VANCOUVER – One is the bug hunter, the other the exploit specialist.
Fang Jiahong and Liang Chen represented the Keen Team at Pwn2Own on Thursday, starting off the second day of the annual exploit festival with a quick takedown of Apple’s Safari browser. They then wrapped up the contest with a successful zero-day exploit of Adobe Flash, the second time the Adobe product was toppled.
For 2½ years, this emerging team of eight vulnerability researchers and exploit developers from China has nudged its way into the fray that is bug hunting and exploitation. Today’s Pwn2Own Safari win netted the Keen Team a $40,000 prize; the Flash bug $75,000. They said they will donate a portion of their winnings to charities representing the families of the missing Malaysian Airlines flight MH370.
Last November, the Keen Team won the Mobile Pwn2Own contest in Japan, cracking iOS 7.0.3 three weeks after the update was available to users. The victory was the first for a Chinese collective since the contest began six years earlier.
Jiahong and Chen, along with the remaining members of Keen Team, have known each other for the better part of a decade, beginning their careers working for Microsoft after graduating from Jiao Tong University in Shanghai with degrees in information security.
Jiahong’s passion, he said, is digging for vulnerabilities, not only in Apple’s various platforms, but also for Microsoft products and mobile platforms. Android is his current area of focus.
“Liang is good at exploiting issues in different systems, advanced exploitations,” Jiahong said. “We have several people working on vulnerability digging, new ways of finding vulnerabilities and researching into other areas of infosec like Web security and mobile. We have a team of people focusing on vulnerability studies including exploitation.”
For their Pwn2Own Safari bug, Chen said Keen Team exploited two vulnerabilities: a heap overflow in the Safari Webkit that gave them arbitrary code execution. That wasn’t enough to pwn the underlying Mavericks version of OS X. Chen said he had to chain together two vulnerabilities to successfully exploit the system.
“We utilized another system vulnerability to bypass the sandbox to get a process running in the user’s context,” he said. The bugs were disclosed to HP’s Zero Day Initiative, which sponsored Pwn2Own and bought all of the vulnerabilities exploited during the contest. Apple was present as well for the disclosure.
“I think the Webkit fix will be relatively easy,” Chen said. “The system-level vulnerability is related to how they designed the application; it may be more difficult for them.”
Chen said the big challenge was bypassing the Safari sandbox because the exposed attack surface is so small compared to Internet Explorer, for example.
“For Apple, the OS is regarded as very safe and has a very good security architecture,” Chen said. “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”
Jiahong can now focus on finding bugs in mobile operating systems, Android in particular. Android’s fragmentation—multiple vendors and hardware carriers each with their own flavor of Android and update policies—requires deeper study of the OS compared to iOS. Researchers, he said, focus only on the latest version of iOS because most users are on the latest rev.
“Google has been very good about security, but vendors write their own code or hardware vendors write their own kernel modules and drivers,” Jiahong said. “Your (research) methodology may not apply to every system.”