Slashdot Mirror


Edge, VMware, Safari, And Ubuntu Linux Hacked at Pwn2Own 2017 (trendmicro.com)

The 10th annual Pwn2Own hacking competition ended Friday in Vancouver. Some of the highlights:
  • Ars Technica reports one team "compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in... by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware."
  • Digital Trends reports "Samuel Grob and Niklas Baumstark used a number of logic bugs to exploit the Safari browser and eventually take root control of the MacOS on a MacBook Pro, [and] impressed onlookers even more by adding a custom message to the Touch Bar which read: 'pwned by niklasb and saelo.'"
  • Ubuntu 16.10 Linux was also successfully attacked by exploiting a flaw in the Linux 4.8 kernel, "triggered by a researcher who only had basic user access but was able to elevate privileges with the vulnerability to become the root administrative account user..." reports eWeek. "Chaitin Security Research Lab didn't stop after successfully exploiting Ubuntu. It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS."
  • Another attacker "leveraged two separate use-after-free bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel."

None of the attendees registered to attempt an attack on the Apache Web Server on Ubuntu 16.10 Linux, according to eWeek, but the contest's blog reports that "We saw a record 51 bugs come through the program. We paid contestants $833,000 USD in addition to the dozen laptops we handed out to winners. And, we awarded a total of 196 Master of Pwn points."



  1. Re:Have fun with those Pwn points! by ColaMan · · Score: 4, Informative

    That's the whole point of the competition.

    The cash prize + internet fame is designed to be enough of an incentive for you to give out the details instead of selling it on the black market.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  2. Re:Have fun with those Pwn points! by tgv · · Score: 5, Insightful

    Not everybody is a greedy bastard.

  3. Do security researchers trust those laptops? by Foresto · · Score: 4, Insightful

    "...the dozen laptops we handed out to winners."

    I wonder whether the security researchers who were given those laptops would ever consider trusting those laptops.

    I suppose they would be useful as test hardware regardless.

    1. Re:Do security researchers trust those laptops? by drinkypoo · · Score: 2

      I wonder whether the security researchers who were given those laptops would ever consider trusting those laptops.

      If they're not compatible with coreboot, then I would sell it immediately.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re: Do security researchers trust those laptops? by UnknowingFool · · Score: 2

      Well, no system is perfect, and I think you are assuming those systems are never patched ever. From what I know about the contest, the software version is frozen for the contestants so it is not a moving target. In some cases the exploit might already be fixed in the most current version.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  4. Chain of 6 Exploits by mentil · · Score: 5, Interesting

    It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS.

    I have a feeling as security gets more sophisticated, these chains will get longer. Eventually, the chain will get too long for a human cracker to think up themselves, and software will be needed which classifies and chains together vulnerabilities to achieve a desired effect. Then it's a short auto-bug-finder away from allowing a self-sustaining botnet that adapts to security upgrades, and could become permanently out of control if the C&C is taken down/abandoned.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  5. Breaking out of VMware by rene2 · · Score: 5, Interesting

    is the most impressive. Heads up for that achievement!

    1. Re:Breaking out of VMware by swb · · Score: 2

      But only workstation.

      It'd be impressive if someone could break out of an ESXi hypervisor and then compromise vCenter. Maybe have some kind of command/control daemon on vCenter allowing implanting VMs.

  6. The Edge of Karma by EditDistance · · Score: 5, Funny

    Only yesterday, Microsoft was shoving advertisements for Edge in my face and proudly proclaiming it was the most secure browser... These claims look ridiculous this morning. Looks like an epic hack, seriously cool.

  7. Great! by Gravis+Zero · · Score: 3

    I love that people are exposing exploits in Linux (new or old versions) because it means we all get fixes and a little more safety from the bad guys. :)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: Great! by valdezjuan · · Score: 2

      Most of the vendors are the ones putting up the cash, they are certainly paying attention.

  8. Re:use-after-free bugs in Microsoft Edge by behrooz0az · · Score: 4, Informative

    In a single AppDomain with one single thread and no lazy references, sure. If you write anything complex it can go straight to hell if you don't know exactly what you're doing.
    This includes every little messy detail on the multi-threaded multi-domain marking garbage collector with 3 lists and 5 heaps that traverses stacks of all threads on each collect, type inheritance with type casting direction, native calls with auto marshaling between managed and native types, AppDomains that should read each other's memory but not write it, etc.
    Source: C# developer since 2k3

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  9. Re:Have fun with those Pwn points! by Gavagai80 · · Score: 2

    Being rich doesn't make anyone greedy. Being greedy makes them rich.

    --
    This space intentionally left blank
  10. Re:Have fun with those Pwn points! by lucm · · Score: 4, Funny

    Being greedy makes them rich.

    You clearly never met my mother-in-law.

    --
    lucm, indeed.
  11. Re: Have fun with those Pwn points! by drinkypoo · · Score: 2

    It's not fact. Unless you have studied, psychologically profiled; including various other tests, every single person that kept getting richer and richer, to see if they became more greedy, then, it's not fact.

    If you're rich and getting richer while others are poor and keep getting poorer then you're greedy, and that's a fact, jack. Because all you have to do to not be greedy is share, and if you do that, you'll stop getting richer.

    Greed is clearly a powerful motivator, but it can equally clearly be taken too far.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Re: Have fun with those Pwn points! by valdezjuan · · Score: 3, Insightful

    That's not 100% true. Look at Gates and Buffett, they are getting richer but they are donating billions to charities and research, they are also not alone in doing that.