Two researchers on Thursday took down the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, as Pwn2Own, the annual hacking contest that runs in tandem with CanSecWest, wound down in Vancouver.
The story of the day was Korean researcher Jung Hoon Lee, who worked alone under the name lokihardt and earned the single highest payout for an exploit in the competition’s history, a staggering $110,000 in just two minutes.
Using more than 2000 lines of code, Lee was able to take down both stable and beta versions of Chrome by exploiting a buffer overflow race condition in the browser. He then used an info leak and race condition in two Windows kernel drivers to secure SYSTEM access. The standalone Chrome bug fetched Lee $75,000 while the privilege escalation bug scored him another $25,000. To finish it off Google’s Project Zero, as it usually does when Chrome is hacked at the event, paid Lee an extra $10,000.
After the competition, Lee, who went on to own two other browsers yesterday, told HP Security Research’s Dustin Childs that the Chrome exploit was the toughest to pull off. He told Childs via a translator that not only was it his first time writing Native Client code, it was also his first time dealing with a kernel exploit.
Earlier in the day, Lee earned $65,000 for popping a 64-bit version of IE 11 with a time-of-check to time-of-use (TOCTOU) vulnerability. This class of vulnerability is exploited in the window between the time a file property is checked and the time the file is used, and usually leads to privilege escalation. In this case the attack gave him read/write privileges in the browser, while a second attack he used, a sandbox escape via JavaScript injection, helped him evade the browser’s defensive mechanisms.
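The check-then-use window described above, shown on a file-system path rather than inside a browser, as an added example that is not part of the original article or of any Pwn2Own entry. The function names, the simulated attacker hook and the temporary files are constructed for the illustration; the hook stands in for the other thread or process that wins the race in a real attack. The vulnerable opener checks a policy on the path name and then looks the name up a second time; the hardened opener opens first and checks the object it actually got, so the check and the use refer to the same inode.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook invoked between the "check" and the "use" step; it stands in for the
 * other thread or process that wins the race in a real TOCTOU attack. */
typedef void (*race_hook_t)(const char *path);

/* Vulnerable pattern: the policy ("only plain files, never symlinks") is checked
 * on the path name, then the path name is looked up a second time by open().
 * Anything that changes the path between the two lookups is never re-checked. */
int open_plain_file_vulnerable(const char *path, race_hook_t hook) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                      /* time of check */
    if (hook) hook(path);               /* the race window */
    return open(path, O_RDONLY);        /* time of use: a fresh lookup */
}

/* Hardened pattern: open first, then check the object actually opened. O_NOFOLLOW
 * makes open() fail on a symlink, and fstat() inspects the descriptor, so the
 * check and the use refer to the same inode and no window exists. */
int open_plain_file_hardened(const char *path, race_hook_t hook) {
    if (hook) hook(path);               /* whatever happens here is caught below */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* --- constructed demo environment (hypothetical paths, not from the article) --- */
static char g_secret_path[4096];

/* Simulated attacker: replace the checked path with a symlink to the secret. */
static void swap_in_symlink(const char *path) {
    unlink(path);
    symlink(g_secret_path, path);
}

static int write_text(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Builds a temp dir with public.txt and secret.txt, runs the chosen opener on
 * public.txt with the attacker hook, and reports whether secret.txt was read.
 * Returns 1 if the secret leaked, 0 if not, -1 on setup failure. */
int run_toctou_demo(int hardened) {
    char dir[] = "/tmp/toctou_demo_XXXXXX";
    char pub[4096];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(pub, sizeof pub, "%s/public.txt", dir);
    snprintf(g_secret_path, sizeof g_secret_path, "%s/secret.txt", dir);
    if (write_text(pub, "public\n") != 0 || write_text(g_secret_path, "secret\n") != 0)
        return -1;

    int fd = hardened ? open_plain_file_hardened(pub, swap_in_symlink)
                      : open_plain_file_vulnerable(pub, swap_in_symlink);
    int leaked = 0;
    if (fd >= 0) {
        char buf[16] = {0};
        ssize_t n = read(fd, buf, sizeof buf - 1);
        leaked = (n > 0 && strncmp(buf, "secret", 6) == 0);
        close(fd);
    }
    unlink(pub);                        /* removes the symlink the hook planted */
    unlink(g_secret_path);
    rmdir(dir);
    return leaked;
}

int main(void) {
    printf("vulnerable opener leaked secret: %d\n", run_toctou_demo(0));  /* 1 */
    printf("hardened opener leaked secret:   %d\n", run_toctou_demo(1));  /* 0 */
    return 0;
}
```

The defensive principle generalizes beyond files: perform the security decision on the handle, descriptor or object you will actually use, never on a name or property that can be re-resolved in between. A code review looking for this bug class searches for any access()/stat()/lstat() on a path followed by an open() or rename() on the same path.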
Lee wasn’t done and went on to bolster his daily total to $225,000 later in the day by using a use-after-free vulnerability to take down Safari. Lee exploited an uninitialized stack pointer in the browser, something that bypassed its sandbox and netted him an additional $50,000.
Lee made some noise after a relatively quiet first day of Pwn2Own on Wednesday, when, working with 360Vulcan Team, he helped break IE 11 with a separate uninitialized memory vulnerability.
A researcher operating under the pseudonym ilxu1a took out Mozilla to start the day. Using an out-of-bounds read/write vulnerability he claims he found through static analysis, ilxu1a’s attack led to medium-integrity code execution in what ZDI called “sub-seconds,” earning $15,000.
Ilxu1a attempted to hack Chrome as well but couldn’t get his info leak exploit to work properly.
With Pwn2Own, a hacking competition hosted by HP’s Zero Day Initiative and Google’s Project Zero, drawing to a close, the final tally of bugs over the past two days is as follows:
- Microsoft Windows: 5 bugs
- Microsoft IE 11: 4 bugs
- Mozilla Firefox: 3 bugs
- Adobe Reader: 3 bugs
- Adobe Flash: 3 bugs
- Apple Safari: 2 bugs
- Google Chrome: 1 bug
- $442,500 paid out to researchers