VANCOUVER–Finding and exploiting new vulnerabilities in the major browsers has become a difficult exercise for security researchers, thanks to the exploit mitigations, sandboxes and other protections that Microsoft, Google and Mozilla have added in the last few years. The same has become true of Adobe Flash, but difficult is not the same as impossible, as the contestants at the Pwn2Own contest here have shown.
On Thursday, the team from French security firm VUPEN jumped through a series of hoops, chained together three separate zero-day vulnerabilities and successfully compromised the latest patched version of Flash as part of the contest. That feat won the company another $70,000, on top of the $180,000 it had won on Wednesday for successfully attacking Firefox and Internet Explorer 10.
Chaouki Bekrar said that compromising Flash has become much more difficult in recent years, thanks to the advances Adobe has made in protecting the plug-in.
“Flash is a different thing and it’s getting updated all the time and Adobe did a very good job securing it,” Bekrar said. “It’s more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they’re killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure.”
Other competitors also have had luck in this year’s contest, with a team from MWR Labs compromising Google Chrome on a Windows laptop on Wednesday. That team used a series of exploits and vulnerabilities in order to bypass the various memory protections in Windows, including ASLR and DEP, and used a separate kernel vulnerability to gain elevated privileges.
“We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop. By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges,” MWR Labs said in an explanation of their technique.
“As with many modern operating systems, there were a series of memory protection mechanisms that needed to be bypassed before reliable code execution could be achieved. Specifically, Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) made it more challenging to develop a reliable exploit.
“We were able to exploit the first vulnerability in multiple ways, allowing us to leak the addresses of several objects in memory, calculate the base address of certain system dlls, read arbitrary data, and gain code execution. This allowed us to bypass ALSR by leaking the base address of a dll, and to bypass DEP by reading that dll’s .text segment into a javascript string, allowing us to dynamically calculate the addresses of ROP gadgets.”
And researcher Joshua Drake compromised Java on Wednesday, as well.
Other entrants are expected to try their hand against some of the various targets in Pwn2Own later on Thursday. The separate Pwnium competition run by Google for its Chrome OS hasn’t seen any successful attempts as of yet.
