All Major Browsers Fall at Pwn2Own Day 2

Two researchers took down the four major browsers, Internet Explorer, Firefox, Chrome, and Safari yesterday as Pwn2Own wrapped up in Vancouver.

Two researchers on Thursday took down the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, as Pwn2Own, the annual hacking contest that runs in tandem at CanSecWest, wound down in Vancouver.

The story of the day was Korean researcher Jung Hoon Lee, who worked alone under the name lokihardt and earned the single highest payout for an exploit in the competition’s history, a staggering $110,000 in just two minutes.

Using more than 2000 lines of code, Lee was able to take down both stable and beta versions of Chrome by exploiting a buffer overflow race condition in the browser. He then used an info leak and race condition in two Windows kernel drivers to secure SYSTEM access. The standalone Chrome bug fetched Lee $75,000 while the privilege escalation bug scored him another $25,000. To finish it off Google’s Project Zero, as it usually does when Chrome is hacked at the event, paid Lee an extra $10,000.

After the competition, Lee, who went on to own two other browsers yesterday, told HP Security Research’s Dustin Childs that the Chrome exploit was the toughest to pull off. He told Childs via translator that not only was it was his first time writing Native Client code but it was his first time dealing with a kernel exploit.

Earlier in the day, Lee earned $65,000 for popping a 64-bit version of IE 11 with a time-of-check to time-of-use (TOCTOU) vulnerability. The vulnerability, exploited between the time a file property is checked and the time the file is used, usually leads to privilege escalation. In this case the attack enabled him read/write privileges on the browser while another attack he used, a sandbox escape via JavaScript injection helped him evade defensive mechanisms on the browser.

Lee wasn’t done and went on to bolster his daily total to $225,000 later in the day by using a use-after-free vulnerability to take down Safari. Lee exploited an uninitialized stack pointer in the browser, something that bypassed its sandbox and netted him an additional $50,000.

Lee made some noise after a relatively quiet first day of Pwn2Own on Wednesday, when working with 360Vulcan Team, he helped break IE 11 with a separate uninitialized memory vulnerability.

A researcher operating under the pseudonym ilxu1a took out Mozilla to start the day. Using an out-of-bounds read/write vulnerability he claims he found through static analysis, ilxu1a’s attack led to medium-integrity code execution in what ZDI called “sub-seconds,” earning $15,000.

Ilxu1a attempted to hack Chrome as well but couldn’t get his info leak exploit to work properly.

With Pwn2Own, a hacking competition hosted by HP’s Zero Day Initiative and Google’s Project Zero, drawing to a close the final tally for bugs over the past two days is as follows:

  • Microsoft Windows: 5 bugs
  • Microsoft IE 11: 4 bugs
  • Mozilla Firefox: 3 bugs
  • Adobe Reader: 3 bugs
  • Adobe Flash: 3 bugs
  • Apple Safari: 2 bugs
  • Google Chrome: 1 bug
  • $442,500 paid out to researchers

Suggested articles

Discussion

  • Jeroen van der Tuin on

    Holy hell that's a lot of money. I wonder if any user interaction was necessary to run the exploits in the browser or if all that is necessary is just going to the website without clicking on anything.
  • annag on

    How do Opera and Vivaldi compare?
  • annag on

    What about Opera and Vivaldi?
    • Kyle on

      As for opera / vivaldi: Security through obscurity!
    • Avi on

      both are Webkit/blink based, we can only assume they fell too
    • amarantini on

      @annag: Since Opera uses BLINK(same as chrome) they're probably vulnerable to the same bugs as Chrome. Vivaldi probably wasn't included in the event, given that they're such a small browser. as for vivaldi...good question, they seem to be the only browser around using chromium rendering engine anymore! =P
    • hacker on

      What about them?
      • jeremy on

        They're not major browsers
        • DedraterSresu on

          Yes they are... they're BOTH built off the Chromium project BY Google.
  • Nicholas Leader on

    "ht2000" typo
  • twerpzzz on

    using more ht2000 lines of code is this correct? my brain read it as "more than 2000 lines"
  • Matt on

    Insane the amount of money, but well worth it to find exploits. Hackers get a bad name, but we need them badly. They help make security systems stronger. Check out an article I recently published on the topic of hacking in the headlines:www[dot]confessionsoftheprofessions[dot]com/big-business-hacking-infographic/
  • ted on

    What about Java?
  • LAB on

    Annag: since they're flavours of google chrome these days, I'm pretty sure they'll be affected as well.
  • Ruben on

    pwn2own What a stupid name
  • Paul Keith on

    were all these browsers running on one operating system? Would they have been attackable on other operating systems? Perhaps it is about time real information was given about why computer vulnerabilities really exist.
  • hd on

    Both Opera and Vivaldi use the same Blink engine as Chrome. Not sure if that translates to the same vulnerabilities but is a point. (The second point is that they probably don't want to spend money on such a test and use the Blink testing lessons anyway).
  • kifah on

    Opera is using chromium open source. It falls behind the google chrome browser
  • kifah on

    can some body please tell me what do they mean by ht2000 lines of code? Is it really 2000 lines?
    • Chris Brook on

      That was a typo. JungHoon said in the video that the Chrome exploit was over 2000 lines of code he wrote.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.