Flash, Reader, Firefox and IE Fall on Pwn2Own Day 1

Four different research teams cracked four different products on Wednesday–Adobe Flash, Reader, Mozilla Firefox, and Microsoft Internet Explorer—and collectively earned a payout of $317,000 on the first day of Pwn2Own 2015.

Four different research teams on Wednesday cracked four products–Adobe Flash, Reader, Mozilla Firefox, and Microsoft Internet Explorer—and collectively earned a payout of $317,000 on the first day of Pwn2Own 2015.

The annual hacking contest, which kicked off Wednesday in Vancouver, runs concurrently with CanSecWest and is hosted by HP’s Zero Day Initiative and Google’s Project Zero.

The group of Chinese hackers that took down Flash last year, KeenTeam, targeted Flash once again yesterday. Alongside Zeguang Zhao, a researcher working under the guise of Team509, KeenTeam’s Peter Hlavaty, Jihui Lu, and Wu Shi exploited Flash running on a 64-bit Windows machine by using a heap overflow vulnerability, then used a local privilege escalation bug in the Windows kernel via TrueType fonts to bypass its defensive measures. The four researchers earned $60,000 for the Flash hack, which took all of 30 seconds, and an extra $25,000 for the escalation bug.

nicoNicolas Joly, formerly of the French exploit vendor Vupen, took down Flash with a use-after-free vulnerability and a sandbox escape directory traversal vulnerability, but since Joly’s name was picked after Keen Team’s and Team 509’s, which had already broken Flash, his vulnerability paid only $30,000. Joly, right, followed his Flash attack by breaking Reader three times, once with an info leak vulnerability, again with remote code execution, and a third time by leveraging an integer overflow to exploit the broker, which earned him an additional $60,000.


KeenTeam also collaborated with Jun Mao, working with Tencent PC Manager, to take down Adobe Reader. KeenTeam’s Lu and Mao bypassed the software’s PDF security protections with an integer overflow bug, and later achieved pool corruption by disrupting kernel mode memory with another TrueType font vulnerability. The Reader bug was worth $30,000 since Joly had already broken Reader earlier in the competition, but the second bug, which gave them system access, earned the researchers an additional $25,000.

Mariusz Młyński, a security researcher from Poland who used two vulnerabilities to gain privilege escalation in Firefox 27 last year, targeted the browser again this year. Młyński earned $55,000 for digging up two bugs, a cross-origin vulnerability that eventually led to privilege escalation, all within the span of .542 seconds.

According to HP Security Research’s Dustin Childs there was a fundamental Windows flaw that figured into Młyński’s Firefox hack and that Microsoft has been notified of the vulnerability.

Microsoft wasn’t left out of the party. A new entrant in the competition, JungHoon Lee, working with 360Vulcan Team, broke a 64-bit version of Internet Explorer 11 with an uninitialized memory vulnerability to earn $32,500.

Contest entrants will get a second chance at cracking Internet Explorer, along with Apple Safari and Google Chrome during Day Two of the competition later today.

Suggested articles