VANCOUVER – It’s become a familiar walk for Chaouki Bekrar. Year after year at the Pwn2Own contest, the controversial Vupen founder is scurried from a small room in the basement of the Sheraton hotel to a suite several floors above. It’s a short journey from where a string of zero-day exploits is executed to where formal disclosure is made to the vendor in question. It’s also where payment is arranged, and on this day, exclusivity is promised to HP’s Zero Day Initiative.
Bekrar made this trek four times on Wednesday, earning close to $400,000 in the process and cementing his place as perhaps one of the most divisive people in security. Vupen, a French company, is well known as an exploit vendor, and its magnetic figurehead stands by his well-worn mantra that the zero-days they develop are exclusively for customers, a list that includes a number of NATO governments. Vupen, Bekrar said, will not sell zero-days to repressive regimes.
“I believe our industry is now normal business,” Bekrar said. “Now a lot of companies, most in the U.S., are doing the same research as Vupen and selling to government customers. It’s become common and nothing surprising.
“Not one of our exploits has ever been discovered in the wild,” Bekrar added. “All of our customers use exploits in a targeted way for specific national security missions.”
Vupen, like other research outfits, used to disclose zero-day vulnerabilities to vendors, but that changed in 2010 because most vendors were reticent to support bug bounty programs or compensate bug hunters.
“We were trying to convince vendors to put bounties in place and no one accepted this,” Bekrar said. “We moved to another model which is a paid subscription model; the aim for us is the same, protect our customers.”
Now, Google, Facebook, Yahoo and many other technology companies have instituted some sort of bug bounty program. Microsoft’s take on bounties—paying for mitigation bypasses—was admittedly a shot across the bow of exploit vendors such as Vupen and a reaction to a growing trend of researchers no longer disclosing directly to Microsoft but instead going through a broker.
“I’ve been working on this for a while and this is the first time the research told us that the majority of people were going through brokers,” said Microsoft senior security strategist Katie Moussouris in June when the program launched. “If we can find these holes as early as possible, we can protect against whole classes of attack. We don’t want to wait for a third party.”
Microsoft has paid out a pair of $100,000 bounties for bypasses of its ASLR and DEP mitigations in Windows. A similar program for Internet Explorer vulnerabilities—with smaller payouts—was also launched but only for a month.
“They have a bounty for techniques, however the number of techniques is limited,” Bekrar said. “So the scope of the bounty is pretty small.”
Bekrar and his team of Vupen researchers did earn a $100,000 payout today for the IE 11 zero-day. He said the Vupen exploit took down a use-after-free vulnerability combined with an “object confusion” to bypass the IE sandbox.
“It’s definitely getting harder to exploit browsers, especially on Windows 8.1,” Bekrar said. “Exploitation is harder and finding zero-days in browsers is harder.”
Vupen also successfully exploited Firefox, using another use-after-free bug to bypass ASLR and DEP memory protections in Windows.
“The Firefox zero-day we used today we found it through fuzzing, but it required 60 million test cases. That’s a big number,” Bekrar said. “That proves Firefox has done a great job fixing flaws; the same for Chrome. Chrome has the strongest sandbox, so that’s even more difficult to create exploits for.”
Vupen has a Chrome zero-day it plans to exploit tomorrow, possibly for another $100,000. It is also registered for a try at Safari, but the Keen Team is first on the docket against Safari, and depending on what happens there, Bekrar said Vupen may not try its Safari zero-day. Vupen also withdrew a planned Java exploit that required a click-to-play bypass and would have earned a $30,000 prize.
Vupen also successfully exploited Adobe Reader and Flash running in Internet Explorer 11 on a patched 64-bit Windows 8.1 machine. Each of the Adobe vulnerabilities and exploits was worth $75,000.
The Adobe Reader exploit was the first of this year’s Pwn2Own. Vupen chained together a heap overflow exploit and a native PDF sandbox escape to beat Reader XI. The Flash exploit, meanwhile, required three zero-days, Bekrar said: a use-after-free, a JIT spray and a sandbox escape.
“The first motivation for coming to Pwn2Own is the challenge to show that even the most secure browsers and products can still be compromised,” Bekrar said, adding that all of the exploits used at Pwn2Own were developed for the contest and were not shared with customers beforehand.
Mozilla had a busy day with three zero-days disclosed against Firefox. Beyond Vupen, Mariusz Mlynski, a Polish researcher who has been credited with reporting dozens of Firefox bugs, and Juri Aedla, a frequent Chrome bug-finder, won $50,000 each for toppling the Mozilla browser.