Safari, Flash Fall at Pwn2Own 2016 Day One


Hackers took down Apple Safari and Adobe Flash, earning $282,500 in prizes on Wednesday, the first day of the annual Pwn2Own hacking challenge in Vancouver.

Apple Safari and Adobe Flash have proved to be Pwn2Own 2016’s biggest punching bags so far—hackers took down both, earning $282,500 in prizes at the first day of the annual hacking challenge in Vancouver on Wednesday.

There were four successful attempts, one partial, and one failed attempt at the competition, which is held in tandem with the CanSecWest security conference and hosted jointly this year by Hewlett Packard Enterprise, Trend Micro, and the Zero Day Initiative.

JungHoon Lee, working as lokihardt, started off the day by taking down Safari. Lee, who was a newcomer to the competition last year, managed to chain together four different bugs, including a use-after-free vulnerability and a heap overflow bug, to break the browser and escalate his privileges, earning him $60,000. Last year Lee set a record on the competition’s second day when he earned $110,000 in just two minutes and broke both stable and beta versions of Google Chrome.

Tencent Security Team Shield, a combination of Pwn2Own stalwarts KeenLab and PC Manager, took down Safari again later Wednesday afternoon by leveraging a use-after-free vulnerability in a privileged process, giving them root-level escalation.

The biggest coup of day one came when hackers working with 360Vulcan Team took down Flash, earning them the biggest single payout of the day, $80,000. The group leveraged a type confusion bug in the platform, combined with a Windows kernel bug, to escalate from user mode to SYSTEM.

Flash continued to be the target of choice the rest of the afternoon. Tencent Security Team Sniper earned $50,000 by exploiting an out-of-bounds bug in Flash, then an infoleak in the Windows kernel. After tying them together, the group used the bugs to exploit a use-after-free vulnerability to achieve SYSTEM-level code execution.

Hackers working with Tencent Xuanwu Lab attempted to break Flash with an exploit that included SYSTEM-level elevation but couldn’t carry the exploit out in the allotted 15-minute time frame.

Hackers with 360Vulcan Team, fresh from breaking Flash earlier in the afternoon, partially broke Google’s Chrome browser on Tuesday. The group used an out-of-bounds access bug that Google was aware of, along with three use-after-free vulnerabilities, but ran into a bug collision. While the attempt resulted in what Pwn2Own officials called a “partial win,” they still earned $52,500, bringing their one-day total to $132,500.

This is the first year that entrants have been given the option to exploit VMware’s Workstation, which is running on the Windows machines at Pwn2Own. By escaping the virtual machine, competitors can earn $75,000, but no one targeted it Wednesday, and it’s not slated as a target for any teams for Thursday.

The groups will give it another go today, the competition’s second day, and get another shot at breaking Safari, Chrome, Flash, along with Microsoft’s Edge browser, which was left out of Wednesday’s attempts.
