Apple Safari and Adobe Flash have proved to be Pwn2Own 2016’s biggest punching bags so far—hackers took down both, earning $282,500 in prizes at the first day of the annual hacking challenge in Vancouver on Wednesday.
There were four successful attempts, one partial, and one failed attempt at the competition, which is held in tandem with the CanSecWest security conference and hosted jointly this year by Hewlett Packard Enterprise, Trend Micro, and the Zero Day Initiative.
JungHoon Lee, working as lokihardt, started off the day by taking down Safari. Lee, who was a newcomer to the competition last year, managed to chain together four different bugs, including a use-after-free vulnerability and a heap overflow bug to break the browser and escalate his privileges, earning him $60,000. Last year Lee set a record on the competition’s second day when he earned $110,000 in just two minutes and broke both stable and beta versions of Google Chrome.
#Pwn2Own 2016: Code execution inc/ root priv escalation. 10 points and US$60K for JungHoon Lee (lokihardt).
— Zero Day Initiative (@thezdi) March 16, 2016
Tencent Security Team Shield, a combination of Pwn2Own stalwarts KeenLab and PC Manager, took down Safari again later Wednesday afternoon by leveraging a use after free vulnerability in a privileged process, giving them root-level escalation.
Safari remote root No.1 done. Congratulations @chenliang0817 @fuyubin1993 @marcograss @flanker_hqd @team509
— KEENLAB (@keen_lab) March 16, 2016
The biggest coup of day one came when hackers working with 360Vulcan Team took down Flash, earning them the biggest single payout of the day, $80,000. The group leveraged a type confusion bug in the platform, combined with a Windows kernel bug, to escalate from user mode to SYSTEM.
#Pwn2own 2016: Attempt #2 Success! 360Vulcan Team: Flash type confusion bug with system priv escalation 13 Points $US80,000 #CanSecWest
— Zero Day Initiative (@thezdi) March 16, 2016
Flash continued to be the target of choice the rest of the afternoon. Tencent Security Team Sniper earned $50,000 by exploiting an out-of-bounds bug in Flash, then an infoleak in Windows kernel. After tying them together the group used the bugs to exploit a use-after-free vulnerability to achieve SYSTEM-level code execution.
Hackers working with Tencent Xuanwu Lab attempted to break Flash by including SYSTEM-level elevation but couldn’t carry the exploit out in the allotted 15 minute time frame.
Hackers with 360Vulcan Team, fresh from breaking Flash earlier in the afternoon, partially broke Google’s Chrome browser on Tuesday. The group used an out-of-bounds access bug that Google was aware of, along with three use-after-free vulnerabilities, but ran into a bug collision. While the attempt resulted in what Pwn2Own officials called a “partial win” they still earned $52,500, bringing their one-day total to $132,500.
This is the first year that entrants have been given the option to exploit VMware’s Workstation, which is running on the Windows machines at Pwn2Own. By escaping the virtual machine, competitors can earn $75,000, but no one targeted it Wednesday, and it’s not slated as a target for any teams for Thursday.
#Safari, #Flash Fall at #Pwn2Own 2016 Day One
Tweet
The groups will give it another go today, the competition’s second day, and get another shot at breaking Safari, Chrome, Flash, along with Microsoft’s Edge browser, which was left out of Wednesday’s attempts.
