, I think I completely misread your previous post. My apologies.

The Edge of Karma

[EditDistance]

Only yesterday, Microsoft was shoving advertisements for Edge in my face and proudly proclaiming it was the most secure browser... This claims look ridiculous this morning. Looks like an epic hack, seriously cool.

Re:The Edge of Karma

[twistedcubic]

Now that the bugs are discovered and will be patched, it will be the most secure browser.

Re:The Edge of Karma

[michael_wojcik]

I never use Edge, so it's the most secure browser for me!

Well, tied with Opera, Safari, Konqueror, Vivaldi, Sea Monkey, Mosaic,[1] HotJava, ...

Of course, "most secure browser" is far too vague to mean anything. There's no threat model specified, and web browsers now do so many things that their "security" is extremely nebulous. The claim is just puffery, like "Microsoft cigarettes are the smoothest!".

[1] I used to use Mosaic, back in 1993, but I've given it up since.

Great!

[Gravis+Zero]

I love that people are exposing exploits in Linux (new or old versions) because it means we all get fixes and a little more safety from the bad guys. :)

Re:Great!

[Carewolf]

I love that people are exposing exploits in Linux (new or old versions) because it means we all get fixes and a little more safety from the bad guys. :)

Well, these are white hats, so not really bad guys. I do hope however they have some way of reporting these bugs upstream before revealing them.

Re: Great!

[Zero__Kelvin]

GZ never stated or implied that THESE guys were the bad guys. You seem to have had a momentary reading comprehension lapse.

Re: Great!

There is no comment threat on Slashdot where you aren't a raging asshole. I'd tell you to go fuck yourself, but I have a feeling you've been doing that for a long time.

Re:Great!

Not sure why you're excited because security isn't the priority people make it out to be. Even Linus thinks security researchers are weird. This failure in attitude will spread like cancer and you can expect some epic exploits going forward. Microsoft knows all about that.

Re: Great!

[valdezjuan]

Most of the vendors are the ones putting up the cash, they are certainly paying attention.

Predictable outcomes

Edge biggest problem isn't being hacked, its that nobody uses it anyway. Edge is improved over Internet Explorer but in some ways it still has the problems of Internet Explorer. That being tied into Windows and carrying over IE code that obviously has problems even today. Safari is basically another IE only for Mac. Apple has pretty much ignored Safari on Mac OS lately. I'll be interested to see how Chrome OS holds up or Mac OS. Windows 10 I expect will fall pretty easily too.

Re:A Request

[lucm]

These vulnerabilities are insignificant and will be fixed, so let's talk about the far more important and pressing issues of race and race relations.

You mean like diversity hiring initiatives in Silicon Valley?

pwn2own?

Did somebody not tell these kiddies that pwn is a deliberate misspelling of 'own', that still means 'own'? So... own to own? dee dee dee.

Re:pwn2own?

maybe pwn in that context is to hack or to crack in order to own those free goodies and prizes.

Surprise!

"We used a JavaScript engine bug within..."

I'd love to see Ubuntu vs. OpenSUSE

Ever since Canonical partnered with Micro$oft, I've stopped using Ubuntu and tried other distros, my favorite so far being OpenSUSE. I built a custom distro with SuseStudio back before they eliminated 13.2 support and I even got my 32-bit distro to use PAE kernel 4.10 and has been doing so for quite some time now, so cracking 4.8? Is that what Ubuntu 16.04 LTS comes with? Runs a crap load faster on my 9 year old laptop too.

Re: I'd love to see Ubuntu vs. OpenSUSE

Never mind. It was 16.10, but still should of tried 4.10 for the kernel version.

Re:A Request

Nothing to discuss. We have national and historical averages telling us We are much better and it is them who want to be HERE, so the best solution is to let them extinguish in peace, EIP, so we can continue making this planet more Human like. Ditto.